Vulnerability Development mailing list archives
Re: DNS zone transfer
From: Ed Schmollinger <schmolli () frozencrow org>
Date: Mon, 10 Jun 2002 09:02:23 -0500
On Sun, Jun 09, 2002 at 04:18:38PM -0700, David Schwartz wrote:

> On Sun, 9 Jun 2002 13:28:39 -0300, Maximiliano Perez wrote:
> > They can restrict it via:
> > - Filtering port 53/tcp, try telneting.
>
> They can't filter port 53/tcp if they are authoritative for any domains. Support for TCP queries is not optional.
No, they can't filter port 53/tcp if they expect zone transfers or large responses to work. Being authoritative is independent of the query mechanism. RFC compliance requires that TCP support be present, but for most setups, it can be safely disabled (via FW rules or whatever) for non-secondaries. The security (conscious|zealots) like to disable TCP because it's harder to get an interactive shell on a machine if you can only talk to it through UDP.

-- 
Ed Schmollinger - schmolli () frozencrow org
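The "large responses" case Ed mentions is the one a TCP/53 filter silently breaks: a UDP reply that did not fit comes back with the TC (truncated) bit set and the resolver must repeat the query over TCP, where each message is length-prefixed. The diagnostic below is an added example, not code from this thread; it is plain-socket Python that assumes no EDNS and uses a constructed truncated reply so the parsing can be exercised offline.

```python
import socket
import struct

def build_query(name, qtype=1, qid=0x1234):
    """Recursion-desired query for `name`; qtype 1 = A, 252 = AXFR (zone transfer)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Return (id, truncated, rcode, answer_count) from a raw DNS message."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return qid, bool(flags & 0x0200), flags & 0x000F, an  # 0x0200 = TC bit (RFC 1035 4.1.1)

def tcp_frame(msg):
    """Over TCP each DNS message carries a 2-byte big-endian length prefix (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def read_tcp_message(sock):
    """Read one length-prefixed DNS message from a connected TCP socket."""
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)

def resolve(name, server, qtype=1, timeout=3.0):
    """UDP first; if the reply has TC set, repeat over TCP/53. Returns (msg, transport)."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if not parse_header(resp)[1]:
        return resp, "udp"
    # With TCP/53 filtered in front of the server, this step times out or is refused.
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(q))
        return read_tcp_message(s), "tcp"

# Constructed sample: a UDP reply with QR, TC, RD, RA set (flags 0x8380) and no answers.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + build_query("example.com")[12:]
```

Running `resolve("example.com", "<your server>", qtype=16)` against a server whose TXT data exceeds 512 bytes shows the fallback; if the TCP step fails while UDP works, the filter Ed describes is in the path.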