Hi,
> you mean like the "information leak" that occurs when your DNS server
> answers queries?
DNS has a couple of information leak vulnerabilities inherent in its design,
including the domain listing function *ls* in *nslookup* and zone transfers.
The *ls* function used to list all the hosts in a domain. Almost no modern DNS
servers respond to the *ls* command though, so it isn't much to worry about.
Zone transfers are worth worrying about. They're used to transfer all the zone
data for a specific zone to a slave server for that zone. Without zone transfer
security, though, anyone can perform a zone transfer and get a list of all hosts
in the zone. Restricting zone transfers is one of the key tenets of DNS security.
Zone transfers should always be restricted so that only the slave server or
servers for a particular zone can perform a zone transfer. Restriction can be
done either by the IP address of the system allowed to perform transfers or by
encryption keys so that any system with the proper key can perform a zone
transfer.
If possible, you should have two sets of DNS servers. One set for external
clients should be located in the DMZ and should host only the zones and records
that are absolutely necessary. Internal DNS servers are located in the internal
network and serve internal clients. This separation of internal and external DNS
servers limits the possibility of *information leaks* and DNS poisoning.
Marco
_________________________________________________________________
This mail is sent through MUW Webmail: http://www.MUW.Edu/webmail
For the latest MUW Events, visit http://www.MUW.Edu/calendar
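The two restriction methods Marco describes (by IP address, and by key) look like this in a BIND 9 `named.conf`. This is an added illustration, not configuration from the original message or from any specific deployment; the zone name `example.test`, the addresses `192.0.2.53` and `2001:db8::53`, the key name `xfer-key` and the secret are all constructed placeholders.

```conf
// Added example: restricting zone transfers in BIND 9.
// Zone, addresses, key name and secret are constructed placeholders.

// TSIG key shared between primary and secondary. Generate a real secret with
// `tsig-keygen xfer-key` rather than pasting one by hand.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_REPLACE_ME";
};

// The secondaries that are allowed to pull this zone.
acl "secondaries" { 192.0.2.53; 2001:db8::53; };

options {
    // Safe global default: no zone can be transferred unless the zone
    // statement explicitly says otherwise.
    allow-transfer { none; };
};

// WEAK (what the message warns about): anyone on the Internet can AXFR the
// whole zone and obtain a list of every host in it.
// zone "example.test" {
//     type master;
//     file "example.test.zone";
//     allow-transfer { any; };
// };

// Restriction by IP address: only the listed secondaries may transfer.
zone "example.test" {
    type master;
    file "example.test.zone";
    allow-transfer { secondaries; };
    also-notify { 192.0.2.53; 2001:db8::53; };
};

// Restriction by key: any client presenting a valid TSIG signature with
// xfer-key may transfer, regardless of source address. Combining both
// (address AND key) is the usual choice:
//     allow-transfer { !{ !secondaries; any; }; key xfer-key; };
zone "internal.example.test" {
    type master;
    file "internal.example.test.zone";
    allow-transfer { key xfer-key; };
};

// On the secondary, tell named to sign requests to the primary with the key:
// server 192.0.2.1 { keys { xfer-key; }; };
// zone "internal.example.test" {
//     type slave;
//     masters { 192.0.2.1; };
//     file "slaves/internal.example.test.zone";
// };
```

After reloading, verify the restriction from a host that is not a secondary: `dig @<your-server> example.test AXFR` should return `Transfer failed.` rather than the zone contents, and the server log should show the refused transfer, which is also a useful line to alert on.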