There is a difference between answering an individual request for a hostname or IP through UDP/53 and a complete zone transfer of domain.com via TCP/53.
One takes no effort at all to get all the information within that zone. The other takes a bit more effort.
Simon.
>>> Bill Manning <bmanning@xxxxxxx> 05/27/03 04:37pm >>>
% Hi,
%
% > Are there any actual threats in allowing any server to have zone transfers
% > from one's machine? I mean they will poison their own caches, that's all. What
% > more harm can they do?
%
% How about *Information Leak* that causes private information (such as the
% host-to-IP mappings on your DNS server) to end up in the hands of an
% unauthorized person. Information leak isn't usually the method for direct
% attacks, but it does provide an attacker with valuable information about the
% configuration of your systems. It can therefore be used to find
% vulnerabilities for a later attempt at disabling or intruding into your core
% network.
%
% Marco
you mean like the "information leak" that occurs when your DNS server answers queries?
--bill
Opinions expressed may not even be mine by the time you read them, and certainly don't reflect those of any other entity (legal or otherwise).
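As an added example (not written by anyone in this thread), here is the detection side of the distinction Simon and Marco draw: a small Python check over constructed, BIND-style query-log lines that flags AXFR/IXFR requests from hosts other than the configured secondaries, while leaving ordinary A/MX lookups alone. The log format, the client addresses and the allowed-peer list are all assumptions made up for the example.

```python
import ipaddress
import re

# Constructed sample lines in the style of a BIND query log (not real traffic).
SAMPLE_LOG = """\
client 192.0.2.10#53211: query: www.example.com IN A + (192.0.2.1)
client 192.0.2.20#41002: query: example.com IN AXFR +T (192.0.2.1)
client 198.51.100.7#49152: query: example.com IN AXFR +T (192.0.2.1)
client 203.0.113.9#50007: query: example.com IN IXFR +T (192.0.2.1)
client 192.0.2.30#34567: query: mail.example.com IN MX + (192.0.2.1)
"""

# Assumption: 192.0.2.20 is the only secondary permitted to pull the zone.
ALLOWED_TRANSFER_PEERS = [ipaddress.ip_network("192.0.2.20/32")]

# Matches "client <ip>#<port>: query: <name> IN <type> <flags>".
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def is_allowed_peer(ip: str) -> bool:
    """True when the client address falls inside a permitted secondary's network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_TRANSFER_PEERS)


def find_unauthorized_transfers(log_text: str) -> list[dict]:
    """Return one record per AXFR/IXFR request that did not come from a secondary."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("qtype") not in ("AXFR", "IXFR"):
            continue  # ordinary lookups are the per-name answers Bill refers to
        if is_allowed_peer(m.group("ip")):
            continue  # a legitimate secondary pulling the zone
        hits.append({
            "client": m.group("ip"),
            "zone": m.group("name"),
            "qtype": m.group("qtype"),
            "tcp": "T" in m.group("flags"),  # BIND's T flag marks a TCP query
        })
    return hits


if __name__ == "__main__":
    for hit in find_unauthorized_transfers(SAMPLE_LOG):
        print(f"unauthorized {hit['qtype']} of {hit['zone']} from {hit['client']}")
```

The same check is the one to pair with an `allow-transfer` restriction on the server: the ACL stops the transfer, the log scan tells you who keeps asking.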