RE: DNS zone transfer

From: Maximiliano Perez (mpat_private)
Date: Mon Jun 10 2002 - 07:34:49 PDT


    We were not talking about standards or RFCs. We were talking about why he
    couldn't do a zone transfer.
    
    If I want to read a standard I just look it up on the web.
    
    Cheers.
    
    -----Original Message-----
    From: Ed Schmollinger [mailto:schmolliat_private]
    Sent: Monday, June 10, 2002 11:02 AM
    To: David Schwartz
    CC: mpat_private; Vlad; 'Short_Circut'; vuln-devat_private
    Subject: Re: DNS zone transfer
    
    
    On Sun, Jun 09, 2002 at 04:18:38PM -0700, David Schwartz wrote:
    > On Sun, 9 Jun 2002 13:28:39 -0300, Maximiliano Perez wrote:
    > >They can restrict it via:
    > >
    > >    - Filtering port 53/tcp, try telneting.
    >
    > 	They can't filter port 53/tcp if they are authoritative for any domains.
    > Support for TCP queries is not optional.
    
    No, they can't filter port 53/tcp if they expect zone transfers or large
    responses to work.  Being authoritative is independent of the query
    mechanism.  RFC compliance requires that TCP support be present, but for
    most setups, it can be safely disabled (via FW rules or whatever) for
    non-secondaries.  The security (conscious|zealots) like to disable TCP
    because it's harder to get an interactive shell on a machine if you can
    only talk to it through UDP.
    
    --
    Ed Schmollinger - schmolliat_private
    
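As an added example (not code from any of the posts above): a small Python check that sends the same query first over UDP and then over TCP/53, so an operator can see whether a firewall rule on 53/tcp would break truncated (TC=1) responses and zone transfers, which is Ed's point. The server address and name are caller-supplied assumptions; nothing here is tied to a particular site.

```python
"""Check whether a nameserver answers on TCP/53, which zone transfers and any
UDP response that came back truncated (TC=1) depend on.  Added example for
this thread, not code from the original posts."""
import socket
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: 12-byte header, one question, RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_header(resp: bytes) -> dict:
    """Return the header fields that matter here: TC bit, RCODE, answer count."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F, "answers": an}


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def query_udp(server: str, name: str, qtype: int = 1, timeout: float = 3.0) -> dict:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_header(data)


def query_tcp(server: str, name: str, qtype: int = 1, timeout: float = 3.0) -> dict:
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(frame_tcp(build_query(name, qtype)))
        (length,) = struct.unpack("!H", s.recv(2))
        data = b""
        while len(data) < length:  # read exactly one length-prefixed message
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return parse_header(data)


def tcp_53_check(server: str, name: str) -> dict:
    """Report whether UDP truncated the answer and whether TCP/53 is reachable."""
    udp = query_udp(server, name)
    try:
        query_tcp(server, name)
        return {"udp_truncated": udp["tc"], "tcp_ok": True}
    except OSError as exc:  # connection refused, filtered (timeout), reset
        return {"udp_truncated": udp["tc"], "tcp_ok": False, "error": str(exc)}
```

If `udp_truncated` is true and `tcp_ok` is false, the firewall rule is dropping answers that RFC-compliant resolvers will retry over TCP; restricting transfers with the server's own ACL (e.g. BIND `allow-transfer`) avoids that side effect.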



    This archive was generated by hypermail 2b30 : Mon Jun 10 2002 - 10:37:47 PDT