We were not talking about standards or rfcs. We were talking about why he couldnt do a zone transfer. If a want to read a standard i just look it up on the web. Cheers. -----Mensaje original----- De: Ed Schmollinger [mailto:schmolliat_private] Enviado el: Monday, June 10, 2002 11:02 AM Para: David Schwartz CC: mpat_private; Vlad; 'Short_Circut'; vuln-devat_private Asunto: Re: DNS zone transfer On Sun, Jun 09, 2002 at 04:18:38PM -0700, David Schwartz wrote: > On Sun, 9 Jun 2002 13:28:39 -0300, Maximiliano Perez wrote: > >They can restrict it via: > > > > - Filtering port 53/tcp, try telneting. > > They can't filter port 53/tcp if the are authoritative for any domains. > Support for TCP queries is not optional. No, they can't filter port 53/tcp if they expect zone transfers or large responses to work. Being authoritative is independent of the query mechanism. RFC compliance requires that TCP support be present, but for most setups, it can be safely disabled (via FW rules or whatever) for non-secondaries. The security (conscious|zealots) like to disable TCP because it's harder to get an interactive shell on a machine if you can only talk to it through UDP. -- Ed Schmollinger - schmolliat_private
This archive was generated by hypermail 2b30 : Mon Jun 10 2002 - 10:37:47 PDT