Re: DNS zone transfer

From: Edwin Groothuis (edwinat_private)
Date: Sun Jun 09 2002 - 18:06:32 PDT


    On Sun, Jun 09, 2002 at 05:35:41PM +0200, Ralf Vitasek wrote:
    > Vlad wrote:
    > > Is it possible to remotely retrieve all DNS records from a server
    > > *without* knowing the specific zones it hosts? 
    > > (cause then I can script "dig @dns-server.ip zone-domain ALL" )
    > > 
    > > If it matters the server runs the DNS service on Win2k and I've got no
    > > preference for Windows or *NIX tools. Any will do.
    > 
    > I doubt that such a thing is possible; I would think of it as an information 
    > leak otherwise.
    > For the DNS servers (all BIND on Linux) I always prohibit AXFRs 
    > for domains to unauthorized hosts (i.e. I just allow my secondary 
    > nameservers to do that).
    > 
    > What *good* use could anyone have for such a thing?
    
    Auditing. Not all information gathering is used for bad purposes :-)
    
    For example, I've developed a DNS auditing system to check the
    state of health of our servers, the ones which we (were) delegated
    (delegating) to... Warnings kept popping up for weeks after the
    transfers of domains from a remote server to us or from us to another
    remote server. If you don't check and complain, your DNS network is
    going to be a mess, mail won't be transferred anymore, hosts will
    resolve wrong and all kinds of things based on hostname-authorisations
    will go bad.
    
    Edwin
    
    -- 
    Edwin Groothuis      |           Personal website: http://www.MavEtJu.org
    edwinat_private    |        Interested in MUDs? Visit Fatal Dimensions:
    bash$ :(){ :|:&};:   |                    http://www.FatalDimensions.org/
    
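The kind of delegation health check Edwin describes, written here as an added example (this is not Edwin's auditing system or any code from the thread). It assumes a caller-supplied `query(server, zone, rtype)` function in place of real DNS lookups, so the logic runs offline against constructed answers; the zone `example.test` and the `ns1`/`ns2`/`ns3` server names are made up. It flags the conditions the post complains about after a domain moves (a server still listed in the delegation that no longer serves the zone, apex NS sets that disagree with the parent, SOA serials that have drifted apart) and also the AXFR exposure Ralf mentions, by recording a warning when a transfer succeeds from a host that should not be allowed one.

```python
"""Offline DNS delegation/health audit with an injectable query function.

No network access: `query` is supplied by the caller and, in the sample below,
answers from a constructed table.
"""
from typing import Callable, Dict, List, Tuple

# query(server, zone, rtype) -> list of rdata strings; raises Refused on REFUSED/timeout.
QueryFn = Callable[[str, str, str], List[str]]


class Refused(Exception):
    """Raised by a query function when the server refuses or does not answer."""


def audit_zone(zone: str, delegated_ns: List[str], query: QueryFn) -> List[str]:
    """Return warning strings for `zone`.

    delegated_ns: the NS set the parent zone hands out (what the world sees).
    Checks: each delegated server serves the zone (SOA answer), the apex NS set on
    each server matches the delegation, SOA serials agree, and AXFR from an
    unauthorised vantage point is refused.
    """
    warnings: List[str] = []
    serials: Dict[str, int] = {}
    expected = set(delegated_ns)

    for ns in delegated_ns:
        try:
            soa = query(ns, zone, "SOA")
        except Refused:
            soa = []
        if not soa:
            warnings.append(f"{ns}: delegated for {zone} but returns no SOA (lame delegation)")
            continue
        # SOA rdata layout: mname rname serial refresh retry expire minimum
        serials[ns] = int(soa[0].split()[2])

        apex_ns = set(query(ns, zone, "NS"))
        if apex_ns != expected:
            missing = sorted(expected - apex_ns)
            extra = sorted(apex_ns - expected)
            warnings.append(f"{ns}: apex NS set differs from delegation (missing={missing}, extra={extra})")

        # A transfer that succeeds from this (unauthorised) vantage point is a finding.
        try:
            leaked = query(ns, zone, "AXFR")
        except Refused:
            leaked = []
        if leaked:
            warnings.append(f"{ns}: AXFR of {zone} allowed to an unauthorised host ({len(leaked)} records)")

    if len(set(serials.values())) > 1:
        warnings.append(f"SOA serial mismatch across servers: {serials}")
    return warnings


# Constructed sample answers for a hypothetical zone, keyed by (server, zone, rtype).
# Anything not in the table is treated as REFUSED / no answer.
SAMPLE: Dict[Tuple[str, str, str], List[str]] = {
    # ns1: healthy, and refuses AXFR (no AXFR entry below)
    ("ns1.example.test", "example.test", "SOA"): [
        "ns1.example.test. hostmaster.example.test. 2002060901 3600 900 604800 86400"],
    ("ns1.example.test", "example.test", "NS"): ["ns1.example.test", "ns2.example.test"],
    # ns2: stale serial, and hands the whole zone to anyone who asks
    ("ns2.example.test", "example.test", "SOA"): [
        "ns1.example.test. hostmaster.example.test. 2002060801 3600 900 604800 86400"],
    ("ns2.example.test", "example.test", "NS"): ["ns1.example.test", "ns2.example.test"],
    ("ns2.example.test", "example.test", "AXFR"): [
        "example.test. SOA ...", "example.test. NS ns1.example.test", "www.example.test. A 192.0.2.10"],
    # ns3: still in the parent's delegation after the zone moved away, so no SOA at all
}


def sample_query(server: str, zone: str, rtype: str) -> List[str]:
    try:
        return SAMPLE[(server, zone, rtype)]
    except KeyError:
        raise Refused(f"{server} refused {rtype} {zone}")


def run_sample_audit() -> List[str]:
    """Audit the constructed zone as delegated to ns1, ns2 and the stale ns3."""
    return audit_zone("example.test",
                      ["ns1.example.test", "ns2.example.test", "ns3.example.test"],
                      sample_query)


if __name__ == "__main__":
    for w in run_sample_audit():
        print("WARNING:", w)
```

In a real deployment the `query` function would wrap an actual resolver and the AXFR probe would be run from a host that is deliberately not on the secondaries' allow list, so a successful transfer means the restriction Ralf describes is missing.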
    This archive was generated by hypermail 2b30 : Mon Jun 10 2002 - 12:05:15 PDT