Re: DNS zone transfer

From: Frank Knobbe (fknobbeat_private)
Date: Mon Jun 10 2002 - 19:24:27 PDT

Next message: FBO: "Re: Coding Conservative CGI Perl"

Previous message: Mauricio Freitas: "Belkin GCable/DSL router problem with http requests"
In reply to: Ed Schmollinger: "Re: DNS zone transfer"
Next in thread: Brad Bemis: "RE: DNS zone transfer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 2002-06-10 at 09:02, Ed Schmollinger wrote:
> No, they can't filter port 53/tcp if they expect zone transfers or large
> responses to work.  Being authoritative is independent of the query
> mechanism.  RFC compliance requires that TCP support be present, but for
> most setups, it can be safely disabled (via FW rules or whatever) for
> non-secondaries.  The security (conscious|zealots) like to disable TCP
> because it's harder to get an interactive shell on a machine if you can
> only talk to it through UDP.


I don't want to drift further off-topic, but appending -u to netcat
isn't that much harder...

Regards,
Frank

application/pgp-signature attachment: This is a digitally signed message part

Next message: FBO: "Re: Coding Conservative CGI Perl"
Previous message: Mauricio Freitas: "Belkin GCable/DSL router problem with http requests"
In reply to: Ed Schmollinger: "Re: DNS zone transfer"
Next in thread: Brad Bemis: "RE: DNS zone transfer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 10:19:44 PDT