<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On Jul 18, 2012, at 10:16 PM, Valentin Bud wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<div bgcolor="#FFFFFF" text="#000000">
Hello,<br>
<br>
My question is not related to NSD in particular, but I have seen
here on the list a lot of people that work for TLDs and other
Registrars and Registry operators I thought it would be a good place
to ask this question. It is about DNS though, not completely off
topic :).<br>
<br>
I have encountered in my DNS studies a few name servers that let you
transfer zones they are authoritative for. The name servers I am
talking about are not under my control. I have noticed that in the
majority of cases ns2.*, or whatever name the second NS has, lets
you perform the zone transfer. This led me to the conclusion that
the sys admins don't pay enough attention or don't really know or
understand DNS technology. It is not my intention to offend any sys
admin. I am just saying. Or maybe the people that set up those
servers are not sys admins. Who knows.<br>
<br>
Do you consider the above as being a security vulnerability?<br></div></blockquote><div><br></div><div>There are different schools.</div><div><br></div><div>One school shares your thoughts:</div><div><br></div><blockquote type="cite"><div bgcolor="#FFFFFF" text="#000000">
My thoughts on this.
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
This isn’t necessarily bad if the only information provided is
related to systems that are connected to the Internet and have valid
hostnames, although it makes it that much easier for attackers to
find potential targets. Almost all the time people use suggestive
names like splunk, nagios, cpanel, switch-c2950, etc. That would
give an attacker a good start. But on the other hand it can find
those by himself by querying the name server for those names.<br>
<br></div></blockquote><div><br></div><div>The other schools says that information in the DNS is essentially public and while preventing *XFR will provide a bit of obscurity we all know that security through obscurity doesn't provide real security. (I am paraphrasing the school of thought).</div><div><br></div><br><blockquote type="cite"><div bgcolor="#FFFFFF" text="#000000">
In some cases, as I have seen, there are entries that have private
addresses. I consider this as being quite bad because it reveals the
private address space of the company's/institution's IT
infrastructure. <br></div></blockquote><div><br></div><div>The second school of thought would probably say that if you put the data in the DNS you do not mind disclosing the information. If you want this sort of information to be hidden you set up 'internal-only' infrastructure (with BIND you can use one server with two views, with other implementations you set up your nameserver infrastructure independently).</div><div><br></div><blockquote type="cite"><div bgcolor="#FFFFFF" text="#000000">
<br>
What about open resolvers? I am not talking here about OpenDNS or
Google, who monitor their infrastructure and maybe they even rate
limit the queries per source IP address if too many come from one
particular source. I am talking about servers that are not being
monitored. I say this because if you monitor your servers and if you
understand the DNS technology you can see that someone has AXFR-ed
your zone or queried <a href="http://whatever.domain.com">whatever.domain.com</a> recursively using your name
server and put an end to it. <br></div></blockquote></div><div apple-content-edited="true"><br></div><div apple-content-edited="true">In the context of this conversation I believe that if an open, and public facing, resolver has access to internal information (an internal view) such would probably be a mistake. But if the open resolver is configured to only see external facing data then I don't see any reason for the type of monitoring you describe above.</div><div apple-content-edited="true"><br></div><div apple-content-edited="true">The type of monitoring that should always be taken place on open recursive nameservers is monitoring for being used as DOS amplification vector. </div><div apple-content-edited="true"><br></div><div apple-content-edited="true">--Olaf</div><div apple-content-edited="true"><br></div><div apple-content-edited="true"><br></div><div apple-content-edited="true"><br></div><div apple-content-edited="true"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><br class="Apple-interchange-newline"><table cellspacing="0" cellpadding="0" style="font-family: Helvetica; font-size: 12px; background-color: rgb(255, 255, 255); border-collapse: collapse; "><tbody><tr><td rowspan="2" valign="top" style="width: 97.8px; height: 56.3px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-width: 1px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-top-color: rgb(180, 180, 180); border-right-color: transparent; border-bottom-color: transparent; border-left-color: transparent; padding-top: 5px; padding-right: 5px; padding-bottom: 5px; padding-left: 5px; "><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; text-align: right; font: normal normal normal 19px/normal 'Gill Sans'; "><font class="Apple-style-span" color="#777777"><span style="letter-spacing: 0px; "><b>NLnet<br></b></span><span style="font: normal normal normal 24px/normal 'Gill Sans'; letter-spacing: 0px; ">Labs</span></font></div></td><td valign="top" style="width: 114.5px; height: 18.1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-width: 1px; border-right-width: 0px; border-bottom-width: 1px; border-left-width: 0px; border-top-color: rgb(180, 180, 180); border-right-color: transparent; border-bottom-color: rgb(202, 202, 202); border-left-color: transparent; padding-top: 5px; padding-right: 5px; padding-bottom: 5px; padding-left: 5px; "><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 12px/normal Helvetica; "><span style="letter-spacing: 0px; "><font class="Apple-style-span" color="#777777">Olaf M. Kolkman</font></span></div></td><td valign="top" style="width: 2.3px; height: 18.1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-width: 1px; border-right-width: 0px; border-bottom-width: 1px; border-left-width: 0px; border-top-color: rgb(180, 180, 180); border-right-color: transparent; border-bottom-color: rgb(202, 202, 202); border-left-color: transparent; padding-top: 5px; padding-right: 5px; padding-bottom: 5px; padding-left: 5px; "><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 12px/normal Helvetica; min-height: 14px; "><font class="Apple-style-span" color="#777777"><br></font></div></td></tr><tr><td valign="top" style="width: 114.5px; height: 27.2px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-width: 1px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-top-color: rgb(202, 202, 202); border-right-color: transparent; border-bottom-color: transparent; border-left-color: transparent; padding-top: 5px; padding-right: 5px; padding-bottom: 5px; padding-left: 5px; "><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 9px/normal Helvetica; "><span style="text-decoration: underline; letter-spacing: 0px; "><a href="http://www.NLnetLabs.nl"><font class="Apple-style-span" color="#777777">www.NLnetLabs.nl</font></a></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 9px/normal Helvetica; "><span style="text-decoration: underline; letter-spacing: 0px; "><a href="mailto:olaf@NLnetLabs.nl"><font class="Apple-style-span" color="#777777">olaf@NLnetLabs.nl</font></a></span></div></td><td valign="top" style="width: 2.3px; height: 27.2px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-width: 1px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-top-color: rgb(202, 202, 202); border-right-color: transparent; border-bottom-color: transparent; border-left-color: transparent; padding-top: 5px; padding-right: 5px; padding-bottom: 5px; padding-left: 5px; "><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 12px/normal Helvetica; min-height: 14px; "><font class="Apple-style-span" color="#777777"><br></font></div></td></tr><tr><td colspan="3" valign="top" style="width: 234.6px; height: 13.2px; padding-top: 5px; padding-right: 5px; padding-bottom: 5px; padding-left: 5px; "><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 9px/normal Helvetica; "><span style="letter-spacing: 0px; "><font class="Apple-style-span" color="#777777">Science Park 400, 1098 XH Amsterdam, The Netherlands</font></span></div></td></tr></tbody></table><div style="font-family: Helvetica; font-size: 12px; color: rgb(158, 158, 158); margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 12px/normal Helvetica; min-height: 14px; "><br></div></span><br class="Apple-interchange-newline">
</div>
<br></body></html>