<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 7/19/12 11:06 AM, Olaf Kolkman
wrote:<br>
</div>
<blockquote
cite="mid:96B972C6-F766-4B0D-A7F1-97FF89941766@NLnetLabs.nl"
type="cite"><br>
<div>
<div>On Jul 18, 2012, at 10:16 PM, Valentin Bud wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000"> Hello,<br>
<br>
My question is not related to NSD in particular, but I have
seen here on the list a lot of people that work for TLDs and
other Registrars and Registry operators, so I thought it would
be a good place to ask this question. It is about DNS
though, not completely off topic :).<br>
<br>
I have encountered in my DNS studies a few name servers that
let you transfer zones they are authoritative for. The name
servers I am talking about are not under my control. I have
noticed that in the majority of cases ns2.*, or whatever
name the second NS has, lets you perform the zone transfer.
This led me to the conclusion that the sys admins don't pay
enough attention or don't really know or understand DNS
technology. It is not my intention to offend any sys admin.
I am just saying. Or maybe the people that set up those
servers are not sys admins. Who knows.<br>
<br>
Do you consider the above as being a security vulnerability?<br>
</div>
</blockquote>
<div><br>
</div>
<div>There are different schools.</div>
<div><br>
</div>
<div>One school shares your thoughts:</div>
<div><br>
</div>
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000"> My thoughts on this.
This isn’t necessarily bad if the only information provided
is related to systems that are connected to the Internet and
have valid hostnames, although it makes it that much easier
for attackers to find potential targets. Almost all the time
people use suggestive names like splunk, nagios, cpanel,
switch-c2950, etc. That would give an attacker a good start.
But on the other hand he can find those by himself by
querying the name server for those names.<br>
<br>
</div>
</blockquote>
<div><br>
</div>
<div>The other school says that information in the DNS is
essentially public and, while preventing *XFR will provide a
bit of obscurity, we all know that security through obscurity
doesn't provide real security. (I am paraphrasing the school
of thought).</div>
</div>
</blockquote>
I totally agree with you about security through obscurity. I tend to
avoid it in any way I can. And yes, DNS information is essentially
public. <br>
<blockquote
cite="mid:96B972C6-F766-4B0D-A7F1-97FF89941766@NLnetLabs.nl"
type="cite">
<div>
<div><br>
</div>
<br>
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000"> In some cases, as I
have seen, there are entries that have private addresses. I
consider this as being quite bad because it reveals the
private address space of the company's/institution's IT
infrastructure. <br>
</div>
</blockquote>
<div><br>
</div>
<div>The second school of thought would probably say that if you
put the data in the DNS you do not mind disclosing the
information. If you want this sort of information to be hidden
you set up 'internal-only' infrastructure (with BIND you can
use one server with two views, with other implementations you
set up your nameserver infrastructure independently).</div>
<div><br>
</div>
<blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000"> <br>
What about open resolvers? I am not talking here about
OpenDNS or Google, who monitor their infrastructure and
maybe they even rate limit the queries per source IP address
if too many come from one particular source. I am talking
about servers that are not being monitored. I say this
because if you monitor your servers and if you understand
the DNS technology you can see that someone has AXFR-ed your
zone or queried <a moz-do-not-send="true"
href="http://whatever.domain.com">whatever.domain.com</a>
recursively using your name server and put an end to it. <br>
</div>
</blockquote>
</div>
<div apple-content-edited="true"><br>
</div>
<div apple-content-edited="true">In the context of this
conversation I believe that if an open, and public facing,
resolver has access to internal information (an internal view)
such would probably be a mistake. But if the open resolver is
configured to only see external facing data then I don't see any
reason for the type of monitoring you describe above.</div>
<div apple-content-edited="true"><br>
</div>
<div apple-content-edited="true">The type of monitoring that
should always take place on open recursive nameservers is
monitoring for being used as a DoS amplification vector. <br>
</div>
</blockquote>
<br>
What do you mean by this? What kind of parameters should be
monitored? Queries per second from a given IP address is my first
guess. <br>
<br>
Thank you for taking the time to respond. Cheers and Goodwill,<br>
Valentin Bud<br>
<br>
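One concrete way to turn the "what parameters should be monitored" question into a check, as an added example that is not from this thread or from NSD: it reads a constructed, simplified query log and flags clients whose per-second query rate, estimated amplification factor (logged response bytes over an assumed 45-byte query) or share of ANY queries exceeds constructed thresholds.

```python
"""Flag resolver clients whose query pattern looks like DNS amplification abuse.
Added example, not from the thread or NSD; log format and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime

QUERY_BYTES = 45  # assumed size of a typical UDP query, for the amplification estimate

# Constructed sample log: "<ISO-8601 time> <client ip> <qname> <qtype> <response bytes>"
SAMPLE_LOG = """\
2012-07-19T11:00:00 203.0.113.7 example.net ANY 3200
2012-07-19T11:00:00 203.0.113.7 example.net ANY 3200
2012-07-19T11:00:00 203.0.113.7 example.net ANY 3200
2012-07-19T11:00:01 203.0.113.7 example.net ANY 3200
2012-07-19T11:00:01 203.0.113.7 example.net ANY 3200
2012-07-19T11:00:01 198.51.100.4 www.example.org A 60
2012-07-19T11:00:03 198.51.100.4 mail.example.org MX 90
2012-07-19T11:00:09 192.0.2.9 www.example.com A 60
"""

def parse_line(line):
    """Return (timestamp, client, qname, qtype, response bytes) for one log line."""
    ts, src, qname, qtype, size = line.split()
    return datetime.fromisoformat(ts), src, qname, qtype, int(size)

def analyze(lines, qps_limit=2.0, amp_limit=20.0, any_limit=0.5):
    """Group queries by client and return {client: [reasons]} for clients whose rate,
    estimated amplification or share of ANY queries exceeds the constructed limits."""
    by_src = defaultdict(list)
    for line in filter(str.strip, lines):
        q = parse_line(line)
        by_src[q[1]].append(q)
    flagged = {}
    for src, qs in by_src.items():
        times = [q[0] for q in qs]
        span = (max(times) - min(times)).total_seconds() + 1  # one query = one second
        qps = len(qs) / span
        amp = sum(q[4] for q in qs) / len(qs) / QUERY_BYTES
        any_frac = sum(q[3] == "ANY" for q in qs) / len(qs)
        reasons = []
        if qps > qps_limit:
            reasons.append(f"rate {qps:.1f} q/s")
        if amp > amp_limit:
            reasons.append(f"amplification x{amp:.0f}")
        if any_frac > any_limit:
            reasons.append(f"{any_frac:.0%} ANY queries")
        if reasons:
            flagged[src] = reasons
    return flagged
```

Running `analyze(SAMPLE_LOG.splitlines())` reports only 203.0.113.7, on all three counts; the two clients issuing ordinary A and MX lookups at a low rate are left alone.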
</body>
</html>