Denying AXFR
Wesley Griffin
wgriffin at sparta.com
Mon Feb 14 19:36:45 UTC 2005
I'm trying to get NSD to deny AXFRs for the zones it's serving. I'm compiling
--with-libwrap (although I think that's unnecessary as it looks like the
default is to go ahead and link with libwrap). This is with 2.2.0.
Anyway, I've tried a number of different combinations in /etc/hosts.allow
(and /etc/hosts.deny, although from reading hosts_options(5) on FreeBSD it
looks like hosts.deny has been deprecated) and I cannot get NSD to refuse
AXFRs.
Here is what I've tried:

/etc/hosts.allow:
    axfr : ALL : deny

/etc/hosts.allow:
    axfr-netsec.tislabs.com. : ALL : deny
    axfr : ALL : deny

/etc/hosts.allow:
    axfr : 127.0.0.1 : deny
    axfr-netsec.tislabs.com. : ALL : deny
    axfr : ALL : deny

None of which cause NSD to refuse AXFR from my localhost.

    % dig @localhost netsec.tislabs.com. Axfr

I've also tried using /etc/hosts.deny per a 2003 message on this list:

/etc/hosts.deny:
    axfr : ALL : deny

/etc/hosts.deny:
    axfr-netsec.tislabs.com. : ALL : deny
    axfr : ALL : deny

But nothing works. Anybody have a working example of denying all AXFRs?
--
Wesley Griffin <wgriffin at sparta.com>