Denying AXFR
Stephane Bortzmeyer
bortzmeyer at nic.fr
Tue Feb 15 21:21:30 UTC 2005
On Mon, Feb 14, 2005 at 02:36:45PM -0500,
Wesley Griffin <wgriffin at sparta.com> wrote
a message of 44 lines which said:
> I'm trying to get NSD to deny AXFRs for the zones its serving.
It is a bit tricky because nsd queries the TCP wrappers with "axfr"
*and* "axfr-TLD". I believe you cannot do it without a general deny
rule. I do it this way (with --with-libwrap as you do):
hosts.deny:
# Default is to refuse
ALL: ALL : spawn /bin/logger -i -p daemon.info "%s REFUSED from %a (%h)" : deny
hosts.allow:
# Local access from AFNIC
axfr: 192.134.4.0/255.255.255.0, 192.134.0.49 : spawn /bin/logger -i -p daemon.info "nsd zone transfer (%s) accepted from %a (%h)" : allow
# Per request from ".si"
axfr-si: X.Y.Z.W/255.255.255.0 : spawn /bin/logger -i -p daemon.info "nsd zone transfer (%s) accepted from %a (%h)" : allow
# Other protocols
sshd: 192.134.4.0/255.255.255.0
More information about the nsd-users
mailing list