Denying AXFR

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Feb 15 21:21:30 UTC 2005


On Mon, Feb 14, 2005 at 02:36:45PM -0500,
 Wesley Griffin <wgriffin at sparta.com> wrote 
 a message of 44 lines which said:

> I'm trying to get NSD to deny AXFRs for the zones its serving. 

It is a bit tricky because nsd queries the TCP wrappers with "axfr"
*and* "axfr-TLD". I believe you cannot do it without a general deny
rule. I do it this way (with --with-libwrap as you do):

hosts.deny:

# Default is to refuse
ALL: ALL : spawn /bin/logger -i -p daemon.info "%s REFUSED from %a (%h)" : deny

hosts.allow:

# Local access from AFNIC
axfr: 192.134.4.0/255.255.255.0, 192.134.0.49 : spawn /bin/logger -i -p daemon.info "nsd zone transfer (%s) accepted from %a (%h)" : allow
# Per request from ".si"
axfr-si: X.Y.Z.W/255.255.255.0 : spawn /bin/logger -i -p daemon.info "nsd zone transfer (%s) accepted from %a (%h)" : allow
# Other protocols
sshd: 192.134.4.0/255.255.255.0
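An added example, not from the post or from NSD itself, that simulates the hosts_access(5) decision so a two-file setup like the one above can be checked offline before it is deployed. The sample files are constructed from the post, with the ".si" address replaced by a placeholder from the 192.0.2.0/24 documentation range, and the querying addresses are likewise made up. It evaluates one daemon-name lookup at a time, which is all the post describes; how nsd combines its "axfr" and "axfr-TLD" lookups is not modelled.

```python
# Added example: simulation of the tcp_wrappers hosts_access(5) decision
# for the daemon names nsd hands to libwrap ("axfr", "axfr-<zone>", ...).
# Supports only the syntax used in the post: ALL, a single address,
# net/mask with a dotted mask, a dotted prefix, and "allow"/"deny" options.
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample files modelled on the post.  192.0.2.0/24 stands in
# for the ".si" secondary (the post's X.Y.Z.W), it is not the real address.
HOSTS_DENY = '''\
# Default is to refuse
ALL: ALL : spawn /bin/logger -i -p daemon.info "%s REFUSED from %a (%h)" : deny
'''

HOSTS_ALLOW = '''\
# Local access from AFNIC
axfr: 192.134.4.0/255.255.255.0, 192.134.0.49 : spawn /bin/logger -i -p daemon.info "nsd zone transfer (%s) accepted from %a (%h)" : allow
# Per request from ".si"
axfr-si: 192.0.2.0/255.255.255.0 : spawn /bin/logger -i -p daemon.info "nsd zone transfer (%s) accepted from %a (%h)" : allow
# Other protocols
sshd: 192.134.4.0/255.255.255.0
'''

# (daemon patterns, client patterns, explicit "allow"/"deny" option or None)
Rule = Tuple[List[str], List[str], Optional[str]]


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: option ...]' lines.

    Simplification: fields are split on ':', so a spawn command must not
    itself contain a colon (true of the commands in the post).
    """
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        verdict = None
        for opt in fields[2:]:
            if opt in ("allow", "deny"):  # "spawn ..." options are ignored here
                verdict = opt
        rules.append((daemons, clients, verdict))
    return rules


def client_matches(pattern: str, addr: str) -> bool:
    """Match one client pattern against a dotted-quad client address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask; ipaddress accepts a dotted mask
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # dotted prefix such as "192.134.4."
        return addr.startswith(pattern)
    return addr == pattern


def rule_matches(rule: Rule, daemon: str, addr: str) -> bool:
    daemons, clients, _ = rule
    return any(d in ("ALL", daemon) for d in daemons) and any(
        client_matches(c, addr) for c in clients
    )


def hosts_ctl(daemon: str, addr: str, allow_text: str = HOSTS_ALLOW,
              deny_text: str = HOSTS_DENY) -> Tuple[str, str]:
    """Return (decision, reason) following hosts_access(5) order:
    the first matching hosts.allow rule grants (unless it says "deny"),
    then the first matching hosts.deny rule refuses (unless it says
    "allow"), and a lookup matching nothing is granted by default.
    That default is why the post needs the general ALL: ALL deny rule."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, addr):
            return (rule[2] or "allow", "hosts.allow")
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, addr):
            return (rule[2] or "deny", "hosts.deny")
    return ("allow", "default")


if __name__ == "__main__":
    for daemon, addr in [("axfr", "192.134.4.10"), ("axfr-si", "192.0.2.7"),
                         ("axfr-si", "198.51.100.1"), ("axfr-fr", "198.51.100.1"),
                         ("sshd", "203.0.113.5")]:
        print(daemon, addr, hosts_ctl(daemon, addr))
    # Same unlisted zone lookup with hosts.deny left empty: falls through to allow.
    print("axfr-fr 198.51.100.1 (no hosts.deny):",
          hosts_ctl("axfr-fr", "198.51.100.1", deny_text=""))
```

The last lookup is the one worth trying on a real installation: an "axfr-TLD" name that appears in neither file is granted by the wrappers' default, so without the ALL: ALL deny rule any host could transfer a zone that has no per-zone entry. The same check can be made against the live files with tcpdmatch(8) from the tcp_wrappers package.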




More information about the nsd-users mailing list