Denying AXFR

Stephane Bortzmeyer bortzmeyer at
Tue Feb 15 21:21:30 UTC 2005

On Mon, Feb 14, 2005 at 02:36:45PM -0500,
 Wesley Griffin <wgriffin at> wrote 
 a message of 44 lines which said:

> I'm trying to get NSD to deny AXFRs for the zones its serving. 

It is a bit tricky because nsd queries the TCP wrappers with "axfr"
*and* "axfr-TLD". I believe you cannot do it without a general deny
rule. I do it this way (with --with-libwrap as you do):


# Default is to refuse
ALL: ALL : spawn /bin/logger -i -p "%s REFUSED from %a (%h)" : deny


# Local access from AFNIC
axfr:, : spawn /bin/logger -i -p "nsd zone transfer (%s) accepted from %a (%h)" : allow
# Per request from ".si"
axfr-si: X.Y.Z.W/ : spawn /bin/logger -i -p "nsd zone transfer (%s) accepted from %a (%h)" : allow
# Other protocols

More information about the nsd-users mailing list