Denying AXFR on FreeBSD
Olafur Osvaldsson
oli at isnic.is
Tue May 10 16:03:14 UTC 2005
Markus,
On Tue, 10 May 2005, Markus Heimhilcher wrote:
> I am using nsd 2.3 compiled with --with-libwrap on FreeBSD 5.3.
> I tried all variations of deny statements in hosts.allow / hosts.deny like:
Are you using the port from /usr/ports/dns/nsd ?
> hosts.allow:
> ALL : ALL : deny
This should be enough.
axfr : <IP> : allow/deny
and
axfr-isnic.is. : <IP> : allow/deny
both work, but don't forget the dot after the domain name.
> When testing the tcp wrapper rules with tcpdmatch everything seems ok.
> The nsd log is also very quiet about AXFRs taking place.
> The only working option to deny AXFRs is to compile nsd without AXFR
> support.
> Could this be a bug of nsd on this platform?
I'm using nsd-2.3.0 from ports which uses libwrap and when trying to axfr from
outside our network it logs:
May 10 15:07:52 aker nsd[11557]: checking axfr-isnic.is.
if denied, but that's it.
/Oli
--
Olafur Osvaldsson
Systems Administrator
Internet a Islandi hf.
Tel: +354 525-5291
Email: oli at isnic.is
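
A lint for the trailing-dot detail in the reply above, as an added example that is not part of the original message or of nsd. It assumes the daemon names are exactly the `axfr` and `axfr-<zone>.` forms given in the message; the rule file, the `example.org` zone and the 192.0.2.x addresses are constructed sample data.

```python
import re

# Constructed sample rules (not from the thread); the second rule lacks the dot.
SAMPLE = """\
# transfers for isnic.is from one secondary
axfr-isnic.is. : 192.0.2.53 : allow
axfr-example.org : 192.0.2.53 : allow
axfr, sshd : 192.0.2.10 : allow
ALL : ALL : deny
"""

def parse_rules(text):
    """Return [(daemons, rest, action)] for every rule line, in file order."""
    rules = []
    # hosts_access(5) lets a rule continue after a backslash-newline.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, rest = line.split(":", 1)
        # With the options syntax the last field may be allow or deny.
        last = rest.rsplit(":", 1)[-1].strip().lower()
        action = last if last in ("allow", "deny") else None
        names = [d.lower() for d in re.split(r"[,\s]+", daemons.strip()) if d]
        rules.append((names, rest.strip(), action))
    return rules

def missing_dot(text):
    """Per-zone daemon names written without the final dot."""
    return [d for names, _, _ in parse_rules(text)
            for d in names if d.startswith("axfr-") and not d.endswith(".")]

def rules_for_zone(text, zone):
    """Rules naming ALL, axfr or axfr-<zone>. (assumed name forms)."""
    wanted = {"all", "axfr", "axfr-" + zone.lower().rstrip(".") + "."}
    return [r for r in parse_rules(text) if wanted & set(r[0])]

if __name__ == "__main__":
    print("missing trailing dot:", missing_dot(SAMPLE))
    for zone in ("isnic.is", "example.org"):
        for names, rest, action in rules_for_zone(SAMPLE, zone):
            print(zone, "<-", ",".join(names), ":", rest)
```

For `example.org` the dot-less rule is not listed, so only the generic `axfr` and `ALL` rules would cover that zone.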