Denying AXFR on FreeBSD

Olafur Osvaldsson oli at isnic.is
Tue May 10 16:03:14 UTC 2005


Markus,

On Tue, 10 May 2005, Markus Heimhilcher wrote:

> I am using nsd 2.3 compiled with --with-libwrap on FreeBSD 5.3.
> I tried all variations of deny statements in hosts.allow / hosts.deny like:

Are you using the port from /usr/ports/dns/nsd ?

> hosts.allow:
> ALL : ALL : deny

This should be enough.

axfr : <IP> : allow/deny
and
axfr-isnic.is. : <IP> : allow/deny

both work, but don't forget the dot after the domain name.

> When testing the tcp wrapper rules with tcpdmatch everything seems ok.
> The nsd log is also very quiet about AXFRs taking place.
> The only working option to deny AXFRs is to compile nsd without AXFR 
> support.
> Could this be a bug of nsd on this platform?

I'm using nsd-2.3.0 from ports, which uses libwrap, and when trying to axfr from
outside our network it logs:

May 10 15:07:52 aker nsd[11557]: checking axfr-isnic.is.

if denied, but that's it.

/Oli

-- 
Olafur Osvaldsson
Systems Administrator
Internet a Islandi hf.
Tel:   +354 525-5291
Email: oli at isnic.is
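
Added example, not part of the original message and not nsd's own code: a small linter for the trailing-dot caveat in the reply above, which scans hosts.allow / hosts.deny text for per-zone `axfr-<zone>` daemon names written without the final dot. The function names, the sample zones and the addresses are constructed for illustration.

```python
"""Flag axfr-<zone> daemon names that lack the trailing dot in tcp wrappers rules."""
import re

def axfr_daemon_name(zone: str) -> str:
    """Per-zone daemon name in the form the message gives: axfr-<zone> plus a trailing dot."""
    return "axfr-" + zone.rstrip(".").lower() + "."

def logical_lines(text: str):
    """Yield (first_line_number, rule), joining backslash continuations, skipping comments."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):          # rule continues on the next physical line
            buf += raw[:-1]
            continue
        rule = (buf + raw).strip()
        first, buf, start = start, "", None
        if rule and not rule.startswith("#"):
            yield first, rule

def lint(text: str):
    """Return (line, name_as_written, corrected_name) for each axfr-<zone> without the dot."""
    findings = []
    for no, rule in logical_lines(text):
        # Split on the first colon only: client lists may hold bracketed IPv6 addresses.
        daemons, sep, _ = rule.partition(":")
        if not sep:
            continue
        for name in re.split(r"[,\s]+", daemons.strip()):
            if name.lower().startswith("axfr-") and not name.endswith("."):
                findings.append((no, name, axfr_daemon_name(name[len("axfr-"):])))
    return findings

# Constructed sample rules (documentation zones and addresses only).
SAMPLE = r"""# hosts.allow
axfr-example.org : 192.0.2.10 : allow
axfr-example.net. : 192.0.2.10, \
    198.51.100.7 : allow
axfr, axfr-example.com : [2001:db8::1] : allow
axfr : ALL : deny
"""

if __name__ == "__main__":
    for line_no, written, fixed in lint(SAMPLE):
        print(f"line {line_no}: '{written}' should be '{fixed}'")
```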
