Denying AXFR on Freebsd

Markus Heimhilcher markus.heimhilcher at univie.ac.at
Tue May 10 17:16:51 UTC 2005


Olafur,

Thanks for the hint!

I found the problem.
First, I tried compiling nsd from the ports, but it didn't help either.
What bit me was a missing <chroot>/etc/hosts.allow file!

What I did was to remove the nsd options from my nsdc.conf bit by bit.
When omitting the -t <chroot> flag, the AXFRs worked as expected. :-)

Regards,
    Markus

Olafur Osvaldsson wrote:

>Markus,
>
>On Tue, 10 May 2005, Markus Heimhilcher wrote:
>
>>I am using nsd 2.3 compiled with --with-libwrap on Freebsd 5.3.
>>I tried all variations of deny statements in hosts.allow / hosts.deny like:
>
>Are you using the port from /usr/ports/dns/nsd ?
>
>>hosts.allow:
>>ALL : ALL : deny
>
>This should be enough.
>
>axfr : <IP> : allow/deny
>and
>axfr-isnic.is. : <IP> : allow/deny
>
>both work, but don't forget the dot after the domain name.
>
>>When testing the tcp wrapper rules with tcpdmatch everything seems ok.
>>The nsd log is also very quiet about AXFRs taking place.
>>The only working option to deny AXFRs is to compile nsd without AXFR 
>>support.
>>Could this be a bug of nsd on this platform?
>
>I'm using nsd-2.3.0 from ports which uses libwrap and when trying to axfr from
>outside our network it logs:
>
>May 10 15:07:52 aker nsd[11557]: checking axfr-isnic.is.
>
>if denied, but that's it.
>
>/Oli
>
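
A small check for the two pitfalls raised in this thread, written here as an added example (it is not code from the thread or from NSD): it assumes nsd was started with -t <chroot> and --with-libwrap, so the hosts.allow that matters is the one inside the chroot, and it flags "axfr-<zone>" daemon names that lack the trailing dot.

```shell
#!/bin/sh
# Added example, not from the thread or from NSD. Verifies the tcp_wrappers
# setup for an nsd running chrooted (-t <chroot>) with libwrap support.
# Usage: check_nsd_wrap /path/to/chroot
#   exit 2: <chroot>/etc/hosts.allow is missing (rules never consulted)
#   exit 1: an "axfr-<zone>" daemon name has no trailing dot
#   exit 0: nothing suspicious found
check_nsd_wrap() {
    chroot_dir=$1
    allow="$chroot_dir/etc/hosts.allow"
    rc=0
    # After chroot, libwrap looks for /etc/hosts.allow relative to the
    # chroot; if it is not there, no deny rule is ever seen.
    if [ ! -f "$allow" ]; then
        echo "MISSING: $allow (wrapper rules inside the chroot)" >&2
        return 2
    fi
    # Each rule is "daemon_list : client_list : option". Zone-specific
    # daemon names must be written like "axfr-isnic.is." (trailing dot).
    while IFS= read -r line; do
        case $line in
            '#'*|'') continue ;;
        esac
        daemons=${line%%:*}
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            case $d in
                axfr-*.) ;;   # zone name ends with a dot: fine
                axfr-*)
                    echo "WARN: daemon '$d' lacks the trailing dot" >&2
                    rc=1 ;;
            esac
        done
    done < "$allow"
    return $rc
}
```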