[nsd-users] Unsecured zone transfers and open resolvers
valentin at databus.ro
Fri Jul 20 07:27:59 UTC 2012
On 7/19/12 10:46 AM, Jan-Piet Mens wrote:
>> I have encountered in my DNS studies a few name servers that let you
>> transfer zones they are authoritative for.
> A number of TLD operators offer AXFR for their zones on purpose (e.g.
> dig @xfr.lax.dns.icann.org . axfr
I am aware of that. But that's just one, you said that there are a
number of TLDs. Which are the other ones? I am curious. Why don't TLDs
like .com or .net or .de offer AXFR for their zones? I guess that .
offers it for improvement of the infrastructure as a whole. As FreeBSD's
"Slaving the following zones (., arpa) from the root name servers has some
1. Faster local resolution for your users
2. No spurious traffic will be sent from your network to the roots
3. Greater resilience to any potential root server failure/DDoS"
And to answer my question about AXFR from the .com TLD. I guess they don't
do it because that would burden their servers and a lot of AXFRs would
lead to DoS.
>> This led me to the conclusion that
>> the sys admins don't pay enough attention or don't really know or
>> understand DNS technology.
> They do. Really. :)
I don't have a strong argument against this so I agree with you for now. As I
have said I don't mean to offend anyone. Although I have a real scenario
in mind. A guy that works for a local University dealing with PR and
other stuff is in charge of the DNS server for a specific department.
The guy is smart but for sure he doesn't *really* understand DNS
technology. And that's not an offense, he knows that too. In my name space
this kind of scenario is easy to find.
Thank you very much for your thoughts JP.
Cheers and Goodwill,
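The thread's concern is authoritative servers that hand out their zone to anyone who asks. The following is an added example, not code from the thread or from NSD: it runs the same `dig @server zone axfr` command quoted above against servers you operate, from a host that should not be allowed to transfer, and classifies the result so accidental open AXFR shows up in an audit. The server and zone names are constructed placeholders.

```python
#!/usr/bin/env python3
"""Audit your own authoritative name servers for unrestricted AXFR."""
import subprocess
from typing import Dict, List, Tuple

# Constructed inventory of (server, zone) pairs: replace with your own servers.
INVENTORY: List[Tuple[str, str]] = [
    ("ns1.example.net", "example.net"),
    ("ns2.example.net", "example.net"),
]


def classify_axfr_output(output: str) -> str:
    """Map raw dig AXFR output to 'open', 'refused' or 'error'.

    A refused/unauthorized transfer prints '; Transfer failed.'; an
    unreachable server prints a timeout or connection error; a successful
    transfer yields resource records, i.e. non-empty lines that are not
    ';' comments.
    """
    lowered = output.lower()
    if "transfer failed" in lowered:
        return "refused"
    for marker in ("connection timed out", "connection refused",
                   "couldn't get address", "no servers could be reached"):
        if marker in lowered:
            return "error"
    records = [ln for ln in output.splitlines()
               if ln.strip() and not ln.lstrip().startswith(";")]
    return "open" if records else "error"


def run_dig_axfr(server: str, zone: str, timeout: int = 5) -> str:
    """Invoke dig exactly as in the thread: dig @server zone axfr."""
    cmd = ["dig", f"@{server}", zone, "axfr", f"+time={timeout}", "+tries=1"]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 5)
        return proc.stdout
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return f";; {exc}"  # comment-only output classifies as 'error'


def audit(inventory=INVENTORY) -> Dict[Tuple[str, str], str]:
    """Return {(server, zone): status}; 'open' means anyone can AXFR the zone."""
    return {(s, z): classify_axfr_output(run_dig_axfr(s, z)) for s, z in inventory}


if __name__ == "__main__":
    for (server, zone), status in audit().items():
        print(f"{server:30} {zone:20} {status}")
```

Any server reported as `open` from a host outside your secondary set should have its transfer ACL (for NSD, the `provide-xfr` entries) tightened.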