From owner-freebsd-security Sun Jul 12 08:27:53 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA04857 for freebsd-security-outgoing; Sun, 12 Jul 1998 08:27:53 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id IAA04850 for ; Sun, 12 Jul 1998 08:27:49 -0700 (PDT) (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 7455 invoked by uid 1001); 12 Jul 1998 15:27:45 +0000 (GMT)
To: maillist@oaks.com.au
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: DNS zone xfers from random(?) sites
In-Reply-To: Your message of "Fri, 10 Jul 1998 21:59:07 +1000"
References: <199807101158.VAA15030@mail.aussie.org>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Sun, 12 Jul 1998 17:27:45 +0200
Message-ID: <7453.900257265@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Basically, what seems to be random sites around the world (e.g. Israel,
> Singapore, France) are downloading the zone file, even where they are not
> secondaries to this domain. I am not seeing this pattern on other domains
> (one or two of them perhaps, but not so many in such a short time). I do
> not recognise the sites that are requesting the transfers.
>
> While I could of course block them from doing this I am curious as to
> whether or not anyone can offer up any suggestion as to _why_ this may be
> happening, and if there is any legitimate explanation for it. The domain
> in question is for a local (Melbourne, Australia) FM radio station (which
> is not even broadcasting at the moment) and I can hardly see it having any
> interest to people in, say, France or Singapore.

We've seen attacks that were directly correlated to zone files being transferred.
Fetch one zone file with a lot of delegations (12000 or so), and then (a few
minutes later) target all the name servers in this zone file with
pop3/imap/portmap/whatever attacks. Additionally, attempt to fetch the zone
files for all the delegated zones also, presumably to use for another attack.

(That's when we turned off zone transfers. Now only select hosts are allowed
to perform zone transfers from our name servers.)

I don't like turning off zone transfers - they are valuable when you're trying
to diagnose network related problems. But with the amount of attacks we saw
that were directly correlated with zone transfers, we didn't have much
choice...

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
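The pattern Steinar describes (one client pulls a parent zone, then comes back for the delegated child zones, none of it from a configured secondary) is easy to spot in transfer logs once you look for it. The script below is an added example, not code from the thread or from any name-server project: it parses transfer-started lines modelled on BIND 9's `xfer-out` log category (an assumption; adjust the regex to whatever your server logs), flags transfers from hosts that are not in an `ALLOWED_SECONDARIES` policy (the hypothetical equivalent of a per-zone `allow-transfer { ...; };`), and reports clients that transferred a zone and later one of its subzones. All log lines and addresses are constructed.

```python
"""Audit name-server transfer logs for AXFR/IXFR requests that did not come
from a configured secondary, and for the parent-then-child pull pattern.

Added example; not code from the original mailing-list thread.  Log format is
modelled on BIND 9's xfer-out category (assumption), sample lines are constructed.
"""
import re
from collections import defaultdict

# Hypothetical policy: which hosts may transfer which zone.  In named.conf the
# same thing is expressed per zone as:  allow-transfer { 192.0.2.53; 198.51.100.53; };
ALLOWED_SECONDARIES = {
    "example.com": {"192.0.2.53", "198.51.100.53"},
}

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
12-Jul-1998 15:01:02.123 xfer-out: info: client 192.0.2.53#49152 (example.com): transfer of 'example.com/IN': AXFR started
12-Jul-1998 15:01:02.456 xfer-out: info: client 192.0.2.53#49152 (example.com): transfer of 'example.com/IN': AXFR ended
12-Jul-1998 15:03:10.001 xfer-out: info: client 203.0.113.7#33001 (example.com): transfer of 'example.com/IN': AXFR started
12-Jul-1998 15:03:11.002 xfer-out: info: client 203.0.113.7#33001 (example.com): transfer of 'example.com/IN': AXFR ended
12-Jul-1998 15:03:12.003 xfer-out: info: client 203.0.113.7#33002 (sub.example.com): transfer of 'sub.example.com/IN': AXFR started
12-Jul-1998 15:05:00.000 xfer-out: info: client 198.51.100.53#40000 (example.com): transfer of 'example.com/IN': IXFR started
"""

# Matches the "transfer ... started" line; "ended" lines are ignored so each
# transfer is counted once.
TRANSFER_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"transfer of '(?P<zone>[^/']+)/IN': (?P<kind>AXFR|IXFR) started"
)


def parse_transfers(log_text):
    """Return one dict per transfer-started line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = TRANSFER_RE.search(line)
        if not m:
            continue
        events.append({
            "ts": " ".join(line.split()[:2]),          # "date time" prefix
            "ip": m["ip"],
            "zone": m["zone"].lower().rstrip("."),
            "kind": m["kind"],
        })
    return events


def unexpected_transfers(events, policy):
    """Transfers whose client is not a configured secondary for that zone.

    A zone with no policy entry has no secondaries at all, so every transfer
    of it is unexpected.
    """
    return [e for e in events if e["ip"] not in policy.get(e["zone"], set())]


def delegation_chains(events):
    """(ip, parent, child) triples: the client pulled `parent` and later pulled
    a zone delegated beneath it.  This is the recon pattern from the thread."""
    pulled = defaultdict(list)      # ip -> zones transferred so far, in order
    chains = []
    for e in events:
        for parent in pulled[e["ip"]]:
            if e["zone"].endswith("." + parent):
                chains.append((e["ip"], parent, e["zone"]))
        pulled[e["ip"]].append(e["zone"])
    return chains


def report(log_text, policy):
    """Human-readable findings; returns the list of lines it would print."""
    events = parse_transfers(log_text)
    lines = []
    for e in unexpected_transfers(events, policy):
        lines.append(f"{e['ts']} UNEXPECTED {e['kind']} of {e['zone']} by {e['ip']}")
    for ip, parent, child in delegation_chains(events):
        lines.append(f"CHAIN {ip} pulled {parent} then delegated zone {child}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, ALLOWED_SECONDARIES):
        print(line)
```

On the constructed log this flags both transfers by 203.0.113.7 and reports that it pulled example.com and then sub.example.com; the two listed secondaries are silent. Running it against a real log is a quick way to decide whether the random sites are just curious resolvers or are walking your delegations before the `allow-transfer` restriction goes in.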