From owner-freebsd-questions Mon May 24 12:19:59 1999 Delivered-To: freebsd-questions@freebsd.org Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id 0AE5F15200 for ; Mon, 24 May 1999 12:19:50 -0700 (PDT) (envelope-from sthaug@nethelp.no) Received: (qmail 36976 invoked by uid 1001); 24 May 1999 19:19:45 +0000 (GMT) To: billf@chc-chimes.com Cc: freebsd-isp@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG Subject: Re: Command: host -l domain.com From: sthaug@nethelp.no In-Reply-To: Your message of "Mon, 24 May 1999 10:36:12 -0400 (EDT)" References: X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Mon, 24 May 1999 21:19:45 +0200 Message-ID: <36974.927573585@verdi.nethelp.no> Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > > But when i do host -l mydomain.com > > it lists everything... > > Is this something in named i can edit to not list? > > Security through obscurity is a really bad idea. What is so precious about > your DNS records that you can't share. Normally I agree. However, I have seen several examples of the following happening in rapid succession: - Downloading the zone file for a TLD (in this case .no). - Using this info to attempt to download the zone files for *all* the subdomains of the TLD. - Using info from these zone files to launch attacks (for instance against the name servers themselves). As one of the persons responsible for the .no domain, I have concluded that the only sensible course for me is to allow zone transfers only to secondaries and to other "well known" sites that I trust not to have evil intentions. Of course, this will not stop a determined attacker - but it *will* slow down or stop a lot of the script kiddies. Good enough for me. Steinar Haug, Nethelp consulting, sthaug@nethelp.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message