Message-Id: <200006301517.e5UFHNn18721@ptavv.es.net>
To: cjclark@alum.mit.edu
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: [Totally Off Topic] Zone Xfers from ISP
In-reply-to: Your message of "Thu, 29 Jun 2000 23:22:48 PDT." <20000629232248.E653@dialin-client.earthlink.net>
Date: Fri, 30 Jun 2000 08:17:23 -0700
From: "Kevin Oberman"

I have long felt that limiting zone transfers was security through obscurity and mostly a waste of time. On the other hand, our DNS servers are a service to our customers, so we block transfers on request but default to open access.

Remember, there is nothing in a zone transfer that is not available by "normal" RRs, and walking the reverse tree will provide a pretty good list of node names with minimal effort.

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net Phone: +1 510 486-8634