Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 24 May 1999 21:19:45 +0200
From:      sthaug@nethelp.no
To:        billf@chc-chimes.com
Cc:        freebsd-isp@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject:   Re: Command: host -l domain.com
Message-ID:  <36974.927573585@verdi.nethelp.no>
In-Reply-To: Your message of "Mon, 24 May 1999 10:36:12 -0400 (EDT)"
References:  <Pine.HPP.3.96.990524103502.13465C-100000@hp9000.chc-chimes.com>

next in thread | previous in thread | raw e-mail | index | archive | help
> > But when i do host -l mydomain.com
> > it lists everything...
> > Is this something in named i can edit to not list?
> 
> Security through obscurity is a really bad idea. What is so precious about
> your DNS records that you can't share.

Normally I agree. However, I have seen several examples of the following
happening in rapid succession:

- Downloading the zone file for a TLD (in this case .no).
- Using this info to attempt to download the zone files for *all* the
subdomains of the TLD.
- Using info from these zone files to launch attacks (for instance
against the name servers themselves).

As one of the persons responsible for the .no domain, I have concluded
that the only sensible course for me is to allow zone transfers only to
secondaries and to other "well known" sites that I trust not to have
evil intentions. Of course, this will not stop a determined attacker -
but it *will* slow down or stop a lot of the script kiddies. Good enough
for me.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?36974.927573585>