[NBLUG/talk] BIND and allow-transfer

Eric Eisenhart eric at nblug.org
Wed Aug 9 09:21:08 PDT 2006


On Wed, Aug 09, 2006 at 08:58:03AM -0700, Sean wrote:
> The last week I have been setting up a pair of BIND DNS servers, and I
> came across a security question I was hoping someone here could clear
> up.
> 
> If allow-transfer in named.conf is set to a specific IP address, do I
> still need to block TCP port 53 to all but my secondary that will be
> pulling the updates? I presume that allowing only my secondary will
> prevent other servers from getting my domain files, but I cannot find
> that information.

So, three things here:

1) You should always allow port 53 both UDP and TCP to your DNS servers. 
Transfers are not the only thing that goes over TCP.  If another server (or
client) has a query with a result that won't fit into a UDP packet it will
mark it as such and the client will send the same request via TCP.  Some
clients seem to ask via TCP just for the heck of it, too.  (perhaps they're
consolidating multiple requests into one...  perhaps the unreliability of
UDP lost something and they fall back to TCP...)

2) DNS is publication and there's a very minimal amount of protection from
blocking zone transfers of public information that you've put up for
publication.  Preventing zone transfers is really just a "security through
obscurity" measure that's unlikely to help you at all.  Securing the
networks and/or the devices/systems is vastly more useful than trying to
hide them in public view.

3) It's possible to simulate a zone transfer only over UDP using a technique
called "NXT walking".  It is possible to block this, but there's other
repercussions and see #2: DNS is publication.

All that said, the DNS servers I deal with all allow both UDP and TCP
connections as do any firewalls between them and the intended clients, but I
still set allow-transfer to just the other systems I expect to hold a copy
of the zone; makes denial of service attacks very slightly harder.

Summary: don't block TCP port 53 to your DNS server.
-- 
Eric Eisenhart
NBLUG Co-Founder
The North Bay Linux Users Group -- http://nblug.org/
eric at nblug.org, IRC: Freiheit at fn AIM: falschfreiheit
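The TC-bit behaviour behind point 1 of the reply above, as an added example in Python (not part of the original post and not BIND code): a constructed, minimal DNS response with the TC flag set, the header parse a resolver performs on it, and the two-byte length framing the retry gets when it is resent over TCP/53. The query id, the name and the flag combination are made up for illustration.

```python
import struct

# Added example (not from the original post): DNS header handling behind
# "TC set -> repeat the query over TCP". Query id, name and answer are
# constructed; the response carries only the question section.

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels (RFC 1035 3.1)."""
    out = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return out + b"\x00"

def build_response(qid: int, qname: str, truncated: bool) -> bytes:
    """Constructed response: header + question only, as a server sends when
    the answer section is dropped because it would not fit in a UDP datagram."""
    flags = 0x8000 | 0x0100 | 0x0080          # QR=1, RD=1, RA=1, RCODE=NOERROR
    if truncated:
        flags |= 0x0200                        # TC: the answer was truncated
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    return header + question

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035 4.1.1)."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def needs_tcp_retry(msg: bytes) -> bool:
    """RFC 1035 4.2.1: a truncated response means the client repeats the
    same query over TCP. Blocking TCP/53 breaks exactly this path."""
    h = parse_header(msg)
    return h["qr"] and h["tc"]

def tcp_frame(msg: bytes) -> bytes:
    """TCP carries the same message behind a 2-byte big-endian length
    prefix (RFC 1035 4.2.2); the bytes after it are identical to UDP."""
    return struct.pack("!H", len(msg)) + msg

def udp_to_tcp_query(response: bytes) -> bytes:
    """Rebuild the original query from the truncated response (same id and
    question, QR cleared, RD set) and frame it for the TCP retry."""
    qid = struct.unpack("!H", response[:2])[0]
    question = response[12:]           # constructed response holds only the question
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return tcp_frame(header + question)

if __name__ == "__main__":
    resp = build_response(0x1234, "example.com", truncated=True)
    print(parse_header(resp))
    if needs_tcp_retry(resp):
        print("TC set; resend over TCP/53:", udp_to_tcp_query(resp).hex())
```

The retry decision depends only on one header bit, which is why a firewall that passes UDP/53 but drops TCP/53 produces intermittent failures rather than a clean error: every answer that fits in a datagram works, and the large ones (many records, DNSSEC material) silently time out.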
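The "NXT walking" of point 3 above, as an added example in Python (not from the original post): NXT was replaced by NSEC in RFC 4034, and the walk works the same way on both, so this simulates an NSEC chain. The zone `example.com.`, its names and type lists are constructed here, and the "server" is a lookup over that constructed chain rather than a real query; a real walk issues the same sequence of ordinary queries over UDP.

```python
# Added example (not from the original post): enumerating a signed zone
# over ordinary queries by following the NSEC chain, i.e. "NXT walking"
# against today's NSEC record. The zone below is constructed, not real.

NSEC_CHAIN = {
    # owner name: (next owner name in canonical order, types present at owner)
    "example.com.":      ("mail.example.com.", ["A", "NS", "SOA", "MX", "DNSKEY", "RRSIG", "NSEC"]),
    "mail.example.com.": ("vpn.example.com.",  ["A", "RRSIG", "NSEC"]),
    "vpn.example.com.":  ("www.example.com.",  ["A", "AAAA", "RRSIG", "NSEC"]),
    "www.example.com.":  ("example.com.",      ["A", "RRSIG", "NSEC"]),  # last record wraps to the apex
}

def canonical_key(name: str):
    """RFC 4034 6.1 ordering: labels compared right to left, case-insensitively;
    a parent name sorts before its children."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))

def nsec_lookup(chain: dict, qname: str):
    """What the server of a signed zone returns for any name: the NSEC record
    whose owner is the largest name <= qname (or the last record, wrapping
    around, when qname sorts before the apex)."""
    qk = canonical_key(qname)
    candidates = [o for o in chain if canonical_key(o) <= qk]
    owner = max(candidates, key=canonical_key) if candidates else max(chain, key=canonical_key)
    nxt, types = chain[owner]
    return owner, nxt, types

def nsec_walk(chain: dict, apex: str, max_steps: int = 100000) -> dict:
    """Enumerate the zone without AXFR: ask for "\\000.<name>", which sorts
    just after <name>, so the covering NSEC is <name>'s own record and its
    'next' field names the following owner. Stop when the chain wraps."""
    found = {}
    current = apex
    for _ in range(max_steps):
        owner, nxt, types = nsec_lookup(chain, "\x00." + current)
        found[owner] = types
        current = nxt
        if current == apex:
            break
    return found

if __name__ == "__main__":
    for name, types in nsec_walk(NSEC_CHAIN, "example.com.").items():
        print(f"{name:22} {' '.join(types)}")
```

The walker never needs TCP or `allow-transfer`: each step is a plain query that any client may send, and the answer is exactly the negative proof DNSSEC requires the server to publish. That is the concrete reason restricting AXFR is only a mild speed bump for a signed zone; the mitigation that exists today is NSEC3 (RFC 5155), which replaces owner names in the chain with hashes, at the cost the reply above alludes to (extra complexity and load for the zone operator).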