Things look quiet here. But I've been doing a lot of blogging at
dan.langille.org because I prefer WordPress now.
Not all my posts there are FreeBSD related.
I am in the midst of migrating The FreeBSD Diary over to WordPress
(and you can read about that here).
Once the migration is completed, I'll move the FreeBSD posts into the
new FreeBSD Diary website.
When you provide DNS, you are giving out a lot of information, and that information is valuable to an attacker. With a simple tool like nslookup, anyone can request a zone transfer and pull down your entire zone. To restrict zone transfers to specified IP addresses, use the boot file directive xfrnets.
For BIND 4
The following is an extract from man named:
The ``xfrnets'' directive (not shown) can be used to implement primitive access control. If this directive is given, then your name server will only answer zone transfer requests from hosts which are on networks listed in your ``xfrnets'' directives. This directive may also be given as ``tcplist'' for compatibility with older, interim servers.
Here's what I added to my /etc/named.boot file (well, I used a different IP
address):
xfrnets 11.22.33.44&255.255.255.255
This states that zone transfers will only be accepted from 11.22.33.44 (the mask 255.255.255.255 matches that single host).
Points to note:
You can include more than one IP address per line, separated by white space.
You can have more than one xfrnets directive per file.
Don't put any white space between the IP address, the '&', and the mask.
With the named.conf syntax used by BIND 8, you can also restrict individual zones to certain addresses:
zone "yourdomain.com" {
    type master;
    file "db.yourdomain";
    allow-transfer { 11.22.33.44; };
};
In both cases, multiple IP addresses can be listed, each ending with a semi-colon (';').
An address range can be specified using the "192.168/16" type of format.
The "/16" is a netmask (prefix length) and would allow zone transfers from any host on the 192.168.0.0 network.
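As an added example (not part of the original Diary post, and not BIND's own code), here is a small Python check that reads the two forms of restriction described above, the BIND 4 xfrnets line and the BIND 8 allow-transfer list, and answers "would this source address be allowed a zone transfer?". The named.boot and named.conf fragments are constructed samples built from the page's own entries; the handling of a mask-less xfrnets entry and of a zone with no allow-transfer clause are this script's assumptions.

```python
import ipaddress
import re
# Constructed named.boot (BIND 4) line: the page's xfrnets entry plus a second network.
NAMED_BOOT = "xfrnets 11.22.33.44&255.255.255.255 192.168.0.0&255.255.0.0\n"
# Constructed named.conf (BIND 8) fragment built around the page's zone statement.
NAMED_CONF = """zone "yourdomain.com" {
    type master;
    file "db.yourdomain";
    allow-transfer { 11.22.33.44; 192.168/16; };
};
"""

def xfrnets_allows(boot_text, source):
    # BIND 4: the mask follows '&' with no white space; several entries per line and
    # several xfrnets (or tcplist) lines are all honoured. No mask = single host (assumption).
    src = ipaddress.ip_address(source)
    for line in boot_text.splitlines():
        parts = line.split()
        if parts and parts[0] in ("xfrnets", "tcplist"):
            for item in parts[1:]:
                addr, _, mask = item.partition("&")
                if src in ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False):
                    return True
    return False

def allow_transfer_entries(conf_text, zone):
    # Entries of the zone's allow-transfer list, or None when the zone has no such clause.
    m = re.search(r'zone\s+"%s"\s*\{(.*?)\n\};?' % re.escape(zone), conf_text, re.S)
    acl = m and re.search(r"allow-transfer\s*\{([^}]*)\}", m.group(1))
    return [e.strip() for e in acl.group(1).split(";") if e.strip()] if acl else None

def acl_allows(entries, source):
    # BIND 8 address list: 'any' opens it to everyone; a bare address is one host; the
    # short "192.168/16" form from the text is a prefix, missing octets filled with 0.
    src = ipaddress.ip_address(source)
    for entry in entries:
        if entry == "any":
            return True
        addr, _, plen = entry.partition("/")
        addr = ".".join(addr.split(".") + ["0"] * (3 - addr.count(".")))
        if src in ipaddress.ip_network(f"{addr}/{plen or 32}", strict=False):
            return True
    return False

def zone_allows(conf_text, zone, source):
    # A missing clause counts as open here, assuming no global allow-transfer restricts it.
    entries = allow_transfer_entries(conf_text, zone)
    if entries is None or "any" in entries:
        return "open-to-all"
    return "allowed" if acl_allows(entries, source) else "refused"
```

Run it against your real named.boot or named.conf with the address of a host that should NOT be allowed; a verdict of "allowed" or "open-to-all" means the restriction is not doing what you intended.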