The FreeBSD Diary


Providing practical examples since 1998



DNS - restricting zone transfers 31 December 1998
When you run a DNS server, you are giving out a lot of information about your network. A zone transfer hands an attacker every host name and address in the zone in one request, and a simple tool like nslookup (its ls command) is enough to ask for one. To restrict zone transfers to specified IP addresses under BIND 4, use the boot file directive xfrnets.
For BIND 4
The following is an extract from man named:
The ``xfrnets'' directive (not shown) can be used to implement primitive access control. If this directive is given, then your name server will only answer zone transfer requests from hosts which are on networks listed in your ``xfrnets'' directives. This directive may also be given as ``tcplist'' for compatibility with older, interim

Here's what I added to my /etc/named.boot file (well, I used a different IP address):


This states that zone transfers can be accepted from

Points to note:

  • You can include more than one IP address per line, separated by white space.
  • You can have more than one xfrnets directive per file.
  • Don't put any white space between the IP address and the mask.
Under BIND 8, the equivalent is the allow-transfer option in named.conf. Applied to every zone the server carries, it looks like this (each address element in the list below stands for an address of your own):
options {
	allow-transfer { <address>; <address>; };
};

Or you can restrict certain zones to certain addresses:

zone "<your-zone>" {
	type master;
	file "db.yourdomain";
	allow-transfer { <address>; };
};

In both cases, multiple IP addresses can be listed, each ending with a semi-colon (';'). An address range can be specified using the shortened "192.168/16" form. The "/16" is a prefix length (the first 16 bits, i.e. a 255.255.0.0 netmask) and would allow zone transfers from any address in the 192.168.0.0/16 network. The list is consulted in order, and a client that matches nothing in it is refused.
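The following is an added example and is not code from the original article or from BIND itself. It models, offline, how a BIND address list (the allow-transfer list above, or the networks of a BIND 4 xfrnets line) decides whether a client may transfer, including the shortened "192.168/16" form, and it includes a minimal raw AXFR probe you can point at your own server to confirm from the outside that it refuses transfers, the same check the article makes with nslookup. The zone example.com, the transaction ID, the sample addresses and the constructed REFUSED reply are mine; reading the BIND 4 form as "address&mask" with no whitespace is my assumption, since the page only shows the BIND 8 syntax.

```python
"""Added example (not from The FreeBSD Diary or BIND): a model of BIND's
allow-transfer / xfrnets matching plus a raw AXFR probe over TCP."""
import ipaddress
import socket
import struct

AXFR, IN = 252, 1          # QTYPE AXFR and QCLASS IN (RFC 1035)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def expand_bind_prefix(entry: str) -> ipaddress.IPv4Network:
    """Turn one address-list element into a network.

    Accepts the BIND 8 short prefix ("192.168/16"), a bare address (one
    host, /32) and the BIND 4 xfrnets "address&mask" form (assumption: the
    mask follows '&' with no whitespace, as the article's third note says).
    """
    entry = entry.strip().rstrip(";")
    if "&" in entry:                       # BIND 4: 192.168.0.0&255.255.0.0
        addr, mask = entry.split("&", 1)
        return ipaddress.IPv4Network((addr, mask), strict=False)
    if "/" in entry:                       # BIND 8: 192.168/16
        addr, plen = entry.split("/", 1)
        plen = int(plen)
    else:                                  # bare address: a single host
        addr, plen = entry, 32
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"bad address element {entry!r}")
    octets += ["0"] * (4 - len(octets))    # pad the shortened form
    return ipaddress.IPv4Network((".".join(octets), plen), strict=False)


def transfer_allowed(acl: list[str], client: str) -> bool:
    """Decide as named does: the first matching element wins, a matching
    '!' element denies, 'any'/'none' match everything/nothing, and a
    client that matches no element is refused. Named ACLs and TSIG keys
    are not modelled."""
    client_addr = ipaddress.IPv4Address(client)
    for raw in acl:
        element = raw.strip().rstrip(";")
        negate = element.startswith("!")
        if negate:
            element = element[1:].strip()
        if element == "any":
            matched = True
        elif element == "none":
            matched = False
        else:
            matched = client_addr in expand_bind_prefix(element)
        if matched:
            return not negate
    return False


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """Build a TCP (length-prefixed) DNS query for <zone> AXFR IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # id flags qd an ns ar
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in zone.strip(".").split(".")) + b"\x00"
    message = header + qname + struct.pack("!HH", AXFR, IN)
    return struct.pack("!H", len(message)) + message


def parse_axfr_reply(stream: bytes) -> tuple[str, int]:
    """Return (rcode name, answer count) of the first TCP-framed message.
    A refused transfer shows up as ("REFUSED", 0); a permitted one starts
    with NOERROR and the zone's SOA as the first answer record."""
    if len(stream) < 2:
        raise ValueError("no length prefix")
    (length,) = struct.unpack("!H", stream[:2])
    message = stream[2:2 + length]
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}"), ancount


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def probe_axfr(server: str, zone: str, port: int = 53, timeout: float = 5.0) -> tuple[str, int]:
    """Ask `server` for a transfer of `zone` over TCP; only the first
    message is read, which is enough to tell REFUSED from zone data."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(build_axfr_query(zone))
        prefix = _recv_exact(sock, 2)
        (length,) = struct.unpack("!H", prefix)
        return parse_axfr_reply(prefix + _recv_exact(sock, length))


# Constructed sample reply (not captured from a real server): the server
# echoes the question with QR set and RCODE 5 (REFUSED) and no answers.
_query = build_axfr_query("example.com")[2:]
_refused_body = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + _query[12:]
SAMPLE_REFUSED = struct.pack("!H", len(_refused_body)) + _refused_body

if __name__ == "__main__":
    print(parse_axfr_reply(SAMPLE_REFUSED))                  # ('REFUSED', 0)
    for ip in ("192.168.77.1", "10.0.0.1"):
        print(ip, transfer_allowed(["192.168/16"], ip))      # True, then False
```

Run probe_axfr("your.server", "your.zone") from an address outside the list and expect ("REFUSED", 0); from a listed secondary the first message comes back NOERROR with the SOA in the answer section. Two caveats: an address-based list admits anything that can connect from a listed address, and a server that has no secondaries at all should simply use allow-transfer { none; }; so that no transfer is ever answered.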
