RE: DNS zone transfer

[Maximiliano Perez <mp () overflow com ar>]

We were not talking about standards or rfcs. We were talking about why he
couldnt do a zone transfer.

If a want to read a standard i just look it up on the web.

Cheers.

-----Mensaje original-----
De: Ed Schmollinger [mailto:schmolli () frozencrow org]
Enviado el: Monday, June 10, 2002 11:02 AM
Para: David Schwartz
CC: mp () overflow com ar; Vlad; 'Short_Circut'; vuln-dev () securityfocus com
Asunto: Re: DNS zone transfer


On Sun, Jun 09, 2002 at 04:18:38PM -0700, David Schwartz wrote:
> On Sun, 9 Jun 2002 13:28:39 -0300, Maximiliano Perez wrote:
> > They can restrict it via:
> >
> >    - Filtering port 53/tcp, try telneting.
>
>       They can't filter port 53/tcp if the are authoritative for any domains.
> Support for TCP queries is not optional.

No, they can't filter port 53/tcp if they expect zone transfers or large
responses to work.  Being authoritative is independent of the query
mechanism.  RFC compliance requires that TCP support be present, but for
most setups, it can be safely disabled (via FW rules or whatever) for
non-secondaries.  The security (conscious|zealots) like to disable TCP
because it's harder to get an interactive shell on a machine if you can
only talk to it through UDP.

--
Ed Schmollinger - schmolli () frozencrow org