Vulnerability Development mailing list archives

Re: DNS zone transfer


From: Valdis.Kletnieks () vt edu
Date: Sun, 09 Jun 2002 21:33:31 -0400

On Sun, 09 Jun 2002 16:18:38 PDT, David Schwartz said:

      They can't filter port 53/tcp if they are authoritative for any domains.
Support for TCP queries is not optional.

You'd be AMAZED at how many sites don't let a small thing like standards
stand in the way of doing something stupid - top of my pet peeve list
most weeks are sites that reject SMTP 'MAIL FROM:<>' and sites that number
their point-to-point links out of RFC1918 space and then wonder why
path MTU Discovery breaks when a site that implements proper martian
filtering tries to talk to them.  There's a nice IETF draft about other
stupidity being seen on the net here:

http://www.ietf.org/internet-drafts/draft-floyd-tcp-reset-04.txt

Security implication:  Well, if your site insists on advertising its
rampant cluelessness.... ;)


-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
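A check that an authoritative server you run still answers over TCP port 53 (the requirement the quoted reply refers to), as an added example that is not from the original thread; the helper names are mine, and the server and zone passed in are assumed to be ones you administer. The framing and parsing helpers run offline; only check_tcp53 opens a connection.

```python
"""Check that an authoritative nameserver answers DNS over TCP (RFC 1035 s4.2.2); added example."""
import socket
import struct

def build_query(qname: str, qtype: int = 6, txid: int = 0x1234) -> bytes:
    """Build a one-question DNS query (default QTYPE 6 = SOA, QCLASS 1 = IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT 1
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def parse_tcp_response(buf: bytes) -> dict:
    """Strip the length prefix and decode the header fields the check needs."""
    if len(buf) < 2:
        raise ValueError("no length prefix")
    (length,) = struct.unpack("!H", buf[:2])
    msg = buf[2:2 + length]
    if len(msg) != length or length < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "aa": bool(flags & 0x0400), "rcode": flags & 0xF, "answers": an}

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    data = b""  # a TCP read may return only part of the message, so loop
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        data += chunk
    return data

def check_tcp53(server: str, zone: str, timeout: float = 5.0) -> str:
    """Hypothetical helper: return 'ok', 'filtered' (refused/timed out) or 'bad-response'."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(tcp_frame(build_query(zone)))
            prefix = _recv_exact(s, 2)
            body = _recv_exact(s, struct.unpack("!H", prefix)[0])
    except OSError:  # ConnectionError and socket.timeout are OSError subclasses
        return "filtered"
    try:
        resp = parse_tcp_response(prefix + body)
    except ValueError:
        return "bad-response"
    ok = resp["is_response"] and resp["id"] == 0x1234 and resp["rcode"] == 0
    return "ok" if ok else "bad-response"
```

A result of "filtered" for a server listed in your zone's NS set is the misconfiguration the thread describes: the server cannot serve answers that exceed the UDP limit, and zone transfers to secondaries fail.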
