Re: DNS zone transfer

[Edwin Groothuis <edwin () mavetju org>]

On Sun, Jun 09, 2002 at 05:35:41PM +0200, Ralf Vitasek wrote:
> Vlad wrote:
> > Is it possible to remotely retrieve all DNS records from a server
> > *without* knowing the specific zones it hosts? 
> > (cause then I can script "dig @dns-server.ip zone-domain ALL" )
> >
> > If it matters the server runs the DNS service on Win2k and I've got no
> > preferance for Windows or *NIX tools. Any will do.
>
> i doubt that such a thing is possible, i would think of an information 
> leak otherwise.
> for the dns`s servers (all bind on linux) i always even prohibit axfr's 
> for domains to unathorized hosts (i.e. i just allow my secondary 
> nameservers to do that).
>
> what *good* use anyone could have for such a thing?

Auditing. Not all information gathering is used for bad purposes :-)

For example, I've developed an DNS auditing system to check the
state of health of our servers, the ones which we (were) delegated
(delegating) to... Warnings kept popping up for weeks after the
transfers of domain from a remote server to us or from us to another
remote server. If you don't check and complain your DNS-network is
going to be a mess, mail won't be transfered anymore, hosts will
resolve wrong and all kind of things based on hostname-authorisations
will go bad.

Edwin

-- 
Edwin Groothuis      |           Personal website: http://www.MavEtJu.org
edwin () mavetju org    |        Interested in MUDs? Visit Fatal Dimensions:
bash$ :(){ :|:&};:   |                    http://www.FatalDimensions.org/