mailing list archives
Re: Full zone information disclosure on top level domain name servers
From: Jim Reid <jim () rfc1035 com>
Date: Sun, 20 Oct 2002 13:25:15 +0100
"Mans" == =?ISO-8859-1?Q?M=E5ns Nilsson?= <ISO-8859-1> writes:
>> Many of top level domain (TLD) DNS servers do not implement any
>> restrictions on AXFR query.
Mans> And this is not a problem from an information disclosure
Mans> point of view. If you believe you have a security problem
Mans> when AXFR is possible for a given zone, you obviously have a
Mans> very serious security problem in the rest of your systems
Mans> since you so desperately need to hide them.
Indeed. And you have an even bigger security problem if you think that
preventing zone transfers will deny access to data that's entered into
the public DNS. This approach isn't even a credible attempt at
security by obscurity, which we should all realise is no security at
all. It's fuzzy and misplaced feeling of security though half-hearted
and ineffective obscurity.
BTW, many TLD registries restrict zone transfers for reasons other
than the operational ones Mans mentioned. For example, it reduces
cybersquatting by stupid/evil people who would like to have a copy of
the TLD zone file to see what domain names they can register. EU data
protection legislation is another.