Vulnerability Development mailing list archives
Re: DNS zone transfer
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 10 Jun 2002 21:24:27 -0500
On Mon, 2002-06-10 at 09:02, Ed Schmollinger wrote:
> No, they can't filter port 53/tcp if they expect zone transfers or large responses to work. Being authoritative is independent of the query mechanism. RFC compliance requires that TCP support be present, but for most setups, it can be safely disabled (via FW rules or whatever) for non-secondaries. The security (conscious|zealots) like to disable TCP because it's harder to get an interactive shell on a machine if you can only talk to it through UDP.

I don't want to drift further off-topic, but appending -u to netcat isn't that much harder...

Regards,
Frank