[dns-operations] axfr to stop spoofing
peter at peter-dambier.de
Wed Mar 22 08:27:29 UTC 2006
AXFR uses tcp. You have to build a connection or nothing will be sent.
Publishing the same data using http and ftp is a good idea. You download the root-zone and never need to
bother the root-servers again. Update at least once a month.
tcp is more stress on your nameserver than udp is.
But on the other hand one legal tcp is less stress than twenty
illegal udp attackers.
Why was axfr broken in the first place?
Because your servers are clandestine?
Then stop publishing them. DNS is not for you - use /etc/hosts
The only people profiting from clandestine entries in zone-files
are spammers and phishers.
Ok, this solves only part of the puzzle but it could take stress
away from the rest. Nobody needs to fear the sky is falling down
when the root-servers hiccup.
AXFRed data could no longer be spoofed. It makes sense to
exchange zone-files with your friends.
Peter and Karin
Peter and Karin Dambier
The Public-Root Consortium
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
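Added example, not part of Peter's message or any project's code: it shows the 2-byte length framing an AXFR query carries over TCP and the receiver-side checks (transaction id and question echoed in every message, records bracketed by two SOAs with the same serial) that make a transfer hard to spoof or truncate unnoticed. It runs offline against constructed bytes; ns.example and hostmaster.example are placeholder names, not real root data.

```python
import struct
AXFR, NS, SOA, IN = 252, 2, 6, 1  # RR type / class codes used below

def encode_name(name):
    # wire-format name; the root zone "." is a single zero byte
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_axfr_query(zone, txid):
    """AXFR query framed for TCP: a 2-byte length prefix precedes the DNS message."""
    msg = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack(">HH", AXFR, IN)
    return struct.pack(">H", len(msg)) + msg

def skip_name(buf, off):
    """Offset just past a wire-format name (label sequence or compression pointer)."""
    while buf[off] and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 == 0xC0 else 1)

def check_axfr(query, stream):
    """Accept the TCP stream only if every message echoes our txid and question
    and the records run from the SOA to a second SOA with the same serial."""
    txid, question, records, i = struct.unpack(">H", query[2:4])[0], query[14:], [], 0
    while i < len(stream):
        n = struct.unpack(">H", stream[i:i + 2])[0]
        msg = stream[i + 2:i + 2 + n]; i += 2 + n
        hdr = struct.unpack(">HHHHHH", msg[:12])  # id, flags, qd, an, ns, ar
        off = skip_name(msg, 12) + 4
        if hdr[0] != txid or not hdr[1] & 0x8000 or msg[12:off] != question:
            return False  # wrong transaction id, not a response, or other question
        for _ in range(hdr[3]):
            off = skip_name(msg, off)
            rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            rdata = msg[off + 10:off + 10 + rdlen]; off += 10 + rdlen
            if rtype == SOA:  # serial follows the MNAME and RNAME fields
                o = skip_name(rdata, skip_name(rdata, 0))
            records.append((rtype, struct.unpack(">I", rdata[o:o + 4])[0] if rtype == SOA else None))
    return (len(records) >= 2 and records[0][0] == records[-1][0] == SOA
            and records[0][1] == records[-1][1])

def build_sample_transfer(txid, serial, truncated=False):
    """Constructed data (not the real root zone): SOA, NS, closing SOA over two TCP messages; truncated=True drops the closing SOA."""
    rr = lambda t, rd: encode_name(".") + struct.pack(">HHIH", t, IN, 3600, len(rd)) + rd
    soa = rr(SOA, encode_name("ns.example") + encode_name("hostmaster.example")
             + struct.pack(">IIIII", serial, 1800, 900, 604800, 86400))
    question = encode_name(".") + struct.pack(">HH", AXFR, IN)
    msgs = [[soa, rr(NS, encode_name("ns.example"))], [] if truncated else [soa]]
    bodies = [struct.pack(">HHHHHH", txid, 0x8400, 1, len(a), 0, 0) + question + b"".join(a) for a in msgs]
    return b"".join(struct.pack(">H", len(b)) + b for b in bodies)
```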