[dns-operations] Stunning security discovery: AXFR may leak information

Mark Andrews marka at isc.org
Tue Apr 14 19:57:01 UTC 2015

In message <D152DE14.ADD3%edward.lewis at icann.org>, Edward Lewis writes:
> On 4/14/15, 14:47, "Marjorie" <marjorie at id3.net> wrote:
> >The bottom line is that unrestricted AXFR is generally evil,
> I'd go with "generally unwise".  There are folks that believe it is fine
> to allow access to their zones and I have no reason to say they are
> foolish.  Folks who are not concerned with the minutia of operating their
> DNS server most likely would not want to allow the access and the tools
> they use should meet their likely expectations.

For in-addr.arpa and ip6.arpa zones it is pointless to prevent zone
transfers if you can query the zones.  There is too much structure
to the zones to prevent them being walked.

If you have in-addr.arpa and ip6.arpa zones it is mostly pointless
to block access to the corresponding forward zones as the in-addr.arpa
and ip6.arpa zones give away all the names.

With split horizion, you can usually guess the contents of the
public zones anyway.

Blocking axfr doesn't prevent tcp sockets being used.

Basically all blocking axfr does is give you a false sense of
security for typical zones.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list