Hurricane Electric's IPv6 Tunnel Broker Forums



Author Topic: Security of opening AXFR requests  (Read 5680 times)

jstarcher

  • Newbie
  • *
  • Posts: 2
Security of opening AXFR requests
« on: September 26, 2012, 06:08:06 AM »

I want to use HE for my slave servers but I am concerned about the security implications of allowing all AXFR requests from my nameservers to HE. For example, if a client adds a domain on my network and then a malicious user decided to create an HE account and add the domain as a slave then the user would have full access to the dns zone.

Is there any way to make this more secure?

snarked

  • Hero Member
  • *****
  • Posts: 757
Re: Security of opening AXFR requests
« Reply #1 on: September 26, 2012, 11:20:44 AM »

Please explain:  How could a malicious user add a domain to HE's name servers when you have already defined that domain with HE's servers as a slave (or secondary) zone?

jstarcher

  • Newbie
  • *
  • Posts: 2
Re: Security of opening AXFR requests
« Reply #2 on: September 26, 2012, 12:50:36 PM »

Let's say I have 100 domains on my Primary name servers but want to use HE as a slave for a handful of them. Once I allow ns1.he.net to receive responses to AXFR requests then any domain which has not been added to HE could be added by a malicious user to pull the DNS zone. My understanding is my only option for securing this hole is to manually add every domain which is on my primary to my HE slave.

I understand that this may be out of the scope of an already amazing, free, DNS service but I just wanted to make sure I'm not missing something and also point out this hole for other users.
« Last Edit: September 26, 2012, 12:52:42 PM by jstarcher »

kcochran

  • Sr. Network Engineer, Hurricane Electric
  • Administrator
  • Sr. Member
  • *****
  • Posts: 413
Re: Security of opening AXFR requests
« Reply #3 on: September 26, 2012, 11:53:49 PM »

I know with BIND at least, you can put the allow-transfer statement in a zone stanza, so only the permitted IPs can transfer that zone.  You don't have to do it globally.

chaz6

  • Newbie
  • *
  • Posts: 12
Re: Security of opening AXFR requests
« Reply #4 on: September 27, 2012, 02:45:24 AM »

The best way to do this is using TSIG keys, however very few services support this so your next best option is to permit the IP address of the source of the AXFR query.
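The two suggestions above (a per-zone allow-transfer in reply #3, TSIG keys in reply #4) side by side, as an added BIND 9 named.conf example that is not from any poster in this thread. The addresses, file paths, key name and secret are placeholders; substitute the transfer source address HE gives you for the zones you actually add there. The point is the global default of none: a zone that is never listed can be pulled by nobody, regardless of who creates a matching secondary zone elsewhere.

```conf
// Added example, not from the thread: per-zone AXFR policy in BIND 9.
// Every address, path, key name and secret here is a placeholder.

// Global default: no transfers at all. Zones opt in individually below,
// so a zone that is not mirrored anywhere cannot be pulled by anyone.
options {
    allow-transfer { none; };
};

// TSIG key for a secondary that supports it. Generate the secret with
// tsig-keygen and hand it to the secondary's operator out of band.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder, never commit a real one
};

// Zone mirrored to a secondary we can only identify by source address:
// only these addresses may AXFR this zone, and only this zone.
zone "example.com" {
    type master;
    file "/etc/bind/zones/example.com.zone";
    allow-transfer { 192.0.2.10; 2001:db8::10; };   // placeholder secondary addresses
    also-notify    { 192.0.2.10; 2001:db8::10; };
};

// Zone mirrored to a secondary that supports TSIG: the request must be
// signed with xfer-key, so the right source address alone is not enough.
zone "example.net" {
    type master;
    file "/etc/bind/zones/example.net.zone";
    allow-transfer { key "xfer-key"; };
};

// Zone that is not mirrored at all: no allow-transfer here, so it inherits
// { none; } from options and the addresses permitted above cannot pull it.
zone "example.org" {
    type master;
    file "/etc/bind/zones/example.org.zone";
};
```

Check the result rather than trusting it: run named-checkconf, then from one of the permitted addresses try `dig @<your-primary> example.org AXFR` and confirm it ends in "Transfer failed." while the same query for example.com succeeds. For the TSIG zone, `dig -y hmac-sha256:xfer-key:<secret> @<your-primary> example.net AXFR` should succeed and the unsigned form should be refused. Source-address ACLs are the weaker of the two because they trust the network path; TSIG authenticates the requester, which is why it is the preferred option where the secondary supports it.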

snarked

  • Hero Member
  • *****
  • Posts: 757
Re: Security of opening AXFR requests
« Reply #5 on: September 27, 2012, 11:10:30 AM »

Cf. #3 - (BIND) ...And when NOT done globally but on a per-zone basis, the remote server can pull ONLY those zones so permitted.

Unless you're using some defective name server software, I don't understand your question because it is inconsistent with the behavior supported.