• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Security of opening AXFR requests

Started by jstarcher, September 26, 2012, 06:08:06 AM

Previous topic - Next topic

jstarcher

I want to use HE for my slave servers but I am concerned about the security implications of allowing all AXFR requests from my nameservers to HE. For example, if a client adds a domain on my network and then a malicious user decided to create an HE account and add the domain as a slave then the user would have full access to the dns zone.

Is there anyway to make this more secure?

snarked

Please explain:  How could a malicious user add a domain to HE's name servers when you have already defined that domain with HE's servers as a slave (or secondary) zone?

jstarcher

#2
Let's say I have 100 domains on my Primary name servers but want to use HE as a slave for a handful of them. Once I allow ns1.he.net to receive responses to AXFR requests then any domain which has not been added to HE could be added by a milicious user to pull the DNS zone. My understanding is my only option for securing this hole is to manually add every domain which is on my primary to my HE slave.

I understand that this may be out of the scope of an already amazing, free, DNS service but I just wanted to make sure I'm not missing something and also point out this hole for other users.

kcochran

I know with  BIND at least, you can put the allow-transfer statement in a zone stanza, so only the permitted IPs can transfer that zone.  You don't have to do it globally.

chaz6

The best way to do this is using tsig keys, however very few services support this so your next best option is to permit the ip address of the source of the axfr query.

snarked

Cf. #3 - (BIND) ...And when NOT done globally but on a per-zone basis, the remote server can pull ONLY those zones so permitted.

Unless you're using some defective name server software, I don't understand your question because it is inconsistent with the behavior supported.