SUMMARY: Security-related issues.. (part 2)

From: Cenon B.C. Marana Jr. <bonn_at_durian.usc.edu.ph>
Date: Sat, 22 Jul 1995 23:52:49 +0800 (HKT)

Thanks to those who responded to my second question, namely:
 
Richard L Jackson Jr <rjackson_at_portal.gmu.edu>
Dan Riley <dsr_at_lns598.lns.cornell.edu>
Paul E. Rockwell <rockwell_at_rch.dec.com>


>Is there a way available for a particular DNS host to refuse to give the
>database it has for all hosts under its domain? (using nslookup or some
>other way..)
>
>Instead it will show something like this one:
>*** Can't list domain domain.name: Query refused

Richard Jackson comments:
------------------------

Fetch rfc1597.txt from nic.ddn.mil. I think it talks about a way to
hide the internal DNS info.


---------------------------------------------------------------------------

Dan Riley comments:
------------------

If you are running Digital Unix 3.2 or later, try the xfrnets directive
in named.boot:

  The xfrnets directive (not shown) can be used to implement primitive access
  control. If this directive is given, your name server only answers zone
  transfer requests from hosts that are on networks listed in your xfrnets
  directives. This directive may also be given as tcplist for compatibility
  with older, interim servers. For example:

       xfrnets 16.0.0.0

Unfortunately, xfrnets is not documented in the 3.2 man pages -- this
should be fixed in the next release.

----------------------------------------------------------------------------

Paul E. Rockwell comments:
-------------------------

Might not be so easy to do.

If a host has access to a DNS server for query resolution, nothing you
can do will prevent a user from getting a list of all hosts on the domain.

Why, you ask?

Well, it's always possible to get the hostname through the in-addr.arpa
domain. All you need to do is to sequence through the IP addresses in the
subnet. For a hypothetical subnet 126.0.0 (subnet of a class A network), you
can do the following.

$ nslookup
> set type=ptr
> 1.0.0.126.in-addr.arpa
> 2.0.0.126.in-addr.arpa
...
> 254.0.0.126.in-addr.arpa

Disabling the in-addr.arpa domain is possible, but there are things
that need it.

Ok, it's a bit time consuming. But you can get the information.

Also, remember that a hacker doesn't need a name to get into a system.
IP addresses work just fine, too. Your best defense is to concentrate on
securing systems and networks, not hiding names.
Received on Sat Jul 22 1995 - 18:14:00 NZST
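The reverse sweep Paul Rockwell walks through by hand (querying 1.0.0.126.in-addr.arpa through 254.0.0.126.in-addr.arpa) is written out below as an added example; it is not part of the original message or of any of the replies. It generalizes the nslookup session to any IPv4 prefix: each address is turned into its in-addr.arpa owner name, a PTR lookup is made, and the names that come back are collected, which is exactly why refusing zone transfers (xfrnets) does not hide a zone's host names. The resolver is pluggable so the logic can be run offline: the default uses the system stub resolver, and the demo runs against a constructed table of invented example.test names standing in for the hypothetical 126.0.0 subnet.

```python
"""Reverse-DNS (PTR) sweep of a subnet, as described in the post.

Added example, not the original author's code. Builds the in-addr.arpa
name for every host address in a prefix and resolves it one query at a
time, so a server that refuses AXFR still leaks its host names.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

Lookup = Callable[[str], Optional[str]]


def ptr_name(ip: str) -> str:
    """Return the in-addr.arpa owner name nslookup would query for `ip`.

    126.0.0.1 -> 1.0.0.126.in-addr.arpa (octets reversed)."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def system_lookup(ip: str) -> Optional[str]:
    """Default resolver: one PTR query through the host's stub resolver.

    Returns None when the name does not exist or the query is refused."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def sweep_ptr(prefix: str, lookup: Lookup = system_lookup,
              include_network_and_broadcast: bool = False) -> Dict[str, str]:
    """Query the PTR record of every host address in `prefix`.

    Returns {dotted_ip: hostname} for the addresses that resolved. By
    default only host addresses are walked (.1 through .254 on a /24),
    matching the manual sequence in the post."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    addrs = net if include_network_and_broadcast else net.hosts()
    found: Dict[str, str] = {}
    for addr in addrs:
        name = lookup(str(addr))
        if name:
            found[str(addr)] = name
    return found


# Constructed sample PTR table standing in for the hypothetical 126.0.0/24
# zone in the post. The host names are invented for this demo (assumption),
# keyed by the in-addr.arpa name the sweep would query.
SAMPLE_PTR = {
    "1.0.0.126.in-addr.arpa": "gw.example.test.",
    "17.0.0.126.in-addr.arpa": "mail.example.test.",
    "200.0.0.126.in-addr.arpa": "ws200.example.test.",
}


def table_lookup(ip: str) -> Optional[str]:
    """Offline resolver that answers from SAMPLE_PTR instead of the network."""
    return SAMPLE_PTR.get(ptr_name(ip))


def demo() -> Dict[str, str]:
    """Sweep the constructed 126.0.0/24 zone without touching the network."""
    return sweep_ptr("126.0.0.0/24", lookup=table_lookup)


if __name__ == "__main__":
    # Replace table_lookup with system_lookup (the default) to sweep a real
    # prefix you are authorized to enumerate.
    for ip, host in sorted(demo().items(),
                           key=lambda kv: ipaddress.IPv4Address(kv[0])):
        print(f"{ip:15} {host}")
```

Running the demo lists the three constructed hosts even though no zone transfer ever happens; pointing `sweep_ptr` at the default resolver does the same against a live prefix, one PTR query per address, which is the "time consuming but possible" path the reply describes. Disabling in-addr.arpa to block this breaks the services that depend on reverse lookups, which is the trade-off the reply points out.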