{"id":1708,"date":"2011-08-31T12:17:15","date_gmt":"2011-08-31T11:17:15","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=1708"},"modified":"2012-08-30T13:00:29","modified_gmt":"2012-08-30T12:00:29","slug":"preventing-dns-zone-transfers-using-acls-in-named-conf","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=1708","title":{"rendered":"Preventing DNS Zone Transfers using ACLs in named.conf"},"content":{"rendered":"<p>DNS servers can be attacked using various techniques including:<\/p>\n<ul>\n<li>DNS spoofing<\/li>\n<li>Cache poisoning<\/li>\n<li>Registration hijacking<\/li>\n<\/ul>\n<p>One of the simplest hardening steps is to strictly limit zone transfers between nameservers by defining an ACL. An unrestricted zone transfer (AXFR) does not by itself cause any of the attacks above, but it hands anyone who asks a complete inventory of your hostnames and addresses, which is the reconnaissance step for all of them. Many system administrators leave BIND able to transfer zones in bulk to hosts outside their network or organisation, because with no allow-transfer statement BIND&#8217;s classic default is to allow transfers to any host. You can prevent this by using ACLs:<!--more--><\/p>\n<p>Define an ACL in the \/etc\/named.conf file (on Debian-based systems the zone definitions usually live in \/etc\/bind\/named.conf.local). For example: IPs 192.168.3.15 and 212.34.18.156 are allowed to transfer your zones.<\/p>\n<p><code># vi named.conf<\/code><br \/>\n(sample entry for domain darenmatthews.com (ns1) configuration):<\/p>\n<p><code>acl trusted-servers {<br \/>\n192.168.3.15;  \/\/ ns2<br \/>\n212.34.18.156; \/\/ ns3<br \/>\n};<br \/>\nzone \"darenmatthews.com\" {<br \/>\ntype master;<br \/>\nfile \"zones\/darenmatthews.com\";<br \/>\nallow-transfer { trusted-servers; };<br \/>\n};<br \/>\n<\/code><br \/>\nNote that a zone-level allow-transfer covers only that zone. Either put <code>allow-transfer { trusted-servers; };<\/code> in every zone block, or set <code>allow-transfer { none; };<\/code> once in the <code>options<\/code> block as the server-wide default and override it only in the zones that actually have secondaries; a zone-level statement takes precedence over the options-level one. Secondary (slave) zones with no downstream servers of their own should get <code>allow-transfer { none; };<\/code> as well. An address-based ACL can be tightened further by requiring TSIG-signed transfers (a <code>key<\/code> element in the allow-transfer list), since a source address alone is a weaker credential than a shared secret.<\/p>\n<p>Check the syntax with named-checkconf, then restart named (rndc reload also works on a running server):<br \/>\n<code># \/etc\/init.d\/named restart<\/code><\/p>\n<p><strong>Testing:<\/strong><\/p>\n<p>Use any Linux DNS tool command such as nslookup, host or dig. 
For example, the following uses the host command to request a zone transfer from the server (the record type is given with lowercase -t; uppercase -T only forces TCP, and without a server argument host would treat the word axfr as the name to look up):<\/p>\n<p><code>$ host -t axfr darenmatthews.com ns1.darenmatthews.com<\/code><\/p>\n<p>response:<br \/>\n<code>;; Connection to 74.10.15.34#53(74.10.15.34) for axfr failed: connection refused.<\/code><\/p>\n<p>Read the response carefully. A <em>connection refused<\/em> means nothing accepted the TCP connection on port 53 at all (a firewall, or named not listening on TCP), which would also break transfers to your legitimate secondaries. A transfer blocked by allow-transfer is answered with a REFUSED response instead, in which case host and dig print <code>; Transfer failed.<\/code> and named logs a <code>zone transfer ... denied<\/code> line for the client. Finally, repeat the request from one of the trusted-servers addresses to confirm that your own secondaries can still pull the zone.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>DNS servers can be attacked using various techniques including: DNS spoofing Cache poisoning Registration hijacking One of the simplest hardening steps is to strictly limit zone transfers between nameservers by defining an ACL. An unrestricted zone transfer (AXFR) does not by itself cause any of the attacks above, but it hands anyone who asks a complete inventory of your hostnames and addresses [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[87,84],"tags":[],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1708"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1708"}],"version-history":[{"count":2,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1708\/revisions"}],"predecessor-version":[{"id":1720,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1708\/revisions\/1720"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1708"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
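The post above configures allow-transfer by hand and then tests it with one client query. As an added example (not the post author's code), the Python script below does the two things a practitioner wants to check across a whole server: it parses a named.conf, works out each zone's effective allow-transfer (zone statement, else the options-level default, else BIND's classic default of any) with named ACLs expanded, and flags zones that are open to any host; and it classifies the output of a dig or host AXFR test so an ACL denial ("; Transfer failed.") is not confused with a closed port ("connection refused"). It assumes a flat named.conf with no view or include statements; the sample config and the two client output strings are constructed for this example (the address 74.10.15.34 is reused from the post's own output), and the zone and ACL names are the ones used in the post.

```python
"""Audit allow-transfer in a BIND named.conf and classify AXFR test output.
Added example, not the post author's code. Assumes a flat named.conf (no view
or include) and treats a zone with neither its own allow-transfer nor an
options-level default as open to any host (BIND's classic default)."""
import re

# Constructed sample, not the post's real file: options default none, one zone
# limited to a named ACL, one zone inheriting the default, one left wide open.
SAMPLE_CONF = """
acl trusted-servers { 192.168.3.15; 212.34.18.156; }; // ns2, ns3
options { allow-transfer { none; }; };
zone "darenmatthews.com" {
    type master;
    file "zones/darenmatthews.com";
    allow-transfer { trusted-servers; };
};
zone "example.net" { type master; file "zones/example.net"; };
zone "legacy.example" { type master; allow-transfer { any; }; };
"""
# Constructed client output modelled on dig/host: an ACL denial vs. a closed port.
DENIED_OUTPUT = "; <<>> DiG <<>> axfr darenmatthews.com @ns1\n; Transfer failed.\n"
UNREACHABLE_OUTPUT = ";; Connection to 74.10.15.34#53(74.10.15.34) for axfr failed: connection refused.\n"

def strip_comments(text):
    """Drop /* */, // and # comments so text inside them cannot confuse the parser."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def top_level_blocks(text):
    """Return (header, body) for each top-level `header { body };` statement."""
    blocks, depth, header, body = [], 0, [], []
    for ch in text:
        if ch == "{" and depth == 0:          # header ends, block body starts
            header_txt, depth = "".join(header).strip(" \t\n;"), 1
        elif ch == "}" and depth == 1:        # block body ends
            blocks.append((header_txt, "".join(body)))
            header, body, depth = [], [], 0
        elif depth == 0:
            header.append(ch)
        else:                                 # inside a body, track nested braces
            body.append(ch)
            depth += {"{": 1, "}": -1}.get(ch, 0)
    return blocks

def parse_list(body):
    """Split an address-match-list body such as ' none; ' into its entries."""
    return [e.strip() for e in body.split(";") if e.strip()]

def find_statement(body, name):
    """Entries of `name { ... };` inside a block body, or None when absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(name), body)
    return parse_list(m.group(1)) if m else None

def parse_conf(text):
    """Collect named ACLs, each zone's own allow-transfer, and the options default."""
    acls, zones, default = {}, {}, None
    for header, body in top_level_blocks(strip_comments(text)):
        words = header.split()
        if words and words[0] == "acl":
            acls[words[1].strip('"')] = parse_list(body)
        elif words and words[0] == "options":
            default = find_statement(body, "allow-transfer")
        elif words and words[0] == "zone":
            zones[words[1].strip('"')] = find_statement(body, "allow-transfer")
    return acls, zones, default

def expand(entries, acls, seen=()):
    """Resolve named ACLs recursively; builtins such as any/none stay as names."""
    out = []
    for entry in entries:
        neg, name = entry.startswith("!"), entry.lstrip("!").strip()
        if name in acls and name not in seen:       # nested ACL reference
            sub = expand(acls[name], acls, seen + (name,))
            out.extend(("!" if neg else "") + e for e in sub)
        else:
            out.append(entry)
    return out

def audit(conf_text):
    """Map each zone to (effective allow-transfer entries, True if open to any)."""
    acls, zones, default = parse_conf(conf_text)
    report = {}
    for zone, own in zones.items():
        # zone statement overrides options; no statement anywhere means any (assumed)
        effective = own if own is not None else (default if default is not None else ["any"])
        expanded = expand(effective, acls)
        report[zone] = (expanded, "any" in expanded)
    return report

def classify_axfr(output):
    """Classify dig/host AXFR output: denied by ACL, unreachable, open, or unknown."""
    if "Transfer failed" in output:              # REFUSED rcode: the ACL did its job
        return "denied"
    if "connection refused" in output or "timed out" in output:
        return "unreachable"                      # TCP/53 never answered: not the ACL
    if re.search(r"\sIN\s+SOA\s", output):      # a real transfer begins with the SOA
        return "open"
    return "unknown"

if __name__ == "__main__":
    for zone, (entries, is_open) in audit(SAMPLE_CONF).items():
        print(f"{zone:18} allow-transfer={entries} {'OPEN' if is_open else 'ok'}")
    print(classify_axfr(DENIED_OUTPUT), classify_axfr(UNREACHABLE_OUTPUT))
```

To audit a real server, pass the contents of its named.conf to audit() instead of SAMPLE_CONF, and feed the text of `dig axfr darenmatthews.com @ns1.darenmatthews.com` run from an untrusted address to classify_axfr(); only "denied" confirms that the ACL, rather than a firewall, is what rejected the transfer.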