- <li><em>date</em>: Wed May 12 11:13:24 2004</li>
- <li><em>from</em>: mhw at wittsend.com (Michael H. Warfield)</li>
- <li><em>in-reply-to</em>: <[email protected]></li>
- <li><em>references</em>: <[email protected]></li>
- <li><em>subject</em>: [ale] OT: DNS query (dig) question</li>
> dig @authoritative-server somedomain.com axfr > somedomainhosts.txt
Or "host -l somedomain.com authoritative-server"
Or -a instead of -l. Or "-t AXFR"...
That also does an AXFR and also breaks if the authoritative
server has been set up properly (refusing arbitrary AXFRs).
> Many domain name servers will block zone transfers (a form of
> security through obscurity), so the operation will not always succeed
> (regardless of whether you use nslookup or dig).
It's not security through obscurity.
1) You're not obscuring anything. Someone knows the name, they
can get the address. QED.
2) You ARE breaking the back of automated scanning tools that
transfer whole zones and then scan the resulting addresses.
Side Note... IPv6 cannot be brute-force address scanned. But
if your zone can be transferred, the scanners that are DNS based work. If
you prevent zone transfers, you've eliminated that threat as well.
Blocking zone transfers eliminates very specific threats and vectors
that depend on it.
> --Joe
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale">http://www.ale.org/mailman/listinfo/ale</a>
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | <a rel="nofollow" href="http://www.wittsend.com/mhw/">http://www.wittsend.com/mhw/</a>
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
</pre>
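<p>The point Mike makes in the message above (an open AXFR hands a scanner the whole host list, which is exactly what makes a DNS-based scanner work against IPv6 where brute forcing the address space does not) is easy to see with a little script. This is an added example, not part of the original post: it takes the text output of <code>dig @server somedomain.com axfr</code> on stdin, pulls out every A and AAAA record as a scan target, and recognizes the "; Transfer failed." line that dig prints when the server refuses the transfer. The function name <code>extract_targets</code> and the zone contents are made up for the example; the record layout is dig 9's usual name/TTL/class/type/rdata format.</p>

```shell
#!/bin/sh
# Added example (not from the original post): what a DNS-based scanner does
# with a successful AXFR, and how a refused transfer looks to it.
# extract_targets is a hypothetical name; the zone data below is constructed.

# Read dig-style AXFR output on stdin and print "name address" for every
# A/AAAA record. Exit 2 (printing nothing) if the server refused the
# transfer, exit 1 if the transfer produced no addresses at all.
extract_targets() {
    awk '
        /^; Transfer failed/ || /status: REFUSED/ { refused = 1 }
        # Skip dig comment lines (";" / ";;") and keep only address records.
        $1 !~ /^;/ && ($4 == "A" || $4 == "AAAA") { print $1, $5; found = 1 }
        END { if (refused) exit 2; if (!found) exit 1 }
    '
}

# Constructed sample: what an authoritative server that permits arbitrary
# AXFRs returns. Note the IPv6 host that no address-space sweep would find.
SAMPLE_OPEN='; <<>> DiG 9.18.0 <<>> @ns1.example.com axfr example.com
;; global options: +cmd
example.com.        3600 IN SOA  ns1.example.com. hostmaster.example.com. 2004051201 7200 900 1209600 3600
example.com.        3600 IN NS   ns1.example.com.
ns1.example.com.    3600 IN A    192.0.2.53
www.example.com.    3600 IN A    192.0.2.80
www.example.com.    3600 IN AAAA 2001:db8::80
db.example.com.     3600 IN AAAA 2001:db8:1::d0
example.com.        3600 IN SOA  ns1.example.com. hostmaster.example.com. 2004051201 7200 900 1209600 3600
;; Query time: 3 msec'

# Constructed sample: the same request against a server that restricts
# zone transfers (e.g. BIND allow-transfer { none; }; or a TSIG key only).
SAMPLE_REFUSED='; <<>> DiG 9.18.0 <<>> @ns1.example.com axfr example.com
;; global options: +cmd
; Transfer failed.'

# Wrappers so the two cases can be exercised without a network.
demo_open()    { printf '%s\n' "$SAMPLE_OPEN"    | extract_targets; }
demo_refused() { printf '%s\n' "$SAMPLE_REFUSED" | extract_targets; }

# Stand-alone run: list the targets an open zone leaks, then show the
# refused case. Against a live server you would pipe dig's output instead:
#   dig @authoritative-server somedomain.com axfr | extract_targets
demo_open
demo_refused || printf 'zone transfer refused (exit %d), nothing to scan\n' "$?"
```

<p>Running it prints four targets for the open zone, two of them IPv6 addresses that only a leaked zone could have supplied, and nothing but the refusal notice for the locked-down server. On the server side the corresponding BIND setting is <code>allow-transfer</code> in <code>named.conf</code>: <code>{ any; }</code> is the open case above, while <code>{ none; }</code>, a list of your secondaries' addresses, or <code>{ key name; }</code> with a TSIG key limits transfers to the hosts that actually need them.</p>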
<hr>
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00409" href="msg00409.html">[ale] OT: DNS query (dig) question</a></strong>
<ul><li><em>From:</em> joe at madewell.com (Joe Steele)</li></ul></li>
</ul></li></ul>
</body>
</html>