Stop listing all records in DNS zone

cyberneticos

Hello,

How can you prevent people from listing your entire DNS zone using nslookup?

recursion no; in options is not stopping this.

Thanks!
 
ok I now have this set, and it stopped me from getting the list:

allow-transfer { none;};
version "[null]";

But I am not sure what side effects this could have. Will this prevent multiserver setups from syncing? Or is this ok?

Any help is greatly appreciated.
 
Ok, I ran a test and it seems like multiserver is working. All servers involved in the multisetup have those same named options.

Can anyone confirm that these options are not going to mess anything else up that I could be missing?

Thanks!
 
That's OK,

allow-transfer defines a match list, e.g. IP address(es), that are allowed to transfer (copy) the zone information from the server (master or slave for the zone). The default behaviour is to allow zone transfers to any host. While on its face this may seem an excessively friendly default, DNS data is essentially public (that's why it's there) and the bad guys can get all of it anyway. However, if the thought of anyone being able to transfer your precious zone file is repugnant, or (and this is far more significant) you are concerned about a possible DoS attack initiated by XFER requests, then use the following policy.

The Multiserver function does not use BIND to transfer zones; all updates and transfers are done directly via the DirectAdmin API.
 
Or in other words, as long as you're using the Multiserver option to manage your authoritative DNS on multiple servers you won't have a problem. If you switch to using BIND to slave zones (as in my Master2Slave DNS Replicator, which doesn't require a DirectAdmin license on your DNS server), you'll need to use the IP#s of the slave nameservers instead of none.

Jeff
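To see which allow-transfer list BIND would actually apply to each zone (a global "none" that zones inherit, a per-zone list of slave IPs as Jeff describes, or the "any" default that lets anyone dump the zone), here is an added checker that is not part of this thread or of DirectAdmin. It parses a constructed, simplified named.conf and assumes each top-level block's closing "};" starts a line.

```python
import re

# Constructed named.conf (not the thread's own config): global allow-transfer
# is none, one zone lists its BIND slaves, one inherits, one is left open.
SAMPLE_CONF = """
options {
    recursion no;
    allow-transfer { none; };
};
zone "example.com" {
    type master;
    file "example.com.db";
    allow-transfer { 192.0.2.10; 192.0.2.11; };
};
zone "example.net" {
    type master;
    file "example.net.db";
};
zone "open.example" {
    type master;
    file "open.db";
    allow-transfer { any; };
};
"""

# Top-level options/zone blocks; assumes the closing "};" starts a line.
BLOCK_RE = re.compile(r'(options|zone\s+"([^"]+)")\s*\{(.*?)\n\};', re.S)
XFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')

def parse_acl(body):
    """Return a block's allow-transfer match list, or None if not set."""
    m = XFER_RE.search(body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]

def effective_transfer_policy(conf):
    """Map zone name -> the allow-transfer list BIND actually applies.
    A zone-level statement overrides the global one; with neither set,
    BIND defaults to 'any', which is what lets anyone AXFR the zone."""
    global_acl, zones = None, {}
    for head, name, body in BLOCK_RE.findall(conf):
        if head == "options":
            global_acl = parse_acl(body)
        else:
            zones[name] = parse_acl(body)
    default = global_acl if global_acl is not None else ["any"]
    return {z: (acl if acl is not None else default) for z, acl in zones.items()}
```

Any zone whose list contains "any" is still transferable by every host; zones that only need the DirectAdmin Multiserver sync can keep "none".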
 