Topic: AXFR vulnerability / restrict zone transfer

AXFR vulnerability/ restrict zone transfer
« on: May 04, 2022, 11:19:16 AM »
Hello,

What is the best solution for fixing this?
At the moment my named.conf for the domain looks like this:

Code:
// zone domain.com
zone "domain.com" {type master; file "/var/named/domain.com.db";};
// zone_end domain.com

Does it need to look like this or is there any other solution?

Code:
acl trusted-servers {
        ip1;  // ns1 (placeholder for the secondary's address)
        ip2;  // ns2 (placeholder for the secondary's address)
};
zone "domain.com" {
        type master;
        file "/var/named/domain.com.db";
        allow-transfer { trusted-servers; };
};


Thank you in advance

Re: AXFR vulnerability/ restrict zone transfer
« Reply #1 on: December 01, 2022, 11:52:29 AM »

Yes, that looks correct to me. I have done something similar in my slave DNS config:
Code:
options {
        allow-query     { any; };
        recursion yes;
        /* mixedtribute - disable VERSION.BIND response
         * https://kb.isc.org/docs/aa-00359 */
        version none;

        /* Slave DNS Config :: https://wiki.centos-webpanel.com/slave-dns-server-manager-download-version */
        allow-transfer { DNSMASTERIP; };
        allow-recursion { DNSMASTERIP; };
        notify yes;
        also-notify { DNSMASTERIP; };
        masterfile-format text;
};
« Last Edit: December 01, 2022, 11:55:09 AM by mixedtribute »
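As an added example (not code from either poster or from CWP), the script below audits a named.conf fragment for exactly the weakness this thread is about: a zone whose `allow-transfer` is unset or resolves to `any`. It carries two constructed configurations, the one-line zone from the question (which inherits the server default for transfers) and the ACL-restricted form from the suggested fix with a global `allow-transfer { none; }` added so a zone that forgets its own statement is still closed. The ACL name, file paths and 192.0.2.x addresses are constructed sample values; the parser is a minimal brace matcher written for this example, not a full named.conf grammar.

```python
import re

# Constructed sample configurations for this audit (not taken from the thread).
# WEAK_CONF leaves allow-transfer unset, so the zone inherits the server default
# (historically "any" in BIND); HARDENED_CONF restricts transfers to an ACL and
# sets a global deny so any zone that forgets its own statement is still closed.
WEAK_CONF = '''
acl trusted-servers { 192.0.2.10; 192.0.2.11; };   // ns1, ns2 (constructed addresses)
options { directory "/var/named"; };
zone "domain.com" {type master; file "/var/named/domain.com.db";};
'''

HARDENED_CONF = '''
acl trusted-servers { 192.0.2.10; 192.0.2.11; };
options {
        directory "/var/named";
        allow-transfer { none; };          /* global default: deny AXFR/IXFR */
};
zone "domain.com" {
        type master;
        file "/var/named/domain.com.db";
        allow-transfer { trusted-servers; };
};
'''

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
ADDR_RE = re.compile(r"^!?[0-9A-Fa-f.:]+(/\d{1,3})?$")


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def top_level_blocks(text):
    """Yield (header, body) for each 'header { body };' at this nesting level."""
    i = 0
    while True:
        start = text.find("{", i)
        if start < 0:
            return
        # The header is whatever follows the previous ';' before this brace.
        header = text[i:start].split(";")[-1].strip()
        depth, j = 1, start + 1
        while j < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        if depth:
            raise ValueError("unbalanced braces in configuration")
        yield header, text[start + 1:j - 1]
        i = j


def address_match_list(body, name):
    """Return the entries of 'name { a; b; };' inside body, or None if absent."""
    for header, inner in top_level_blocks(body):
        if header == name:
            return [t.strip() for t in inner.split(";") if t.strip()]
    return None


def audit_named_conf(conf):
    """Report, per zone, the effective allow-transfer policy and any findings."""
    conf = strip_comments(conf)
    acls, zones, global_policy = {}, {}, None
    for header, body in top_level_blocks(conf):
        words = header.split()
        if len(words) >= 2 and words[0] == "acl":
            acls[words[1].strip('"')] = [t.strip() for t in body.split(";") if t.strip()]
        elif words and words[0] == "options":
            global_policy = address_match_list(body, "allow-transfer")
        elif len(words) >= 2 and words[0] == "zone":
            m = re.search(r"\btype\s+(\w+)", body)
            zones[words[1].strip('"')] = (m.group(1) if m else "unknown",
                                         address_match_list(body, "allow-transfer"))

    report = {}
    for name, (ztype, policy) in zones.items():
        # A zone-level statement overrides the one in options {}; otherwise inherit it.
        effective = policy if policy is not None else global_policy
        findings = []
        if effective is None:
            findings.append("allow-transfer not set; inherits the server default")
        else:
            for entry in effective:
                # Expand one level of ACL reference so 'any' hidden in an ACL is caught.
                members = acls.get(entry, [entry])
                if "any" in members:
                    findings.append(f"allow-transfer permits any host via '{entry}'")
                elif entry not in acls and entry not in BUILTIN_ACLS \
                        and not ADDR_RE.match(entry) and not entry.startswith("key "):
                    findings.append(f"unknown ACL or address '{entry}'")
        report[name] = {"type": ztype, "allow_transfer": effective, "findings": findings}
    return report


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for zone, info in audit_named_conf(conf).items():
            print(f"[{label}] {zone} ({info['type']}): "
                  f"allow-transfer={info['allow_transfer']} findings={info['findings']}")
```

Run it against your own named.conf after editing and look for an empty findings list on every zone; it does not descend into `view` blocks, and its comment stripping is naive (a `//` inside a quoted string would be treated as a comment), so treat it as a quick check rather than a replacement for `named-checkconf`.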