[Discuss] DNS question about DNSENUM.PL
Rich Pieri
richard.pieri at gmail.com
Mon Mar 25 19:54:15 EDT 2013
--On Monday, March 25, 2013 6:24 PM -0400 Tom Metro <tmetro+blu at gmail.com>
wrote:
> Disabling zone transfers is an attempt to hide the particulars within a
> zone, but it is imperfect at best, as this information often leaks out
> through other means (mail headers, for example). One possibility is to

It's less about security by obscurity and more about avoiding a denial of
service.

Zone transfers happen over TCP. TCP sockets are stateful connections. Most
name servers are monolithic processes. Thus, it is trivially easy to
monopolize a name server process by sending an AXFR request and then not
dropping the connection. The easiest way to prevent that is to simply say
"no" to the querent and drop the connection on the server side.
--
Rich P.
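
An added example, not part of the original message: one way to confirm that a server says "no" to transfer requests is to audit its configuration. This script assumes a BIND-style named.conf using the allow-transfer option; the sample zones and the helper names (block_after, transfer_acl, audit) are constructed for illustration.

```python
import re

# Constructed sample of a BIND-style named.conf (not from the original post).
SAMPLE_CONF = '''
options { directory "/var/named"; };
zone "open.example"      { type master; file "open.db";   allow-transfer { any; }; };
zone "closed.example"    { type master; file "closed.db"; allow-transfer { none; }; };
zone "secondary.example" { type master; file "sec.db";    allow-transfer { 192.0.2.53; }; };
zone "unset.example"     { type master; file "unset.db"; };
'''

def block_after(text, start):
    """Return the body of the first brace block that opens at or after start."""
    open_at = text.index("{", start)
    depth = 0
    for i in range(open_at, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_at + 1:i]
    raise ValueError("unbalanced braces")

def transfer_acl(block):
    """Return the allow-transfer ACL elements in a block, or None if absent."""
    m = re.search(r"\ballow-transfer\s*\{([^}]*)\}", block)
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]

def audit(conf):
    """Map each zone name to 'refused', 'restricted', 'open' or 'unset'."""
    opts = re.search(r"\boptions\s*\{", conf)
    default = transfer_acl(block_after(conf, opts.start())) if opts else None
    result = {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"', conf):
        acl = transfer_acl(block_after(conf, m.end()))
        acl = default if acl is None else acl   # zone setting overrides options
        if acl is None:
            state = "unset"        # no explicit policy; the server default applies
        elif acl == ["none"]:
            state = "refused"      # transfers are denied to every client
        elif "any" in acl:
            state = "open"         # any client may request a transfer
        else:
            state = "restricted"   # only the listed peers may transfer
        result[m.group(1)] = state
    return result

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Zones reported as "open" or "unset" are the ones to review against the point made above.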