# [SOLVED] DNS and BIND issues - should I worry about that

## huliganaz

Hey, I have a couple of servers running BIND as DNS server. My logs show this stuff:

1 SERVER

```
May 12 12:14:26 ns named[2329]: client 83.171.8.8#54825: transfer of 'alk.lt/IN': AXFR started
May 12 12:14:26 ns named[2329]: client 83.171.8.8#54825: transfer of 'alk.lt/IN': AXFR ended
May 12 14:13:52 ns named[2329]: client 83.171.8.8#50822: transfer of 'alk.lt/IN': AXFR started
May 12 14:13:52 ns named[2329]: client 83.171.8.8#50822: transfer of 'alk.lt/IN': AXFR ended
May 12 16:12:29 ns named[2329]: client 83.171.8.8#36542: transfer of 'alk.lt/IN': AXFR started
May 12 16:12:29 ns named[2329]: client 83.171.8.8#36542: transfer of 'alk.lt/IN': AXFR ended
May 12 18:14:57 ns named[2329]: client 83.171.8.8#55743: transfer of 'alk.lt/IN': AXFR started
May 12 18:14:57 ns named[2329]: client 83.171.8.8#55743: transfer of 'alk.lt/IN': AXFR ended
May 12 20:09:08 ns named[2329]: client 83.171.8.8#38255: transfer of 'alk.lt/IN': AXFR started
May 12 20:09:08 ns named[2329]: client 83.171.8.8#38255: transfer of 'alk.lt/IN': AXFR ended
```

2 SERVER

```
16-May-2006 14:36:44.198 update-security: error: client 217.117.27.5#1050: update 'insolita.lt/IN' denied
16-May-2006 14:43:53.189 update-security: error: client 217.117.27.5#1050: update 'insolita.lt/IN' denied
16-May-2006 14:48:34.478 update-security: error: client 217.117.27.5#1050: update 'insolita.lt/IN' denied
16-May-2006 14:52:34.149 update-security: error: client 217.117.27.5#1050: update 'insolita.lt/IN' denied
16-May-2006 14:54:19.640 update-security: error: client 217.117.27.5#1050: update 'insolita.lt/IN' denied
16-May-2006 14:54:39.876 update-security: error: client 217.117.27.5#1050: update 'insolita.lt/IN' denied
16-May-2006 15:03:43.839 update-security: error: client 217.117.27.5#1050: update 'insolita.lt/IN' denied
16-May-2006 15:03:56.906 update-security: error: client 217.117.27.5#1050: update 'insolita.lt/IN' denied
16-May-2006 15:06:43.868 update-security: error: client 217.117.27.5#1050: update 'insolita.lt/IN' denied
16-May-2006 15:13:53.122 update-security: error: client 217.117.27.5#1050: update 'insolita.lt/IN' denied
```

Should I worry about them?

Any ideas how to get rid of them if they are harmful?


----------

## steveb

If the IP 83.171.8.8 is not one of yours, then you should worry, since someone is doing a zone transfer of all your zones. You should limit zone transfers to hosts you trust:

```
allow-transfer {
        // Zone transfers limited to members of:
        aaa.bbb.ccc.ddd;
        eee.fff.ggg.hhh;
};
```

Or you could add an ACL with allowed hosts (or none if you prefer) and use that:

```
// Set up ACLs
acl "xfer" {
        // Allow no transfers.  If we have other
        // name servers, place them here.
        none;
};

allow-transfer {
        // Zone transfers limited to members of:
        xfer;                   // "xfer" ACL
};
```

cheers

SteveB

----------

## UberLord

 *steveb wrote:*   

> If the ip 83.171.8.8 is not one of yours, then you should worry, since someone is doing a zone transfer of all your zones.

 

Why? It's not like the data should be hidden - there is no point in hiding DNS data.

And it saves CPU time and bandwidth just doing a zone transfer.

Now, if something updates YOUR zone on YOUR server then you have an issue.....

----------

## steveb

 *UberLord wrote:*   

> Why? It's not like the data should be hidden - there is no point in hiding DNS data.
> 
> And it saves CPU time and bandwidth just doing a zone transfer.

 What is the point of allowing everyone to do zone transfers? On all of my zones?

 *UberLord wrote:*   

> Now, if something updates YOUR zone on YOUR server then you have an issue.....

 Definitely!

----------

## UberLord

 *steveb wrote:*   

> *UberLord wrote:*
> > Why? It's not like the data should be hidden - there is no point in hiding DNS data.
> >
> > And it saves CPU time and bandwidth just doing a zone transfer.
>
> What is the point of allowing everyone to do zone transfers? On all of my zones?

 

If I want to know about your zones I do a transfer in one step.

Or I could just recursively query your DNS for every permutation.

Either way, if I want your DNS information I will get it  :Razz: 

Here's what a BIND guide says about it

 *Quote:*   

> allow-transfer defines a match list e.g. IP address(es) that are allowed to transfer (copy) the zone information from the server (master or slave for the zone). The default behaviour is to allow zone transfers to any host. While on its face this may seem an excessively friendly default, DNS data is essentially public (that's why it's there) and the bad guys can get all of it anyway. However if the thought of anyone being able to transfer your precious zone file is repugnant then use the following policy.

 

----------

## huliganaz

That's my second nameserver's IP.

----------

## steveb

 *UberLord wrote:*   

> If I want to know about your zones I do a transfer in one step.
> 
> Or I could just recursively query your DNS for every permutation.

 Uhhh... this will take a long time and I would notice it.  :Wink: 

 *UberLord wrote:*   

> Either way, if I want your DNS information I will get it 

 Hmm.... not 100% correct. I have on my DNS server many zones, which are NOT exposed externally (with views). If I would not have views and I would allow zone transfers, then you would even get my internal DNS data. And I don't want that at all.

 *UberLord wrote:*   

> Here's what a BIND guide says about it
>
> *Quote:*
> > allow-transfer defines a match list e.g. IP address(es) that are allowed to transfer (copy) the zone information from the server (master or slave for the zone). The default behaviour is to allow zone transfers to any host. While on its face this may seem an excessively friendly default, DNS data is essentially public (that's why it's there) and the bad guys can get all of it anyway. However if the thought of anyone being able to transfer your precious zone file is repugnant then use the following policy.

 I know that and that's the reason I use this policy.

cheers

SteveB

----------

## steveb

 *huliganaz wrote:*   

> That's my second nameserver's IP.

 Well... then the first part of your post is okay, but the second is not. It looks like your secondary cannot update zone files (but wants to do it). Correct me if I am wrong...

cheers

SteveB
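Added example, not code from any poster in this thread: a small Python audit over constructed log lines in the two formats shown above. It flags AXFRs from hosts outside a trusted-secondary list (steveb's allow-transfer advice), counts denied dynamic updates per client and zone (the second server's log), and renders the matching allow-transfer stanza. The trusted set `{"83.171.8.8"}` and the extra 198.51.100.7 client are assumptions.

```python
import re

# Constructed sample in the two formats shown in the thread: syslog-style
# AXFR lines and BIND's update-security channel. The 198.51.100.7 client
# is an assumed, untrusted host added for illustration.
SAMPLE_LOG = """\
May 12 12:14:26 ns named[2329]: client 83.171.8.8#54825: transfer of 'alk.lt/IN': AXFR started
May 12 12:14:26 ns named[2329]: client 83.171.8.8#54825: transfer of 'alk.lt/IN': AXFR ended
May 12 13:00:01 ns named[2329]: client 198.51.100.7#40001: transfer of 'alk.lt/IN': AXFR started
16-May-2006 14:36:44.198 update-security: error: client 217.117.27.5#1050: update 'insolita.lt/IN' denied
16-May-2006 14:43:53.189 update-security: error: client 217.117.27.5#1050: update 'insolita.lt/IN' denied
"""

# Only the "started" line is matched so each transfer is reported once.
AXFR_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: transfer of '(?P<zone>[^']+)': AXFR started")
UPDATE_DENIED_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: update '(?P<zone>[^']+)' denied")


def audit_bind_log(text, trusted_secondaries):
    """Return AXFRs from hosts not in trusted_secondaries and a per-(client, zone)
    count of denied dynamic updates."""
    untrusted_axfr = []
    denied_updates = {}
    for line in text.splitlines():
        m = AXFR_RE.search(line)
        if m:
            if m["ip"] not in trusted_secondaries:
                untrusted_axfr.append((m["ip"], m["zone"]))
            continue
        m = UPDATE_DENIED_RE.search(line)
        if m:
            key = (m["ip"], m["zone"])
            denied_updates[key] = denied_updates.get(key, 0) + 1
    return {"untrusted_axfr": untrusted_axfr, "denied_updates": denied_updates}


def render_allow_transfer(trusted_secondaries):
    """Emit the allow-transfer stanza from steveb's post, listing each trusted
    secondary, or 'none;' when no host may transfer."""
    body = "".join(f"        {ip};\n" for ip in sorted(trusted_secondaries))
    return "allow-transfer {\n" + (body or "        none;\n") + "};\n"


if __name__ == "__main__":
    trusted = {"83.171.8.8"}  # assumption: huliganaz's secondary, per the thread
    report = audit_bind_log(SAMPLE_LOG, trusted)
    for ip, zone in report["untrusted_axfr"]:
        print(f"ALERT: AXFR of {zone} by untrusted client {ip}")
    for (ip, zone), n in report["denied_updates"].items():
        print(f"NOTE: {n} denied dynamic update(s) to {zone} from {ip}")
    print(render_allow_transfer(trusted))
```

A repeated "update denied" from a single host is usually a misconfigured client (a secondary or DHCP server trying dynamic updates), so the count per client and zone is what to look at before deciding whether it is hostile.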

----------

## UberLord

 *steveb wrote:*   

> *UberLord wrote:*
> > Either way, if I want your DNS information I will get it
>
> Hmm.... not 100% correct. I have on my DNS server many zones, which are NOT exposed externally (with views). If I would not have views and I would allow zone transfers, then you would even get my internal DNS data. And I don't want that at all.

 

AFAIK zone transfers are only allowed on zones you can get to. So if I can't see your internal views (which I use too btw) I can't get them by default.

So I think I'm still right  :Razz: 

----------

## steveb

 *UberLord wrote:*   

> AFAIK zone transfers are only allowed on zones you can get to. So if I can't see your internal views (which I use too btw) I can't get them by default.

 Of course. But how many people are not familiar with Bind? Let alone views in Bind...

 *UberLord wrote:*   

> So I think I'm still right 

 Okay... You win (does it feel good?)

----------

## UberLord

 *steveb wrote:*   

> *UberLord wrote:*
> > So I think I'm still right
>
> Okay... You win (does it feel good?)

 

Yeah, I got the warm soft fuzzies   :Surprised: 

You?

----------

## steveb

 *UberLord wrote:*   

> Yeah, I got the warm soft fuzzies   

 fuzzies? warm? soft?

 *UberLord wrote:*   

> You?

 Yes! I get them now as well, when I read your answer  :Laughing: 

Thanks for your funny answer  :Smile: 

Kind Regards from Switzerland

Steve

----------

