I'm trying to get NSD to deny AXFRs for the zones it's serving. I'm compiling --with-libwrap (although I think that's unnecessary as it looks like the default is to go ahead and link with libwrap). This is with 2.2.0.

Anyway, I've tried a number of different combinations in /etc/hosts.allow (and /etc/hosts.deny, although from reading hosts_options(5) on FreeBSD it looks like hosts.deny has been deprecated) and I cannot get NSD to refuse AXFRs. Here is what I've tried:

/etc/hosts.allow:
axfr : ALL : deny

/etc/hosts.allow:
axfr-netsec.tislabs.com. : ALL : deny
axfr : ALL : deny

/etc/hosts.allow:
axfr : 127.0.0.1 : deny
axfr-netsec.tislabs.com. : ALL : deny
axfr : ALL : deny

None of which cause NSD to refuse AXFR from my localhost.

% dig @localhost netsec.tislabs.com. axfr

I've also tried using /etc/hosts.deny per a 2003 message on this list:

/etc/hosts.deny:
axfr : ALL : deny

/etc/hosts.deny:
axfr-netsec.tislabs.com. : ALL : deny
axfr : ALL : deny

But nothing works. Anybody have a working example of denying all AXFRs?

-- 
Wesley Griffin <wgriffin at sparta.com>
[On 14 Feb, @ 20:36, Wesley wrote in "Denying AXFR ..."]
> I'm trying to get NSD to deny AXFRs for the zones it's serving. I'm compiling
> --with-libwrap (although I think that's unnecessary as it looks like the
> default is to go ahead and link with libwrap). This is with 2.2.0.

For what it is worth; in future NSD releases all this per zone configuration stuff will be folded into NSD's own .... config file,

grtz
Miek
On Mon, Feb 14, 2005 at 02:36:45PM -0500, Wesley Griffin wrote:
> I'm trying to get NSD to deny AXFRs for the zones it's serving. I'm compiling
> --with-libwrap (although I think that's unnecessary as it looks like the

There's a compile time option for not supporting AXFR altogether, which I found easier to use, since I had the same problem as you. I seem to remember that it logged something somewhere about what keyword I _should_ have used. But I found out after recompile. Checked your syslog?

-- 
Robert Martin-Legène
IT security manager
DK Hostmaster A/S
Wesley,

> I'm trying to get NSD to deny AXFRs for the zones it's
> serving. I'm compiling
> --with-libwrap (although I think that's unnecessary as it
> looks like the
> default is to go ahead and link with libwrap). This is with 2.2.0.

SNAP

> Here is what I've tried:
>
> /etc/hosts.allow:
> axfr : ALL : deny

SNAP

> But nothing works. Anybody have a working example of denying
> all AXFRs?

We have the following line in /etc/hosts.deny on a Debian Linux system:

/etc/hosts.deny:
axfr: ALL
axfr-nl.: ALL

In the file /etc/hosts.allow we have exceptions for this rule like:

/etc/hosts.allow:
axfr: 10.0.0.1

Hope this will help you.

Regards,
Marc
On Mon, Feb 14, 2005 at 02:36:45PM -0500, Wesley Griffin <wgriffin at sparta.com> wrote a message of 44 lines which said:
> I'm trying to get NSD to deny AXFRs for the zones it's serving.

It is a bit tricky because nsd queries the TCP wrappers with "axfr" *and* "axfr-TLD". I believe you cannot do it without a general deny rule. I do it this way (with --with-libwrap as you do):

hosts.deny:
# Default is to refuse
ALL: ALL : spawn /bin/logger -i -p daemon.info "%s REFUSED from %a (%h)" : deny

hosts.allow:
# Local access from AFNIC
axfr: 192.134.4.0/255.255.255.0, 192.134.0.49 : spawn /bin/logger -i -p daemon.info "nsd zone transfer (%s) accepted from %a (%h)" : allow
# Per request from ".si"
axfr-si: X.Y.Z.W/255.255.255.0 : spawn /bin/logger -i -p daemon.info "nsd zone transfer (%s) accepted from %a (%h)" : allow
# Other protocols
sshd: 192.134.4.0/255.255.255.0
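An added example, not from any poster in this thread: a small Python evaluator of the hosts_access(5) first-match order (hosts.allow, then hosts.deny, then grant by default), run over constructed copies of the "axfr : ALL : deny"-in-hosts.allow attempt from the first message and of the default-deny layout above. It asks for both names nsd is said to query, "axfr" and "axfr-<zone>", and returns both verdicts, since the thread does not say how nsd combines them; the X.Y.Z.W network is stood in for by the 192.0.2.0/24 placeholder, and spawn options are parsed but ignored.

```python
import ipaddress

# Constructed sample files, modelled on the two layouts discussed in this thread.
ATTEMPT_ALLOW = "axfr : ALL : deny\n"   # the hosts.allow-only attempt; hosts.deny left empty
ATTEMPT_DENY = ""

HARDENED_DENY = 'ALL: ALL : spawn /bin/logger -i -p daemon.info "%s REFUSED from %a (%h)" : deny\n'
HARDENED_ALLOW = (
    "# Local access from AFNIC\n"
    "axfr: 192.134.4.0/255.255.255.0, 192.134.0.49 : allow\n"
    "# Per request from .si (X.Y.Z.W replaced by the 192.0.2.0/24 placeholder)\n"
    "axfr-si: 192.0.2.0/255.255.255.0 : allow\n"
)

def parse_rules(text):
    """Return (daemons, clients, explicit verdict or None) for each 'daemon : client [: option ...]' line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        # only the allow/deny options change the outcome; spawn and friends are side effects
        verdict = next((f for f in fields[2:] if f in ("allow", "deny")), None)
        rules.append((daemons, clients, verdict))
    return rules

def client_matches(pattern, ip):
    """Client patterns used in the thread: ALL, one address, or net/mask (dotted mask or prefix)."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)

def hosts_access(daemon, ip, allow_text, deny_text):
    """hosts_access(5): first match in hosts.allow grants (unless the rule says 'deny'), then first
    match in hosts.deny refuses (unless it says 'allow'); no match at all means access is GRANTED,
    which is what lets a daemon name with no rule of its own slip through."""
    ip = ipaddress.ip_address(ip)
    for default, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, verdict in parse_rules(text):
            if ("ALL" in daemons or daemon in daemons) and any(client_matches(c, ip) for c in clients):
                return (verdict or default) == "allow"
    return True

def nsd_axfr_verdicts(zone, ip, allow_text, deny_text):
    """nsd 2.x asks the wrappers about 'axfr' and 'axfr-<zone>' (per this thread); both verdicts are
    returned because the thread does not say how nsd combines them."""
    return {name: hosts_access(name, ip, allow_text, deny_text) for name in ("axfr", "axfr-" + zone)}
```

With only "axfr : ALL : deny" in hosts.allow, the "axfr-<zone>" lookup matches nothing and falls through to the default grant; the ALL: ALL deny rule is what closes that gap.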