Thanks to
---------
Reto Lichtensteiger <rali@meitca.com>
Bismark Espinoza <bismark@alta.jpl.nasa.gov>
Wales Wong <wawong@ouhk.edu.hk>
ahoerter@netcom.com
Patrick Gilbert <gilbert@SMTP.Mlink.NET>
"Tony C. Wu" <tonywu@life.nthu.edu.tw>
Magnus Bergman <trident@trisec.net>
Graham Leggett <graham@vwv.com>
"Alvaro Fdez. Lago" <alvaro.fdez@csgestio.cs.unicies.cesga.es>
Answers
-------
1. Only if you don't want other people to be able to do zone transfers of
your domain files ... :-)
Typically, zone transfers are between DNS servers, so someone's got
themselves config'ed to be a secondary for one of the domains this
server carries.
It is also possible to do a zone transfer with dig or nslookup:
% dig axfr <zone>
% nslookup
> ls <zone>
If the entry only shows once in the logs, it'll have been the latter,
otherwise the former reason.
2. Host A.B.C.D is trying to download a zone map from a name server
that may not be under his domain.
Could be a security problem.
3. The name server on A.B.C.D are trying to perform a zone transfer
for z.y.x.in-addr.arpa". You may have specified the
"allow-transfer" option in your named.conf, and A.B.C.D is not on the
list.
4. an "axfr" command causes your server to dump a complete zone file
of the requested domain or subdomain. in this case, an access rule
you defined refused the axfr request.
what might this mean?
a) someone is probing your network for possible hosts to penetrate
or is looking for hosts which might be vulnerable to cookbook attacks
b) someone is trying to debug a problem they're having with your
network, and they want the zone file for some reason
c) another dns server has been configured to be a secondary server
for z.y.x.in-addr.arpa, and is trying to pull the zone file from
your server, which isn't letting it
d) a curious person wants to know more about your network, and is
playing with nslookup or dig
5. A zone xfer is used by a secondary dns server to update missing
information that might have been missing or is expired on a particular
zone.
Security wise, it proves useful to determine the internals of your
network, the HINFO field comes to mind, also revealing host names of
machines on your network like for example: linux01.usc.edu
You can restrict axfr's in BIND 8.1.2. with the allow-transfer option.
http://www.isc.org/bind8/options.html
6. It's ok. A.B.C.D. was trying to do zone transfer while it's not
authorized to. Very likely that A.B.C.D. is some sort of robot that
collects information to build up databases for search engines.
by the way, bind-8.1.2 has been released.
7. It could be. Someone probably tried to dump your reverse-map.
They didn't succeed but you might be intrested of scanning your logs
for other entries from the same host.
8. Usually this is because you have configured your nameserver so
that only approved hosts can do secondary zone transfers, and the
IP address listed in the message tried to get a zone trasnefr from
you, but failed because you haven't allowed it to.
9. Hi,That means someone tried to get a listing of your x.y.z subnet
(the available PTRrecords, more precisely), via DNS zone-transfer
mechanism; and your server is configured to allow zone transfers
*only* from selected hosts. ("allow-query" directive)
Original Question
-----------------
Hi, gurus. I noticed the following in /var/adm/messages, and just
wondering if it's a cause of concern(security-wise):
named[nnn]: unapproved AXFR from A.B.C.D 123 for
"z.y.x.in-addr.arpa" (acl)
BTW, we are running verion 8.1.2-T3B of bind.
Thanks,
Janet Leung, ISD USC, Los Angeles, CA 90087
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:44 CDT