Hello,
I have problems denying AXFRs with nsd.
This topic has been discussed here once, but the solutions don't work for me.
I am using nsd 2.3 compiled with --with-libwrap on FreeBSD 5.3.
I tried all variations of deny statements in hosts.allow / hosts.deny like:
hosts.allow:
axfr: ALL : deny
axfr-zone.: ALL : deny
or
hosts.deny:
axfr: ALL
axfr-zone.: ALL
or
hosts.allow:
ALL : ALL : deny
When testing the TCP wrapper rules with tcpdmatch everything seems OK.
The nsd log is also very quiet about AXFRs taking place.
The only working option to deny AXFRs is to compile nsd without AXFR support.
Could this be a bug of nsd on this platform?
Besides, when will there be the possibility to configure the AXFR permissions in a separate file?
According to Bugzilla this feature should already be included in the 2.3 release of nsd.
Regards,
Markus
Markus,
> I am using nsd 2.3 compiled with --with-libwrap on FreeBSD 5.3.
> I tried all variations of deny statements in hosts.allow / hosts.deny like:
Are you using the port from /usr/ports/dns/nsd ?
> hosts.allow:
> ALL : ALL : deny
This should be enough.
axfr : <IP> : allow/deny
and
axfr-isnic.is. : <IP> : allow/deny
both work, but don't forget the dot after the domain name.
> When testing the TCP wrapper rules with tcpdmatch everything seems OK.
> The nsd log is also very quiet about AXFRs taking place.
> The only working option to deny AXFRs is to compile nsd without AXFR support.
> Could this be a bug of nsd on this platform?
I'm using nsd-2.3.0 from ports which uses libwrap, and when trying to axfr from
outside our network it logs:
May 10 15:07:52 aker nsd[11557]: checking axfr-isnic.is.
if denied, but that's it.
/Oli
Olafur,
Thanks for the hint!
I found the problem.
First, I tried compiling nsd from the ports, but it didn't help either.
What bit me was a missing <chroot>/etc/hosts.allow file!
What I did was to remove the nsd options from my nsdc.conf bit by bit.
When omitting the -t <chroot> flag, the AXFRs worked as expected.
Regards,
Markus
Olafur Osvaldsson wrote:
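As an added illustration, not code from this thread or from nsd itself: a small Python model of the libwrap lookup that bit Markus. It reads hosts.allow and hosts.deny relative to a chroot, so an absent <chroot>/etc/hosts.allow yields no rules and every transfer is allowed; the way nsd combines the "axfr" and "axfr-<zone>." daemon names is an assumption, as are the sample addresses, zone and rule files.

```python
import os
import tempfile

def _parse_rules(path):
    """Read a tcp_wrappers file into (daemons, clients, option) triples. A missing
    file yields no rules, which is how libwrap treats an absent <chroot>/etc/hosts.allow."""
    rules = []
    if not os.path.exists(path):
        return rules
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            fields = [f.strip() for f in line.split(":")]
            if len(fields) < 2:
                continue  # blank line or comment
            option = fields[2].lower() if len(fields) > 2 else None
            rules.append((fields[0].split(), fields[1].split(), option))
    return rules
def _client_matches(patterns, ip):
    # ALL, an exact address, or a dotted prefix such as "192.168." (tcp_wrappers style)
    return any(p == "ALL" or p == ip or (p.endswith(".") and ip.startswith(p)) for p in patterns)
def libwrap_allows(chroot, daemon, ip):
    """One hosts_ctl() lookup: hosts.allow first, then hosts.deny; the first matching rule
    ends the search, an allow/deny option overrides the file's verdict, no match means allow."""
    for fname, verdict in (("hosts.allow", True), ("hosts.deny", False)):
        for daemons, clients, option in _parse_rules(os.path.join(chroot, "etc", fname)):
            if (daemon in daemons or "ALL" in daemons) and _client_matches(clients, ip):
                return option != "deny" if option in ("allow", "deny") else verdict
    return True
def axfr_allowed(chroot, zone, ip):
    """Assumption (not nsd's code): both daemon names are checked and a deny on either
    blocks the transfer. Note the trailing dot on the per-zone daemon name."""
    return libwrap_allows(chroot, "axfr", ip) and libwrap_allows(chroot, "axfr-" + zone + ".", ip)
def demo():
    """Constructed chroots reproducing the thread: no hosts.allow in the chroot, a global
    deny, and a per-zone rule admitting one secondary. Returns (10.0.0.5, 192.0.2.7) verdicts."""
    results = {}
    for name, allow, deny in (("missing-file", None, None),
                              ("global-deny", "ALL : ALL : deny\n", None),
                              ("per-zone", "axfr-isnic.is. : 10.0.0.5 : allow\n", "axfr-isnic.is. : ALL\n")):
        root = tempfile.mkdtemp()  # stands in for nsd's -t <chroot> directory
        os.mkdir(os.path.join(root, "etc"))
        for fname, text in (("hosts.allow", allow), ("hosts.deny", deny)):
            if text is not None:
                with open(os.path.join(root, "etc", fname), "w") as fh:
                    fh.write(text)
        results[name] = (axfr_allowed(root, "isnic.is", "10.0.0.5"), axfr_allowed(root, "isnic.is", "192.0.2.7"))
    return results
```

The "missing-file" scenario is the one from the thread: with no hosts.allow inside the chroot, both addresses are allowed to transfer.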