Denying AXFR

I'm trying to get NSD to deny AXFRs for the zones it's serving. I'm compiling
--with-libwrap (although I think that's unnecessary as it looks like the
default is to go ahead and link with libwrap). This is with 2.2.0.

Anyway, I've tried a number of different combinations in /etc/hosts.allow
(and /etc/hosts.deny, although from reading hosts_options(5) on freebsd it
looks like hosts.deny has been deprecated) and I cannot get NSD to refuse
AXFRs.

Here is what I've tried:

/etc/hosts.allow:
axfr : ALL : deny

/etc/hosts.allow:
axfr-netsec.tislabs.com. : ALL : deny
axfr : ALL : deny

/etc/hosts.allow:
axfr : 127.0.0.1 : deny
axfr-netsec.tislabs.com. : ALL : deny
axfr : ALL : deny

None of which cause NSD to refuse AXFR from my localhost.
    % dig @localhost netsec.tislabs.com. Axfr

I've also tried using /etc/hosts.deny per a 2003 message on this list:

/etc/hosts.deny:
axfr : ALL : deny

/etc/hosts.deny:
axfr-netsec.tislabs.com. : ALL : deny
axfr : ALL : deny

But nothing works. Anybody have a working example of denying all AXFRs?

[On 14 Feb, @ 20:36, Wesley wrote in "Denying AXFR ..."]

I'm trying to get NSD to deny AXFRs for the zones it's serving. I'm compiling
--with-libwrap (although I think that's unnecessary as it looks like the
default is to go ahead and link with libwrap). This is with 2.2.0.

For what it is worth: in future NSD releases all this per-zone
configuration stuff will be folded into NSD's own .... config file.

grtz Miek

For what it is worth: in future NSD releases all this per-zone
configuration stuff will be folded into NSD's own .... config file.

O tempora, o mores!

Nick

There's a compile-time option for not supporting AXFR altogether,
which I found easier to use, since I had the same problem as you.

I seem to remember that it logged something somewhere about what keyword
I _should_ have used. But I found out after recompile. Checked your
syslog?

a message of 44 lines which said:

I'm trying to get NSD to deny AXFRs for the zones it's serving.

It is a bit tricky because nsd queries the TCP wrappers with "axfr"
*and* "axfr-TLD". I believe you cannot do it without a general deny
rule. I do it this way (with --with-libwrap as you do):

hosts.deny:

# Default is to refuse
ALL: ALL : spawn /bin/logger -i -p daemon.info "%s REFUSED from %a (%h)" : deny

hosts.allow:

# Local access from AFNIC
axfr: 192.134.4.0/255.255.255.0, 192.134.0.49 : spawn /bin/logger -i -p daemon.info "nsd zone transfer (%s) accepted from %a (%h)" : allow
# Per request from ".si"
axfr-si: X.Y.Z.W/255.255.255.0 : spawn /bin/logger -i -p daemon.info "nsd zone transfer (%s) accepted from %a (%h)" : allow
# Other protocols
sshd: 192.134.4.0/255.255.255.0
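The following is an added example, not code from the thread or from NSD: a small Python model of how TCP wrappers evaluate hosts.allow and hosts.deny (hosts_access(5) order, with the allow/deny options of hosts_options(5)), applied to the rule sets posted above. It shows why a rule that only names "axfr" leaves the "axfr-<zone>" check untouched, why a zone-specific rule is an exact string match (a trailing dot on the daemon name is enough to miss; the thread does not say which form NSD passes, so check syslog as suggested above), and how the catch-all deny in hosts.deny closes the gap. The daemon name "axfr-netsec.tislabs.com", the client addresses, and the 192.0.2.0/24 network standing in for Stephane's X.Y.Z.W are constructed for illustration. The combination rule in axfr_permitted (transfer goes through if either name is granted) is an assumption drawn from Stephane's remark that a general deny rule is needed; it is not verified against NSD's source.

```python
"""Dry-run model of tcp_wrappers hosts_access(5)/hosts_options(5) evaluation.

Added example for the nsd-users thread on denying AXFR; not NSD's code.
Rule sets and client addresses below are constructed for illustration.
"""
import ipaddress


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option ...]' lines.

    Simplification: fields are split on ':' so a 'spawn' command must not
    itself contain a colon (true for the rules quoted in the thread).
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        options = fields[2:]  # e.g. ['spawn /bin/logger ...', 'deny']
        rules.append((daemons, clients, options))
    return rules


def client_matches(pattern, addr, host=""):
    """Match one client pattern: ALL, net/mask, .domain, 1.2.3., or exact."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # dotted netmask or prefix length
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    if pattern.startswith("."):  # domain suffix on the resolved host name
        return host.endswith(pattern)
    if pattern.endswith("."):  # address prefix such as 192.134.
        return addr.startswith(pattern)
    return pattern == addr or pattern == host


def first_match(rules, daemon, addr, host=""):
    """Return the option list of the first matching rule, or None."""
    for daemons, clients, options in rules:
        if any(d in ("ALL", daemon) for d in daemons) and \
                any(client_matches(c, addr, host) for c in clients):
            return options
    return None


def hosts_access(allow_text, deny_text, daemon, addr, host=""):
    """True if access is granted for (daemon, client).

    Order per hosts_access(5): hosts.allow first, then hosts.deny, else
    grant.  A trailing 'allow'/'deny' option overrides the file's default.
    """
    opts = first_match(parse_rules(allow_text), daemon, addr, host)
    if opts is not None:
        return "deny" not in opts
    opts = first_match(parse_rules(deny_text), daemon, addr, host)
    if opts is not None:
        return "allow" in opts
    return True


def axfr_permitted(allow_text, deny_text, zone, addr, host=""):
    """ASSUMPTION (not verified against NSD): NSD asks the wrappers for both
    'axfr' and 'axfr-<zone>', and the transfer proceeds if either is granted.
    This is the reading that makes a general deny rule necessary, as the
    thread observes.  Whether NSD passes the zone with a trailing dot is
    not stated on the page; this model assumes it does not."""
    return (hosts_access(allow_text, deny_text, "axfr", addr, host) or
            hosts_access(allow_text, deny_text, "axfr-" + zone, addr, host))


# Constructed rule sets mirroring the thread.
WESLEY_ALLOW_1 = "axfr : ALL : deny\n"
WESLEY_ALLOW_2 = "axfr-netsec.tislabs.com. : ALL : deny\naxfr : ALL : deny\n"
AFNIC_DENY = (
    "# Default is to refuse\n"
    'ALL: ALL : spawn /bin/logger -i -p daemon.info "%s REFUSED from %a (%h)" : deny\n'
)
AFNIC_ALLOW = (
    "# Local access from AFNIC\n"
    'axfr: 192.134.4.0/255.255.255.0, 192.134.0.49 : spawn /bin/logger -i -p daemon.info "nsd zone transfer (%s) accepted from %a (%h)" : allow\n'
    "# Per request from .si (192.0.2.0/24 is a constructed stand-in for X.Y.Z.W)\n"
    'axfr-si: 192.0.2.0/255.255.255.0 : spawn /bin/logger -i -p daemon.info "nsd zone transfer (%s) accepted from %a (%h)" : allow\n'
    "# Other protocols\n"
    "sshd: 192.134.4.0/255.255.255.0\n"
)

if __name__ == "__main__":
    zone = "netsec.tislabs.com"
    for label, allow, deny in (("wesley-1", WESLEY_ALLOW_1, ""),
                               ("wesley-2", WESLEY_ALLOW_2, ""),
                               ("afnic", AFNIC_ALLOW, AFNIC_DENY)):
        print(label, "localhost AXFR permitted:",
              axfr_permitted(allow, deny, zone, "127.0.0.1"))
```

On a host that has the tcp_wrappers tools installed, `tcpdmatch axfr 127.0.0.1` (daemon name, then client) evaluates the live hosts.allow and hosts.deny the same way and prints the matching rule, which is the quickest way to confirm that the daemon string NSD logs is the one your rules name.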