>[quoting CERT advisory on what to filter]
> DNS zone transfers - socket 53
Pardon the stupid question. I'm mostly a lurker here, trying to learn
for the day when I actually need to set up one of these beasts. (I know
it will be coming eventually.)
My concern is that DNS zone transfers are the only method I currently
have available to discover services offered by a domain. I frequently
dig an axfr to see if they've got an ftp.foobar.com or a gopher.foobar.com.
I would think the better solution would be to run an external name
server on the outer side of the DMZ, and provide full access to that,
including zone transfers. For the nameserver running on the inner
side of the DMZ, restrict not just zone transfers, but *all* access.
Am I off base in my thinking? Or is the advisory geared to sites that
do not have a firewall, and whose internal name server *is* the external
name server? Until some sort of service discovery protocol is invented
and deployed, I think zone transfers are the only tool we've got.
Chip Rosenthal 512-447-0577 | I'm going out where the lights don't shine so
Unicom Systems Development | bright. When I get back you can treat me like
COM> | a Saturday night. -Jimmie Dale Gilmore
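The split the post proposes (a public-facing name server outside, a locked-down one inside) as an added BIND 9 named.conf sketch; this is not from the original post or its author. The example.com name, the 192.0.2.53 secondary, the 10.0.0.0/8 internal range and the zone file paths are constructed. It adds one caveat the post does not: the outside server hands out zone transfers only to its known secondaries rather than to anyone who asks, while ordinary queries for the public hosts (ftp, www, mail) remain open.

```conf
// Constructed example: one BIND 9 server, two views of the same zone.
// Views are matched in order, so the narrow internal match comes first.

acl internal    { 10.0.0.0/8; 127.0.0.1; };   // constructed: inside the firewall
acl secondaries { 192.0.2.53; };              // constructed: our off-site secondary

view "internal" {
    match-clients { internal; };
    recursion yes;                            // inside hosts may recurse through us
    zone "example.com" {
        type master;
        file "zones/internal/example.com.db"; // hypothetical path: full internal host list
        allow-query    { internal; };         // nothing answered to outsiders
        allow-transfer { none; };             // no AXFR of the internal zone at all
    };
};

view "external" {
    match-clients { any; };                   // everyone who did not match "internal"
    recursion no;                             // authoritative answers only, no recursion
    zone "example.com" {
        type master;
        file "zones/external/example.com.db"; // hypothetical path: public hosts only (www, ftp, mail)
        allow-query    { any; };              // anyone may look up the public names
        allow-transfer { secondaries; };      // AXFR restricted to listed secondaries
    };
};
```

Run `named-checkconf` on the file before loading it; a zone that appears in one view but not the other, or views in the wrong order, is the usual mistake with this layout.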