> If zone transfers are a problem, why not use the BIND 4.8.3 source and
> just hack them out altogether?
Actually, bind 4.9, which just went into beta, has support for screening zone
transfers hacked in already. This allows the administrator to specify those
networks or hosts from which zone transfers will be allowed. Note that the
filtering is done at the DNS level, and does not arbitrarily block all DNS/TCP
connections, but only XFR requests. This is especially helpful if you use the
IBM AIX version of netstat, which uses a TCP connection to the DNS nameserver
(apparently because it expects to make a lot of DNS queries).
The current beta is available via anonymous ftp from gatekeeper.dec.com.
Kudos to Paul Vixie at DECWRL for coordinating the bind 4.9 effort, and for
hacking the zone-transfer restriction so that it doesn't just block TCP
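An added illustration of the distinction made above (not code from the post or from BIND itself): a small Python filter that parses the question section of a DNS query and applies an allow-list only to AXFR/IXFR requests, while ordinary queries arriving over the same TCP connection pass through. The network 192.0.2.0/24, the query names and the source addresses are constructed sample values.

```python
import struct
import ipaddress

QTYPE_IXFR = 251
QTYPE_AXFR = 252

def parse_question(msg: bytes):
    """Return (qname, qtype) from the first question of a DNS message.
    Assumes the 2-byte TCP length prefix has already been stripped."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return ".".join(labels) + ".", qtype

def allow_request(msg: bytes, src_ip: str, xfrnets) -> bool:
    """Ordinary queries always pass; AXFR/IXFR pass only from an allowed network."""
    _, qtype = parse_question(msg)
    if qtype not in (QTYPE_AXFR, QTYPE_IXFR):
        return True
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in xfrnets)

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed sample query in wire format: header plus one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

# Constructed allow-list: the network the secondaries live on.
XFRNETS = [ipaddress.ip_network("192.0.2.0/24")]
```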