Topic: How to secure zone transfers?

Recently I read about AXFR attacks. How can I prevent them in Bind 9?


Re: How to secure zone transfers?

Suppose you have two DNS servers, which we will refer to as ns1 (10.1.1.1) and ns2 (10.1.1.2): ns1 serves as the master for the 'example.com' zone, and ns2 slaves this zone off the primary. To secure your Bind configuration, you should add the following lines to your named.conf:

Master:

acl "xfer" {
        10.1.1.2;
};

zone "example.com" IN {
        type master;
        file "/path/to/zone/file/example.com";
        notify yes;
        allow-update { none; };
        allow-query { any; };
        allow-transfer { xfer; };
};

Slave:

zone "example.com" IN {
        type slave;
        masters { 10.1.1.1; };
        file "/path/to/zone/file/example.com";
        notify no;
        allow-query { any; };
        allow-transfer { none; };
};

To check that AXFR is secured, run the command:

# dig example.com @ns1.example.com. axfr

And you will see something like this:

; <<>> DiG 9.8.5-P1 <<>> example.com @ns1.example.com. axfr
;; global options: +cmd
; Transfer failed.
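A configuration-side check that complements the dig test in the answer, added here as an example and not part of the original post: a small Python linter (function and sample names are constructed) that walks the top-level acl and zone statements of a named.conf fragment and reports zones whose allow-transfer is missing, set to any, or refers to an ACL that was never defined. The embedded configuration is constructed and reuses the answer's xfer ACL.

```python
import re

# Constructed named.conf fragment (not from the original post): the answer's
# restricted master zone plus two zones a reviewer would want to catch.
SAMPLE_NAMED_CONF = """
acl "xfer" {
        10.1.1.2;
};
zone "example.com" IN {
        type master;
        file "/path/to/zone/file/example.com";
        allow-transfer { xfer; };
};
zone "internal.example" IN {
        type master;
};
zone "open.example" IN {
        type master;
        allow-transfer { any; };
};
"""

# Top-level acl/zone statements only; views and options-level defaults are not handled.
BLOCK_RE = re.compile(r'^(acl|zone)\s+"([^"]+)"[^{]*\{(.*?)^\};', re.S | re.M)
XFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')
ADDR_RE = re.compile(r'^(?=.*[\d.:])[0-9a-fA-F.:]+(/\d+)?$')  # IPv4/IPv6, optional prefix
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}

def audit_zone_transfers(conf):
    """Return {zone: problem} for zones whose AXFR policy is absent or too open."""
    blocks = BLOCK_RE.findall(conf)
    acls = {name for kind, name, _ in blocks if kind == "acl"}
    problems = {}
    for kind, zone, body in blocks:
        if kind != "zone" or re.search(r'type\s+(hint|forward)\s*;', body):
            continue  # hint/forward zones have nothing to transfer
        match = XFER_RE.search(body)
        if match is None:
            problems[zone] = "no allow-transfer; zone inherits the global default"
            continue
        entries = [e.strip().lstrip("!").strip() for e in match.group(1).split(";")]
        if "any" in entries:
            problems[zone] = "allow-transfer { any; } permits AXFR from everywhere"
            continue
        for entry in filter(None, entries):  # skip the empty tail after the last ';'
            if not (entry.startswith("key ") or entry in BUILTIN_ACLS
                    or ADDR_RE.match(entry) or entry in acls):
                problems[zone] = f"allow-transfer references undefined acl '{entry}'"
    return problems
```

Run it against a live file with `audit_zone_transfers(open("/etc/named.conf").read())`; on the sample it flags internal.example and open.example and passes example.com. Zones declared inside views, and a global allow-transfer under options, are outside what this parser reads and must be checked separately.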