Summary: named[nnn]: unapproved AXFR

From: Janet Leung (jleung@usc.edu)
Date: Fri Jul 17 1998 - 13:29:10 CDT


Thanks to
---------
Reto Lichtensteiger <rali@meitca.com>
Bismark Espinoza <bismark@alta.jpl.nasa.gov>
Wales Wong <wawong@ouhk.edu.hk>
ahoerter@netcom.com
Patrick Gilbert <gilbert@SMTP.Mlink.NET>
"Tony C. Wu" <tonywu@life.nthu.edu.tw>
Magnus Bergman <trident@trisec.net>
Graham Leggett <graham@vwv.com>
"Alvaro Fdez. Lago" <alvaro.fdez@csgestio.cs.unicies.cesga.es>

Answers
-------
1. Only if you don't want other people to be able to do zone transfers of
   your domain files ... :-)
   Typically, zone transfers are between DNS servers, so someone's got
   themselves config'ed to be a secondary for one of the domains this
   server carries.
   It is also possible to do a zone transfer with dig or nslookup:
   % dig axfr <zone>
   % nslookup
> ls <zone>
   If the entry only shows once in the logs, it'll have been the latter,
   otherwise the former reason.

2. Host A.B.C.D is trying to download a zone map from a name server
   that may not be under his domain.
   Could be a security problem.

3. The name server on A.B.C.D are trying to perform a zone transfer
   for z.y.x.in-addr.arpa". You may have specified the
   "allow-transfer" option in your named.conf, and A.B.C.D is not on the
   list.

4. an "axfr" command causes your server to dump a complete zone file
   of the requested domain or subdomain. in this case, an access rule
   you defined refused the axfr request.

   what might this mean?
   a) someone is probing your network for possible hosts to penetrate
      or is looking for hosts which might be vulnerable to cookbook attacks
   b) someone is trying to debug a problem they're having with your
      network, and they want the zone file for some reason
   c) another dns server has been configured to be a secondary server
      for z.y.x.in-addr.arpa, and is trying to pull the zone file from
      your server, which isn't letting it
   d) a curious person wants to know more about your network, and is
      playing with nslookup or dig

5. A zone xfer is used by a secondary dns server to update missing
   information that might have been missing or is expired on a particular
   zone.
   Security wise, it proves useful to determine the internals of your
   network, the HINFO field comes to mind, also revealing host names of
   machines on your network like for example: linux01.usc.edu
   You can restrict axfr's in BIND 8.1.2. with the allow-transfer option.
   http://www.isc.org/bind8/options.html

6. It's ok. A.B.C.D. was trying to do zone transfer while it's not
   authorized to. Very likely that A.B.C.D. is some sort of robot that
   collects information to build up databases for search engines.
   by the way, bind-8.1.2 has been released.

7. It could be. Someone probably tried to dump your reverse-map.
   They didn't succeed but you might be intrested of scanning your logs
   for other entries from the same host.

8. Usually this is because you have configured your nameserver so
   that only approved hosts can do secondary zone transfers, and the
   IP address listed in the message tried to get a zone trasnefr from
   you, but failed because you haven't allowed it to.

9. Hi,That means someone tried to get a listing of your x.y.z subnet
   (the available PTRrecords, more precisely), via DNS zone-transfer
   mechanism; and your server is configured to allow zone transfers
   *only* from selected hosts. ("allow-query" directive)

Original Question
-----------------
Hi, gurus. I noticed the following in /var/adm/messages, and just
wondering if it's a cause of concern(security-wise):
        named[nnn]: unapproved AXFR from A.B.C.D 123 for
        "z.y.x.in-addr.arpa" (acl)
BTW, we are running verion 8.1.2-T3B of bind.
Thanks,
Janet Leung, ISD USC, Los Angeles, CA 90087



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:44 CDT