≡ Menu

block bind axfr transfer

Restricting zone transfers with IP addresses in BIND DNS Server

DNS server can be attacked using various techniques such as

[a] DNS spoofing

[b] Cache poisoning

[c] Registration hijacking

One of the simplest ways to defend is limit zone transfers between nameservers by defining ACL. I see many admin allows BIND to transfer zones in bulk outside their network or organization. There is no need to do this. Remember you don't have to make an attacker's life easier.

How to restrict zone trasfer with IP address?

You need to define ACL in /etc/named.conf file. Let us say IP and are allowed to transfer your zones.
# vi named.conf
Here is sample entery for domain nixcraft.com (ns1 configuration):

acl trusted-servers  {;  //ns2;   //ns3
zone nixcraft.com  {
        type master;
        file "zones/nixcraft.com";
        allow-transfer { trusted-servers; };

Next add zone nixcraft.com. Please note that you must use set of hosts later in each zone's configuration block i.e. put line allow-transfer { trusted-servers; }; for each zone / domain name. Restart named:
# /etc/init.d/named restart

How do I test zone transfers restrictions are working or not?

Use any UNIX dns tool command such as nslookup, host or dig. For example, following example uses host command to request zone transfer:
$ host -T axfr nixcraft.com

;; Connection to for axfr failed: connection refused.

Transaction signatures (TSIG)

Another recommend option is to use transaction signatures (TSIG) to authorize zone transfers. This makes more difficult to spoof IP addresses.