lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: pauls at utdallas.edu (Paul Schmehl)
Subject: Re: Enumerating a DNS servers authoritative zones (was Question for
 DNS pros)

I'll take that as a "No."  :-)

Thanks for the info, Todd.

--On Friday, July 23, 2004 06:01:42 PM +0000 Bennett Todd <bet@...ul.net> 
wrote:

> [ enumerate domains for which a nameserver publishes authoritative
>   data ]
>
> Even if the nameserver _did_ allow zone transfers, you _still_
> couldn't enumerate its zones.
>
> Even if you "parsed all registration sites" you'd still be nowhere
> near there. Any subdomain at any depth can be delegated, by any
> nameserver. And a server can offer authoritative data even if nobody
> delegates it at 'em, this is sometimes a very useful technique, e.g.
> declaring SOA for a classfully-aligned superset of your real
> classless delegation in in-addr.arpa. And one of the more popular
> top-level zones, .com, is jealously guarded as a secret by the lucky
> bastards who stole it from the public domain, to prevent other folks
> from stepping in and doing a more responsible job of managing
> registry for the domain.
>
> The place where this question rises routinely is in DNS server sets.
> It's quite common within organizations to want to maintain sets of
> domains across some collection of more or less independent
> nameservers. DNS has a protocol within it, zone transfer, for
> replicating the contents of a zone; not the best-designed protocol,
> but occasionally useful. But as it has no mechanism for enumerating
> the zones that would need to be transferred, some out-of-band
> mechanism needs to be used to maintain the zone list; and once
> that's in place, many folks note that using common off-the-shelf
> components for replication works better than zone xfer even for the
> zone data.
>
> The one place zone xfer is handy is as a rendesvous point;
> nameservers with different native zone data formats can share zone
> xfer as a way to convert zones from one format to another.
>
> -Bennett



Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ