RE: [cobalt-users] DNS Zone Transfers permitted - FOLLOWUP & SOLUTION
- Subject: RE: [cobalt-users] DNS Zone Transfers permitted - FOLLOWUP & SOLUTION
- From: "Rick Ewart" <cobalt@xxxxxxxxx>
- Date: Wed Mar 5 05:59:01 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> Well, I just came to a realization that my DNS servers appear to be
> permitting zone transfers out to the free world, and I am not sure what to
> do about it.... I am running 8.3.4REL of named, compiled and installed
> according to Gerald's instructions.
>
> I started with the GUI, and noted that only my secondary DNS is listed to
> permit transfers. Then did a bit of research and saw that the "allow-transfer"
> directive is used in named.conf to restrict domains. I checked
> mine and it does have a directive that corresponds with my secondary:
> options {
>     directory "/etc/named";
>     allow-transfer { 216.219.239.8 };
> };
> zone "." { type hint; file "db.cache"; };
>
I figured I would respond for the archives with what I found...
1) Brent pointed out that I was missing a final ; after the IP address
above. It should be:
allow-transfer { 216.219.239.8; };
That fixed it for the time being, once I restarted BIND:
/etc/rc.d/init.d/named restart
As you might expect however, changes via the GUI will undo this in the
future. Also, if you watch your logs, you will see an error message
about a syntax error in named.conf whenever you restart the server or
BIND.
2) Stephanie contacted me offlist and provided some more information. It
appears to be a [possible] bug with Cobalt DNS? The problem she
encountered was from Stauber's package and mine was using Gerald's
instructions. Conclusion: it's a difference in the update source/Cobalt's
GUI, not something Michael or Gerald did. Michael Stauber worked with
her and determined that what you need to change to keep it from
happening again is:
in /usr/admserv/cgi-bin/.cobalt/dns/index.cgi search for "allow-" and get to
the following line:
    print NAMEDCONF "\tallow-transfer { $axs };\n";
change it to be the following (add one ";"):
    print NAMEDCONF "\tallow-transfer { $axs; };\n";
That will keep the GUI from overwriting your nicely fixed configuration file
and breaking transfer restrictions.
Of course, Stephanie also pointed out that it's possible that we will
need to make the change again if a subsequent Sun update replaces the file we
edited above in the GUI, so add this to the list of anomalies to test
for after updates, and keep these directions handy.
Thanks to Brent and Stephanie for help on this (as well as Gerald who
tried to help before). Also, kudos to Michael, Gerald and all the folks
out there who are cranking out this stuff to cover our butts. If you are
ever in the Fort Lauderdale area, look me up - I am buying the beer.
Rick
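The failure mode in this thread is worth automating: a single missing ";" inside the allow-transfer address list turns a restriction into a syntax error, and while the line is malformed the post reports that transfers stayed open. The script below is an added example, not code from the original post, from Sun/Cobalt, or from any of the people named in it. It parses the allow-* address lists in a named.conf fragment, reports elements that are not terminated by ";" (the exact defect above, plus the related case of two addresses with no ";" between them), classifies the resulting transfer policy, and emits a corrected stanza. The named.conf fragments embedded in it are constructed samples modelled on the one quoted above; the function names, the DIRECTIVE_RE pattern and the four status labels are this example's own choices, not anything BIND or the Cobalt GUI defines.

```python
import re

# Constructed sample named.conf fragments (not copied from any real server).
# BROKEN_CONF reproduces the defect from the thread: no ';' after the address.
BROKEN_CONF = """options {
\tdirectory "/etc/named";
\tallow-transfer { 216.219.239.8 };
};
zone "." { type hint; file "db.cache"; };
"""

OPEN_CONF = """options {
\tdirectory "/etc/named";
\tallow-transfer { any; };
};
"""

# Matches an allow-* directive and captures the body of its address_match_list.
# Trailing ';' after the closing brace is optional so a missing one is still found.
DIRECTIVE_RE = re.compile(
    r'\b(allow-(?:transfer|query|recursion|update))\s*\{([^}]*)\}[ \t]*;?'
)


def parse_address_list(body):
    """Split the inside of '{ ... }' into elements and collect syntax problems.

    BIND requires every element of an address_match_list to end in ';'.
    Splitting on ';' therefore leaves a final segment that must be blank; any
    token left in it was never terminated. More than one token before a ';'
    means the earlier tokens lacked their own terminator.
    """
    elements, problems = [], []
    segments = body.split(';')
    for seg in segments[:-1]:
        toks = seg.split()
        if len(toks) > 1:
            problems.append("missing ';' between elements: " + ' '.join(toks))
        elements.extend(toks)
    tail = segments[-1].split()
    if tail:
        problems.append("element not terminated by ';': " + ' '.join(tail))
        elements.extend(tail)
    return elements, problems


def fix_address_list(body):
    """Return the list body with every element properly terminated."""
    elements, _ = parse_address_list(body)
    return ' '.join(e + ';' for e in elements)


def audit(conf_text):
    """Map each allow-* directive found to (elements, problems)."""
    return {m.group(1): parse_address_list(m.group(2))
            for m in DIRECTIVE_RE.finditer(conf_text)}


def transfer_policy(conf_text):
    """Classify allow-transfer as one of (labels chosen for this example):
    'missing'    - no directive at all, so BIND's default (anyone may AXFR) applies
    'malformed'  - syntax error; the thread reports transfers stayed open in this state
    'open'       - explicitly allows 'any'
    'restricted' - well-formed list of specific addresses/ACLs
    """
    found = audit(conf_text).get('allow-transfer')
    if found is None:
        return 'missing'
    elements, problems = found
    if problems:
        return 'malformed'
    if 'any' in elements:
        return 'open'
    return 'restricted'


def fix_conf(conf_text):
    """Rewrite every allow-* list so each element ends in ';' and the
    directive itself is terminated, leaving the rest of the file untouched."""
    def repl(m):
        return "%s { %s };" % (m.group(1), fix_address_list(m.group(2)))
    return DIRECTIVE_RE.sub(repl, conf_text)


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("open", OPEN_CONF)):
        print(name, "->", transfer_policy(conf), audit(conf))
    print(fix_conf(BROKEN_CONF))
```

Run it against /etc/named.conf after every GUI save or Sun update, since, as the thread notes, either one can reintroduce the bad line. The script only checks syntax on disk; to confirm the running server actually refuses, request a transfer from a host that is not in the list (for example `dig @your-nameserver your-zone axfr` from outside) and verify that it is refused rather than returning the zone.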