On Thu, Apr 25, 2024 at 4:47 AM Chris via 44net <44net(a)mailman.ampr.org> wrote:
[snip]
TBH I am not completely comfortable allowing zone transfers on our nameservers; I have
allowed it on one server because a few folks requested it, but I would like to work with
them to move to an alternative when convenient so I can turn it off again.
It is not best practice to allow zone transfers, even if (as I have done) it is
restricted to only 44Net source IPs. It leaves the name server open to DDOS attacks, it
allows bad actors to get a full view of all hosts thus increasing the attack vectors, i.e.
they have a better idea of which hosts to attack and what might be running on them.
There are better ways to get the information, i.e. via the Portal’s API that is
authenticated and therefore we can be sure who is asking for the data.
While that level of caution is certainly appropriate for the public
Internet, I have a hard time believing it's warranted on AMPRNet
itself. Has anyone done an actual threat analysis for traffic
originating inside the network itself?
- Dan C.
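The three postures discussed in this exchange (transfers open to anyone, transfers restricted to 44Net source addresses as Chris has done on one server, and transfers switched off except for keyed secondaries) side by side as a BIND named.conf fragment. This is an added illustration, not configuration from the list or from the AMPRNet nameservers; the ACL name, the key name and the address ranges are placeholders, and the key secret is a dummy value.

```conf
// Placeholder ACL for the 44Net address space (constructed; substitute the real ranges).
acl "ampr-net" {
    44.0.0.0/9;        // placeholder range
    44.128.0.0/10;     // placeholder range
};

// TSIG key shared with the authorised secondary (placeholder name and dummy secret).
key "secondary-xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET==";
};

options {
    // Weak default: any client on any network can pull the whole zone.
    // allow-transfer { any; };

    // What the quoted message describes: AXFR limited to 44Net source IPs.
    // Still exposes the full host list to every host inside that range,
    // and the server still answers transfer requests that can be abused for load.
    // allow-transfer { ampr-net; };

    // Conservative default: no transfers unless a zone says otherwise.
    allow-transfer { none; };
};

zone "example.ampr.org" {          // placeholder zone name
    type primary;
    file "example.ampr.org.zone";
    // Only a client presenting the shared TSIG key may transfer this zone;
    // unsigned requests from any address, inside or outside 44Net, are refused.
    allow-transfer { key "secondary-xfer-key"; };
    also-notify { 192.0.2.53; };    // documentation-range placeholder for the secondary
};
```

Moving from the second posture to the third keeps the secondaries working while closing the "anyone inside the network can enumerate every host" path Chris is worried about, which is the part of the risk that Dan's question about an internal threat analysis would have to weigh.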