On 25 Apr 2024, at 14:23, Dan Cross
<crossd(a)gmail.com> wrote:
On Thu, Apr 25, 2024 at 4:47 AM Chris via 44net <44net(a)mailman.ampr.org> wrote:
[snip]
TBH I am not completely comfortable allowing zone transfers on our nameservers, I have
allowed it on one server because a few folks requested it, but I would like to work with
them to move to an alternative when convenient so I can turn it off again.
It is not best practice to allow zone transfers, even if (as I have done) it is
restricted to only 44Net source IPs. It leaves the name server open to DDoS attacks, and it
allows bad actors to get a full view of all hosts, thus increasing the attack vectors, i.e.
they have a better idea of which hosts to attack and what might be running on them.
There are better ways to get the information, i.e. via the Portal’s API, which is
authenticated, so we can be sure who is asking for the data.
While that level of caution is certainly appropriate for the public
Internet, I have a hard time believing it's warranted on AMPRNet
itself. Has anyone done an actual threat analysis for traffic
originating inside the network itself?
- Dan C.
I regularly play “whack-a-mole” with people trying to hijack our address space using BGP.
There have also been instances of bad gateways. The new portal has a bit more checking /
vetting, whereas on the old portal anyone could register and set up a gateway and steal
someone’s subnet, and it could take a few days or even weeks to be noticed. I also regularly
receive abuse reports, usually due to someone’s host on a 44 IP address having been
compromised and doing all sorts of nasty things!
So unfortunately, it does happen and security should be one of our top priorities.
Everyone is responsible for keeping their own systems secure; I am responsible for
ensuring ARDC’s servers are kept secure, which is why I am slightly nervous about
permitting zone transfers. I would prefer not to, so if anyone is currently doing zone
transfers, please contact me off list so we can discuss whether there is a better way of
achieving what you need.
I’m happy to give my time to work with you to achieve the best outcomes for all
concerned.
Thank you,
Chris - G1FEF
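The two zone-transfer settings discussed in the thread, side by side, as an added illustration that is not part of the original messages and not ARDC's actual configuration: a BIND named.conf fragment with transfers allowed by source address (the "restricted to 44Net source IPs" setup) next to one that only allows transfers to holders of a TSIG key. The zone name, key name, secret and server address are placeholders, the 44Net prefixes are assumed to be 44.0.0.0/9 and 44.128.0.0/10, and the nameserver is assumed to be BIND 9.16 or newer (older versions spell `primary` as `master`).

```conf
// Added example, not ARDC's configuration. Placeholders throughout.
// The two "44.example" stanzas are alternatives; a real named.conf
// would contain only one of them.

// Server-wide default: no zone transfers unless a zone says otherwise.
options {
    allow-transfer { none; };
};

// Assumed 44Net prefixes (44.0.0.0/9 and 44.128.0.0/10).
acl "amprnet" { 44.0.0.0/9; 44.128.0.0/10; };

// --- Weaker: any host with a 44Net source address can pull the whole zone,
// including the compromised 44 hosts that generate abuse reports. ---
zone "44.example" {
    type primary;
    file "/var/named/44.example.zone";
    allow-transfer { amprnet; };
};

// --- Stronger: only the named secondary, proving it holds the shared key.
// Generate the key with:  tsig-keygen ns2-transfer-key
// One key per secondary, so a leaked key can be revoked on its own. ---
key "ns2-transfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, never a real key
};

zone "44.example" {
    type primary;
    file "/var/named/44.example.zone";
    allow-transfer { key ns2-transfer-key; };   // address alone no longer suffices
    also-notify { 192.0.2.53; };                // placeholder secondary address
};
```

To check the result from a shell, `dig @ns1.example 44.example AXFR` run from a host without the key should end in `Transfer failed.`, while `dig -y hmac-sha256:ns2-transfer-key:<secret> @ns1.example 44.example AXFR` should return the zone. The caveat a practitioner will want: TSIG is a shared secret, so the key must be distributed out of band and rotated if a secondary is compromised, and the keyed form still serves the whole zone to whoever holds the key; it narrows the audience from "every 44Net address" to "the operators you have agreed with", which is the same who-is-asking property the Portal API is cited for in the thread.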