On 25 Apr 2024, at 14:23, Dan Cross crossd@gmail.com wrote:
On Thu, Apr 25, 2024 at 4:47 AM Chris via 44net 44net@mailman.ampr.org wrote:
[snip] TBH I am not completely comfortable allowing zone transfers on our nameservers, I have allowed it on one server because a few folks requested it, but I would like to work with them to move to an alternative when convenient so I can turn it off again.
It is not best practice to allow zone transfers, even if (as I have done) it is restricted to only 44Net source IPs. It leaves the name server open to DDoS attacks, and it allows bad actors to get a full view of all hosts, thus increasing the attack vectors, i.e. they have a better idea of which hosts to attack and what might be running on them.
There are better ways to get the information, i.e. via the Portal’s API that is authenticated and therefore we can be sure who is asking for the data.
While that level of caution is certainly appropriate for the public Internet, I have a hard time believing it's warranted on AMPRNet itself. Has anyone done an actual threat analysis for traffic originating inside the network itself?
- Dan C.
I regularly play “whack-a-mole” with people trying to hijack our address space using BGP. There have also been instances of bad gateways; the new portal has a bit more checking / vetting, whereas on the old portal anyone could register and set up a gateway and steal someone’s subnet, and it could take a few days or even weeks to be noticed. I also regularly receive abuse reports, usually due to someone’s host on a 44 IP address having been compromised and doing all sorts of nasty things!
So unfortunately, it does happen, and security should be one of our top priorities. Everyone is responsible for keeping their own systems secure; I am responsible for ensuring ARDC’s servers are kept secure, which is why I am slightly nervous about permitting zone transfers. I would prefer not to, so if anyone is currently doing zone transfers, please contact me off list so we can discuss whether there is a better way of achieving what you need.
I’m happy to give my time to work with you to achieve the best outcomes for all concerned.
Thank you, Chris - G1FEF
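As an added example (not part of the original thread, and not ARDC's configuration), here is a small Python audit an operator can run over their own BIND-style named.conf to see, per zone, whether zone transfers are disabled, restricted to TSIG keys, or open to listed addresses and ACLs. The sample configuration, zone names, ACL name and key name are constructed; the parsing rule that a block ends at a `};` in column 0, and the assumption that a zone with no `allow-transfer` anywhere falls back to "any", are simplifications of real BIND syntax and defaults.

```python
import re

# Constructed sample named.conf fragment for the audit (not a real server's config).
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    allow-transfer { none; };
};

acl "ampr-net" { 44.0.0.0/9; 44.128.0.0/10; };

zone "ampr.org" {
    type master;
    file "db.ampr.org";
    allow-transfer { ampr-net; };
};

zone "example.net" {
    type master;
    file "db.example.net";
};

zone "tsig.example" {
    type master;
    file "db.tsig.example";
    allow-transfer { key "xfer-key"; };
};

zone "secondary-ok.example" {
    type master;
    file "db.secondary-ok";
    allow-transfer { key "xfer-key"; 192.0.2.10; };
};
"""

# Simplified block matching: a top-level block ends at the first "};" in column 0.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*(?:IN\s+)?\{(.*?)\n\};', re.S)
OPTIONS_RE = re.compile(r'options\s*\{(.*?)\n\};', re.S)
XFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\};')


def parse_transfer_acl(block_text):
    """Return the allow-transfer entries of a block as a list, or None if unset."""
    m = XFER_RE.search(block_text)
    if not m:
        return None
    return [entry.strip() for entry in m.group(1).split(';') if entry.strip()]


def classify(acl):
    """Map an allow-transfer entry list to a short verdict string."""
    if acl == ["none"]:
        return "disabled"
    if all(entry.startswith("key ") for entry in acl):
        return "tsig-only"          # transfers only to holders of a named key
    return "open-to:" + ",".join(acl)  # address/ACL based, e.g. a source-IP range


def audit_zone_transfers(conf_text):
    """Return {zone name: verdict}, applying the options{} default to zones that set nothing."""
    opts = OPTIONS_RE.search(conf_text)
    default_acl = parse_transfer_acl(opts.group(1)) if opts else None
    if default_acl is None:
        default_acl = ["any"]  # assumption: no setting anywhere means transfers are unrestricted
    findings = {}
    for name, body in ZONE_RE.findall(conf_text):
        acl = parse_transfer_acl(body)
        findings[name] = classify(acl if acl is not None else default_acl)
    return findings


def zones_needing_review(conf_text):
    """Zones whose transfers are neither disabled nor limited to TSIG-keyed peers."""
    findings = audit_zone_transfers(conf_text)
    return sorted(z for z, v in findings.items() if v not in ("disabled", "tsig-only"))


if __name__ == "__main__":
    for zone, verdict in audit_zone_transfers(SAMPLE_NAMED_CONF).items():
        print(f"{zone:28} {verdict}")
    print("review:", zones_needing_review(SAMPLE_NAMED_CONF))
```

The audit treats a source-IP restriction such as the constructed `ampr-net` ACL as still worth review, matching the point made above that limiting AXFR to 44Net addresses does not by itself make it safe, while a zone whose only permitted transferees are TSIG key holders is reported separately.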