
Re: [cobalt-security] approved AXFR



Stick on a DNS ACL to stop zone transfers, except to your named secondaries, i.e.

options {
        directory "/etc/named";
        // only these hosts may pull zones; each entry in the list ends with a semicolon
        allow-transfer {
                // ???.??.????????.net
                C.D.197.133;
                // ??.????????.com
                A.B.202.244;
        };
        version "......";
};

----- Original Message -----
From: "Achieve Website Design" <info@xxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Monday, January 28, 2002 1:06 PM
Subject: [cobalt-security] approved AXFR


> Hello,
> A few weeks ago I sent an email to this group enquiring about "approved
> AXFR". I received a couple of replies which basically told me not to
> worry. However, I have again received a report from Logcheck (see below).
> Interestingly, I received a similar report for my only other dot ie (Ireland)
> domain 2 hours later. Nothing like this for any of my dot com domains. I
> sent the Irish Registry an email - please see their reply below. I would
> be grateful if anybody could shed some extra light on this.
>
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
> Jan 26 19:19:23 ns named[420]: approved AXFR from [202.54.50.211].3720 for "gregans.ie"
> Jan 26 19:19:23 ns named[420]: zone transfer (AXFR) of "gregans.ie" (IN) to [202.54.50.211].3720
>
> Declan,
>
> Your log messages mean that someone, likely in the Bombay area of
> India, has helped himself to a copy of the zone file for each of these
> domains.
>
> Many domain administrators block zone transfer except from slave servers
> and from servers belonging to recognized statistical projects.  I expect
> you can do this with a simple directive in your name server
> configuration.  This is certainly the case for BIND.
>
> If you are inclined to view this access as abuse, the following
> information from the APNIC whois server will probably be of use.  APNIC
> administer the allocation of IP addresses in the Asia-Pacific region,
> just as the RIPE-NCC does in the extended European region.  You will see
> that the address mentioned in your logs belongs to the range shown
> below.
>
> [whois.apnic.net]
>
> % Rights restricted by copyright. See
> http://www.apnic.net/db/dbcopyright.html
> % (whois6.apnic.net)
>
> inetnum:     202.54.50.0 - 202.54.50.255
> netname:     VSNL-NAGPUR
> descr:       Nagpur Internet Node
> country:     IN
> admin-c:     NS1-IN
> tech-c:      NS1-IN
> mnt-by:      VSNL-MAINT
> changed:     gpsingh@xxxxxxxxxxxxxxxxxxxx 971219
> source:      APNIC
>
> person:      NEERAJ SONKER
> address:     VIDESH SANCHAR NIGAM LTD.
> address:     VIDESH SANCHAR BHAWAN, M.G.ROAD, FORT, BOMBAY 400 001
> phone:       +91 22 2624020 ext 2167
> fax-no:      +91 22 2624070
> e-mail:      neeraj@xxxxxxxxxxxxxxxxxxxx
> nic-hdl:     NS1-IN
> notify:      neeraj@xxxxxxxxxxxxxxxxxxxx
> changed:     neeraj@xxxxxxxxxxxxxxxxxxxx 951117
> source:      APNIC
>
> One recognized statistical project for which I would recommend you
> allow zone transfer is the RIPE hostcount, a monthly count of all the
> systems on the Internet in the RIPE area.  For this purpose,
> ie-collector.hostcount.ripe.net (193.1.193.194) will need access to your
> zone file.
>
> I notice that your two servers for gregans.ie appear to be on the
> same IP subnet:
>
> ns2.achieve-it.com.     0S IN A         212.67.197.39
> ns.achieve-it.com.      0S IN A         212.67.197.38
>
> This arrangement means that the domain has a single point of failure
> in the network equipment which connects this network.  You may wish to
> review your placement of the DNS servers.
>
> Copying of the zone file has no direct bearing on mail system performance.
>
> At 14:15 +0000 27-01-2002, Achieve Website Design wrote:
> >Hello,
> >I have a co-located Raq4 server, located in the UK, from which I host
> >approx. 50 sites. Two of these sites have dot ie extensions, gregans.ie &
> >flowersbylucy.ie. My server sends me log reports every hour, and I have
> >just noticed the report below. I have nothing to do with the address
> >202.54.50.211. I also got this report in a later report, reporting the
> >same for flowersbylucy.ie. This happened before, a few weeks ago, but I
> >didn't take too much notice as everything else seemed to be O.K.  I have
> >never received such a report for any of the dot com/net domains which I
> >have hosted on my server.
> >
> >However, last week, email which I was sending to gregans.ie was
> >disappearing and as such I am wondering if the report below could be the
> >problem.
> >
> >Unusual System Events
> >=-=-=-=-=-=-=-=-=-=-=
> >Jan 26 19:19:23 ns named[420]: approved AXFR from [202.54.50.211].3720 for "gregans.ie"
> >Jan 26 19:19:23 ns named[420]: zone transfer (AXFR) of "gregans.ie" (IN) to [202.54.50.211].3720
> >
> >Regards,
> >Declan Connolly.
> >
> >Achieve Website Design
> >Cartron Road
> >Kinvara
> >Co. Galway.
> >tel. 091 637500
>
>
> --
> Best regards,
>
> Niall O'Reilly PSTN: +353 (0)1 230 0797
> Technical Manager, IE Domain Registry Ltd GSM: +353 (0)87 221 0237
>
> The IE Domain Registry wishes you a happy and successful year in 2002.
>
>
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
>
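Added example (editor's code, not part of the thread or of any poster's setup): a small Python check that does two things the thread describes by hand. It parses "approved AXFR" lines of the shape Logcheck reported and flags any transfer whose requester is not an allowed peer, and it renders the matching BIND allow-transfer stanza from that same peer list. The allow list is an assumption built from addresses mentioned in the thread (the two achieve-it.com name servers and the RIPE hostcount collector); the sample log is constructed from the two quoted lines plus three invented lines of the same format.

```python
import ipaddress
import re

# Constructed sample input: the two Logcheck lines quoted in the thread, plus
# three made-up lines of the same shape (transfers to the domain's own
# secondary and to the RIPE hostcount collector) so the check has both
# legitimate and unwanted transfers to classify.
SAMPLE_LOG = """\
Jan 26 19:19:23 ns named[420]: approved AXFR from [202.54.50.211].3720 for "gregans.ie"
Jan 26 19:19:23 ns named[420]: zone transfer (AXFR) of "gregans.ie" (IN) to [202.54.50.211].3720
Jan 26 19:20:01 ns named[420]: approved AXFR from [212.67.197.39].1042 for "gregans.ie"
Jan 26 19:20:01 ns named[420]: zone transfer (AXFR) of "gregans.ie" (IN) to [212.67.197.39].1042
Jan 26 20:00:00 ns named[420]: approved AXFR from [193.1.193.194].2233 for "flowersbylucy.ie"
"""

# Assumed allow list: the two name servers and the RIPE collector address
# named in the thread. In production this comes from your own inventory;
# values may be single addresses or CIDR prefixes.
ALLOWED_TRANSFER = {
    "ns.achieve-it.com": "212.67.197.38",
    "ns2.achieve-it.com": "212.67.197.39",
    "ie-collector.hostcount.ripe.net": "193.1.193.194",
}

# Only the "approved AXFR" line carries requester, port and zone together;
# the following "zone transfer (AXFR) of" line is deliberately not matched,
# so each transfer is counted once.
APPROVED_RE = re.compile(
    r'named\[\d+\]: approved AXFR from \[(?P<ip>[0-9a-fA-F.:]+)\]\.(?P<port>\d+)'
    r' for "(?P<zone>[^"]+)"'
)


def parse_approved_axfr(log_text):
    """Return (ip, port, zone) for every approved zone transfer in the log."""
    found = []
    for line in log_text.splitlines():
        m = APPROVED_RE.search(line)
        if m:
            found.append((m.group("ip"), int(m.group("port")), m.group("zone")))
    return found


def unauthorized_transfers(log_text, allowed=ALLOWED_TRANSFER):
    """Approved transfers whose requester is outside every allowed host/prefix."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed.values()]
    bad = []
    for ip, port, zone in parse_approved_axfr(log_text):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            bad.append((ip, zone))
    return bad


def bind_allow_transfer(allowed=ALLOWED_TRANSFER):
    """Render an allow-transfer stanza for named.conf from the allow list.

    Every element of a BIND address_match_list ends with a semicolon; a single
    host is written as a bare address, a prefix as address/len.
    """
    lines = ["allow-transfer {"]
    for label, addr in allowed.items():
        net = ipaddress.ip_network(addr, strict=False)
        entry = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        lines.append(f"        // {label}")
        lines.append(f"        {entry};")
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, zone in unauthorized_transfers(SAMPLE_LOG):
        print(f"zone {zone} pulled by {ip}, which is not an allowed secondary")
    print(bind_allow_transfer())
```

Run against the sample, the only flagged transfer is 202.54.50.211 pulling gregans.ie, which is the event the thread is about. Two caveats: "approved" in these lines means named's current ACL accepted the request, so with no allow-transfer set (the default in the BIND version that produced this format) every requester is "approved" and the log check is only a stopgap until the ACL is in place; and the regex matches the BIND 8 wording quoted in the thread, whereas BIND 9 logs transfers as "client a.b.c.d#port: transfer of 'zone/IN': AXFR started", so the pattern needs changing for newer servers.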