Denying AXFR

Wesley Griffin wgriffin at sparta.com
Mon Feb 14 19:36:45 UTC 2005


I'm trying to get NSD to deny AXFRs for the zones it's serving. I'm compiling
--with-libwrap (although I think that's unnecessary as it looks like the
default is to go ahead and link with libwrap). This is with 2.2.0.

Anyway, I've tried a number of different combinations in /etc/hosts.allow
(and /etc/hosts.deny, although from reading hosts_options(5) on FreeBSD it
looks like hosts.deny has been deprecated) and I cannot get NSD to refuse
AXFRs.

Here is what I've tried:

/etc/hosts.allow:
axfr : ALL : deny

/etc/hosts.allow:
axfr-netsec.tislabs.com. : ALL : deny
axfr : ALL : deny

/etc/hosts.allow:
axfr : 127.0.0.1 : deny
axfr-netsec.tislabs.com. : ALL : deny
axfr : ALL : deny

None of which cause NSD to refuse AXFR from my localhost.
    % dig @localhost netsec.tislabs.com. Axfr

I've also tried using /etc/hosts.deny per a 2003 message on this list:

/etc/hosts.deny:
axfr : ALL : deny

/etc/hosts.deny:
axfr-netsec.tislabs.com. : ALL : deny
axfr : ALL : deny

But nothing works. Anybody have a working example of denying all AXFRs?
-- 
Wesley Griffin <wgriffin at sparta.com>
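Added example, not NSD's or tcp_wrappers' own code: a small model of the hosts_access(5)/hosts_options(5) evaluation order, fed the post's third hosts.allow. It assumes NSD hands libwrap the daemon names the post uses ("axfr" for any zone, "axfr-<zone>" for one zone); under those semantics each listed entry already refuses the localhost transfer, so a mismatch with what the server actually does points at the libwrap check not running or using a different daemon name rather than at the rule syntax.

```python
# Model of tcp_wrappers hosts_access(5)/hosts_options(5) matching (assumption:
# NSD presents the daemon names "axfr" / "axfr-<zone>" to libwrap, as the post uses).

def parse_rules(text):
    """Parse 'daemons : clients [: option ...]' lines into (daemons, clients, options)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        clients = fields[1].split() if len(fields) > 1 else ["ALL"]
        rules.append((fields[0].split(), clients, fields[2:]))
    return rules

def _client_matches(pattern, client):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):   # ".example.com" matches host names under it
        return client.lower().endswith(pattern.lower())
    if pattern.endswith("."):     # "10.1." matches an address prefix
        return client.startswith(pattern)
    return pattern.lower() == client.lower()

def _rule_matches(rule, daemon, client):
    daemons, clients, _ = rule
    daemon_ok = any(d == "ALL" or d.lower() == daemon.lower() for d in daemons)
    return daemon_ok and any(_client_matches(c, client) for c in clients)

def hosts_access(allow_text, deny_text, daemon, client):
    """True if allowed: hosts.allow is searched first and its first match wins
    (a 'deny' option inverts it), then hosts.deny (an 'allow' option inverts
    it); no match anywhere means allow. EXCEPT lists are not modelled."""
    for rule in parse_rules(allow_text):
        if _rule_matches(rule, daemon, client):
            return "deny" not in rule[2]
    for rule in parse_rules(deny_text):
        if _rule_matches(rule, daemon, client):
            return "allow" in rule[2]
    return True

# The post's third hosts.allow attempt, reproduced here as constructed input.
HOSTS_ALLOW = """axfr : 127.0.0.1 : deny
axfr-netsec.tislabs.com. : ALL : deny
axfr : ALL : deny
"""
```

Calling `hosts_access(HOSTS_ALLOW, "", "axfr", "127.0.0.1")` returns False, i.e. the first entry alone is enough to refuse the localhost query, so no further entries change the outcome.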