MLUG: RE: [MLUG] Cable modems working?

Yeah, but shouldn't that really be part of BIND itself?

Shannon Spurling
WAN Engineer -Specialist

MOREnet, Network Services, Core Network
3212 LeMone Industrial Blvd.
Columbia, MO 65201

Main:(573) 884-7200   Fax:(573)884-6673

EMAIL:PROTECTED
EMAIL:PROTECTED


-----Original Message-----
From: McNutt, Justin M. [mailto:EMAIL:PROTECTED]
Sent: Monday, December 03, 2001 9:22 AM
To: EMAIL:PROTECTED
Subject: RE: [MLUG] Cable modems working?


Actually, as far as the zone transfers are concerned, it can be automated.
One need only allow zone transfers to servers that have NS records.  NS
records can be found and added to named.conf automatically by a simple cron
job.

At least that's how I'm planning to do it, with the twist that one extra
name server will be added (which equates to a "short list" of one hard-coded
address).

--J

> -----Original Message-----
> 
> DNS poisoning has to be difficult. You would have to compromise a
> primary server, or forge messages from it in such a way as to allow you
> to appear as the primary source for the information.
> As for recon, the DNS directory is a public record. Think of it like the
> phone book. If you don't want to be bothered, don't be listed. That
> still wouldn't protect you from war dialing (scanning), but if you're
> worried about giving away information in the public record, don't list.
> There are services that won't work unless they can see your caller ID
> (DNS verification), but if you're unlisted you can't use them. If you
> think about it, the whole zone transfer limiting thing is a bit stupid.
> It's a lot of work to make them use the public phone book, instead of
> getting a copy from the phone company. The certificates are a different
> matter. That's a good idea in order to prevent poisoning by spoofing.
> Zone transfers are supposed to be unidirectional, and they should be
> logged (easy to do). On a large, very active name server, it's going to
> be practically impossible to maintain a list of servers allowed to do
> zone transfers manually. If this is a really serious problem, they
> should make BIND so that it only allows transfers to servers listed in
> the NS records by default. They haven't, so I'm guessing that it's not a
> big problem for them.
> 
> Shannon Spurling
> WAN Engineer -Specialist
> 
> MOREnet, Network Services, Core Network
> 3212 LeMone Industrial Blvd.
> Columbia, MO 65201
> 
> Main:(573) 884-7200   Fax:(573)884-6673
> 
> EMAIL:PROTECTED
> EMAIL:PROTECTED
> 
> 
> -----Original Message-----
> From: Brent Deterding [mailto:EMAIL:PROTECTED]
> Sent: Sunday, December 02, 2001 10:02 PM
> To: EMAIL:PROTECTED
> Subject: RE: [MLUG] Cable modems working?
> 
> 
> There's always DNS poisoning. It's nailed some high-profile places
> (Yankees, Hillary, etc.).
> 
> The real risk is reconnaissance, but recon is the name of the
> open-environment game such as a University
> 
> -- Brent
> 
> -----Original Message-----
> From: EMAIL:PROTECTED
> [mailto:EMAIL:PROTECTED]On Behalf Of McNutt, Justin M.
> Sent: Sunday, December 02, 2001 8:19 AM
> To: EMAIL:PROTECTED
> Subject: RE: [MLUG] Cable modems working?
> 
> 
> > I don't see why they wouldn't work.  I'm at U Minn, but Mizzou's DNS
> > server is working for me...
> >
> > # nslookup yahoo.com 128.206.2.252
> >
> > Server:  noc.missouri.edu
> > Address:  128.206.2.252
> >
> > Non-authoritative answer:
> > Name:    yahoo.com
> > Addresses:  216.115.108.245, 216.115.108.243
> >
> >
> > Are missouri.edu DNS servers configured so that they don't
> > work for @home?
> 
> No, at least not for the moment.
> 
> 128.206.2.252 will *always* work for looking up .missouri.edu, .mizzou.edu,
> and 206.128.in-addr.arpa.  That's its function.  There will soon be another
> server (probably 128.206.2.240) that does the same thing.
> 
> 128.206.10.3 will not be accessible from the outside by this summer.
> 150.199.1.11 (argus.more.net) will probably answer queries for you, but it
> will no longer be an authoritative source.
> 
> I've thought about having the 128.206.2.* name servers reject queries FROM
> outside hosts FOR outside names, but I don't yet think it's worth the
> trouble.  While I don't necessarily like the idea of providing name service
> for potentially any host on the Internet ("there's a *lot* of Internet," as
> my boss says), we don't *currently* have that much of a load problem on
> 128.206.2.252, and that load will only decrease with some of the changes I
> have planned for the near future.
> 
> --J
> --
> To unsubscribe, go to http://mlug.missouri.edu/members/edit.php
> 
> Archives are available at http://mlug.missouri.edu/list-archives/
> 
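
The cron-job approach described in the quoted 9:22 AM message (allow zone transfers only to hosts named in NS records, plus one hard-coded extra server), sketched as an added example that is not code from the thread or from BIND. The zone data, the addresses, the ACL name `xfer-ns` and the `resolve` hook are assumptions; the output is a named.conf `acl` statement to be referenced from `allow-transfer`.

```python
import ipaddress

# Constructed sample zone data (documentation names and addresses).
ZONE = """\
$ORIGIN example.edu.
@       IN SOA ns1 hostmaster 2001120301 3600 900 604800 3600
@       IN NS  ns1
@       IN NS  ns2.example.edu.
@       IN NS  ns.offsite.example.net.
ns1     IN A   192.0.2.53
ns2     IN A   192.0.2.54
www     IN A   192.0.2.80
"""

EXTRA = ["198.51.100.7"]   # the hard-coded "short list" of one (assumed address)

def fqdn(name, origin):
    """Expand a zone-file name to a lower-case absolute name."""
    if name == "@":
        return origin
    return (name if name.endswith(".") else f"{name}.{origin}").lower()

def parse(zone_text):
    """Return (apex NS targets, {name: [A addresses]}) from one-line records."""
    origin, ns, a = ".", [], {}
    for line in zone_text.splitlines():
        f = line.split(";")[0].split()          # drop comments, split fields
        if not f:
            continue
        if f[0] == "$ORIGIN":
            origin = f[1].lower()
        elif "NS" in f[1:] and fqdn(f[0], origin) == origin:
            ns.append(fqdn(f[-1], origin))
        elif "A" in f[1:]:
            a.setdefault(fqdn(f[0], origin), []).append(f[-1])
    return ns, a

def build_acl(zone_text, extra=EXTRA, resolve=None, name="xfer-ns"):
    """Build a named.conf acl from NS targets; raise if any target has no address."""
    ns, a = parse(zone_text)
    addrs = set(extra)
    for target in ns:
        # In-zone A records first; out-of-zone targets need the resolver hook.
        found = a.get(target) or (resolve(target) if resolve else [])
        if not found:
            raise LookupError(f"no address for NS {target}; keep the old ACL")
        addrs.update(found)
    ordered = sorted(addrs, key=ipaddress.ip_address)   # also validates each address
    return f'acl "{name}" {{ ' + " ".join(f"{x};" for x in ordered) + " };"
```

A cron wrapper would write the returned text to a file included from named.conf and reload named only when that text changed. Because `build_acl` raises when an NS target cannot be resolved, a failed lookup leaves the previous ACL in place instead of silently dropping a secondary.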