
I recently failed a PCI compliance scan because of the following:

This DNS server allows unrestricted zone transfers. Attackers may be able to use this information to gain knowledge on the structure of your networks to aid in device discovery prior to an actual attack.

And the suggested solution is as follows:

Reconfigure this DNS server to restrict zone transfers to specific authorized servers only.

I am running a dedicated Linux CentOS server.

My understanding is that I have to edit the /etc/named.conf file, which I have done, and the relevant part is as follows:

options {
    acl "trusted" {
        127.0.0.1;
        xxx.xxx.xxx.001; //this is one of the server's ip's
        xxx.xxx.xxx.002; //this is another server's ip
    };

    allow-recursion {
        trusted;
    };
    allow-notify {
        trusted;
    };
    allow-transfer {
        trusted;
    };
};

I then restarted the named service (`/etc/rc.d/init.d/named restart`) and requested a re-scan, which failed again for the same reason.

Am I missing something obvious here?

JonoB
  • OK, I think I may have found the problem: the acl{} tab should not be under options, but its own tab. Resubmitting for scan... let's hope – JonoB Nov 26 '11 at 23:59
    You can try to initiate a zone transfer from different hosts using `dig -tAXFR @your_nameserver example.com` or `nslookup` and the `ls example.com` command. You will see yourself when they are allowed. – nrolans Nov 27 '11 at 00:36

1 Answer


Check the rest of your config file (which you did not post here) to make sure that allow-transfer is not being overridden by the zone configuration in question.

Per von Zweigbergk
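The two things this thread turns on, the acl {} block nested inside options {} in the question and the zone-level allow-transfer override the answer asks about, can both be checked mechanically before restarting named. The script below is an added example and is not code from the original question, comments or answer: it embeds a constructed copy of the poster's layout next to a corrected one (addresses and zone names are made up), lints each for both mistakes, and wraps the dig-based AXFR test from the comments in a function that is only run if you set the hypothetical NS and ZONE variables.

```shell
#!/bin/sh
# Added example, not code from the original thread. Lints a BIND named.conf
# for the two problems raised on this page: an acl {} block nested inside
# options {} (the poster's layout), and a zone-level allow-transfer { any; }
# that overrides the global one (the answer's point). Config text and
# addresses are constructed inline; nothing is read from /etc.

# Constructed copy of the poster's layout: acl nested inside options (invalid),
# plus a zone that re-opens transfers to everyone.
BROKEN_CONF='
options {
    acl "trusted" {
        127.0.0.1;
        192.0.2.1;
    };
    allow-transfer { trusted; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { any; };
};
'

# Corrected layout: acl at top level, allow-transfer limited to the ACL, and
# no zone-level allow-transfer that would widen it again.
FIXED_CONF='
acl "trusted" {
    127.0.0.1;
    192.0.2.1;
};
options {
    allow-transfer { trusted; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
};
'

# Returns 0 if an acl statement appears while inside options { ... }.
# Tracks brace depth line by line; assumes no braces inside quoted strings.
has_acl_inside_options() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*options[[:space:]]*[{]/ { in_opts = 1; depth = 0 }
        in_opts && /^[[:space:]]*acl[[:space:]]/ { found = 1 }
        {
            opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}")
            if (in_opts) { depth += opens - closes; if (depth <= 0) in_opts = 0 }
        }
        END { if (found) exit 0; exit 1 }'
}

# Prints the name of each zone whose own allow-transfer list contains "any";
# such a zone statement overrides the global allow-transfer in options.
zones_allowing_any_transfer() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*zone[[:space:]]+"[^"]+"/ {
            match($0, /"[^"]+"/)
            zone = substr($0, RSTART + 1, RLENGTH - 2); in_zone = 1; depth = 0
        }
        in_zone && /allow-transfer/ {
            body = $0
            sub(/.*allow-transfer[[:space:]]*[{]/, "", body)   # keep the list body
            sub(/[}].*/, "", body)
            gsub(/;/, " ", body)
            n = split(body, tok)
            for (i = 1; i <= n; i++) if (tok[i] == "any") print zone
        }
        {
            opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}")
            if (in_zone) { depth += opens - closes; if (depth <= 0) in_zone = 0 }
        }'
}

# Live check from a host that should NOT be allowed (needs dig and network):
# returns 0 if the server handed the zone over, 1 if the transfer was refused.
axfr_allowed() {   # axfr_allowed NAMESERVER ZONE
    dig @"$1" "$2" AXFR +noall +answer | grep -q '[[:space:]]SOA[[:space:]]'
}

# Demonstration on the constructed configs.
if has_acl_inside_options "$BROKEN_CONF"; then
    echo "broken conf: acl is nested inside options; move it to top level"
fi
zones_allowing_any_transfer "$BROKEN_CONF" | sed 's/^/broken conf: zone re-allows AXFR to any: /'
has_acl_inside_options "$FIXED_CONF" || echo "fixed conf: acl is at top level"
if [ -z "$(zones_allowing_any_transfer "$FIXED_CONF")" ]; then
    echo "fixed conf: no zone overrides allow-transfer"
fi

# Optional live check, e.g.  NS=ns1.example.net ZONE=example.com sh lint_named.sh
if [ -n "${NS:-}" ] && [ -n "${ZONE:-}" ] && command -v dig >/dev/null 2>&1; then
    if axfr_allowed "$NS" "$ZONE"; then echo "AXFR of $ZONE from $NS ALLOWED"; else echo "AXFR of $ZONE from $NS refused"; fi
fi
```

On a real server, `named-checkconf /etc/named.conf` is the authoritative syntax check and rejects an acl statement inside options outright, so run it before restarting; after the restart, repeat the AXFR test from a host that is not in the ACL (the scanner's vantage point), since a transfer that succeeds from the server itself proves nothing about what the scanner sees.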