Talk:DNS zone transfer
||This article may be too technical for most readers to understand. (September 2010) (Learn how and when to remove this template message)|
- That's because Answers.com gets its text from Wikipedia. - Technostalgia 16:39, 16 August 2006 (UTC)
Article edited to suit output from popular software package
This article is referenced in the output of the Nessus software vulnerability scanner. Looking at the history, you can see that the content has been changed in order to suit that tool. Specifically, the (almost entirely bogus and discredited) so-called security concerns have been overstated. In reality, there is absolutely no data exposed through zone transfer that cannot be trivially obtained by other means. In reality, there are no denial of service issues specific to zone maintenance traffic in any up-to-date DNS server (although older servers that have many other far more serious vulnerabilities do still exist) because functionally equivalent DOS and DDOS attacks can be performed with normal DNS queries without recourse to AXFR. What's happening here is that consultants who earn money by running Nessus against client sites have a financial incentive to promote misinformation through wikipedia; the more "problems" the consultants find, the more value they appear to provide. I do not think this is an appropriate driver for Wikipedia content, especially when the security concerns are at least exaggerated if not outright false.
Serious NPOV problems
This article is biased in favor of complex database backends to DNS. There is no mention of the decreased reliability that unnecessary complexity brings to simplistic functions like name/address translation. DNS servers that use complex or expensive backends are consistently referred to as "modern" which is a gross misuse of the term; complex database-driven DNS backends exist which are older (and thus less "modern") than recently written (and thus thoroughly "modern") DNS engines that have simple backends. Wikipedia should simply state that some DNS engines are simpler than others and that some use more complex zone transfer mechanisms than those provided by AXFR, preferably with links to articles about those mechanisms, and stop making questionable value judgments that serve only to advertise expensive commercial products.
Allowing AXFR traffic can be a security ENHANCEMENT
Very highly secure sites may permit zone transfers for several reasons. If one makes the fairly safe assumption that prospective attackers will attempt to "case the joint" before attempting intrusion, and the slightly less safe assumption that worms and other automated tools will use the most efficient methods to canvas DNS, a site's bandwidth can be optimized by allowed zone transfers (rather than bandwidth-hogging DNS interrogation which will be the inevitable result of banning AXFR). Additionally a site can trivially detect and respond to unauthorized/unexpected zone transfers, which are much easier to sift from high volumes of DNS traffic than interrogations are, for the obvious reason that tedious interrogations are spaced out over time - usually purposefully - so that they blend into normal traffic in ways that zone transfers simply cannot. In short, AXFRs reveal no data that is not already revealed, and permit detection of reconnaissance that would otherwise be undetectable. The article overstates some people's obsolete contentions about security issues in older software, but presents no dissenting views based on the capabilities of currently available software.
Broad mention of other database replication mechanisms, which ones?
"Nearly universal at one time, it is now becoming less popular in favor of the use of other database replication mechanisms that modern DNS server packages provide"
- I saw the same thing and had the same thought. I deleted the sentence from the lead per "Encyclopedic content must be verifiable." The claim was challenged in 2012 and apparently no one was able to support it using citations. --Marc Kupper|talk 03:44, 19 February 2014 (UTC)