[Owasp-leaders] Zone transfer

Ralph Durkee rd at rd1.net
Thu Apr 8 09:03:10 EDT 2010


It doesn't make sense for OWASP to use a DNS server that allows zone 
transfers without authentication. This is one of the basics in terms of 
DNS security.
It's not the kind of open that should be OWASP. If the name servers 
fail in this, are there other issues? Shouldn't we ask about the 
security and then get permission for a test? Most of what we do depends 
on DNS being trusted.

-- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GPEN
Rochester OWASP




Rory McCune wrote:
> On Thu, Apr 8, 2010 at 9:49 AM, OWASP Geneva Chapter
> <antonio.fontes at owasp.org> wrote:
>   
>> On 8 April 2010 09:00, Erlend Oftedal <Erlend.Oftedal at bekk.no> wrote:
>>     
>>> Hi
>>> I see this message popping up from time to time on twitter, that owasp.org
>>> is vulnerable to zone transfer.
>>> I guess that’s something we want to fix.
>>> “RT @maxisoler: +1 WTF?! RT: @Jabra: Wtf owasp.org is still vulnerable to
>>> zone transfer!”
>>> Erlend
>>>       
>> Hi Leaders,
>>
>> The initial security requirement dictates that zone content disclosure
>> should be restricted in order to reduce the risk of hidden/internal
>> hosts disclosure (which we could even argue it's a "security by
>> obfuscation" practice).
>>
>> Keeping it open might also mean we did our work correctly, applied
>> basic risk assessment, and stick to our "openness" principle.
>>
>> (okay okay, devil's advocate now heading towards the exit door)
>>
>> Antonio
>>
>>     
> I'd agree in that there shouldn't be "private" information available
> in public DNS as there are other ways (eg, DNS brute-force) to get
> access to that kind of information.
>
> That said, from a PR perspective, it may not look good for us to have
> something present in our security posture which is generally
> considered a "bad thing", so probably worth changing...
>
> my 0.02 of local currency.
>
> cheers
>
> Rory
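
The restriction Ralph is asking for, shown as an added example rather than anything taken from owasp.org's own name servers: a BIND 9 named.conf fragment that refuses unauthenticated AXFR/IXFR globally and permits transfers for one zone only to secondaries that sign their requests with a TSIG key. The zone name example.org, the key name xfer-key, the addresses 192.0.2.10/192.0.2.53 and the secret placeholder are all assumed values for illustration.

```conf
// ---- Weak setting (what the thread is complaining about) ----
// BIND's historical default: anyone who can reach port 53 may pull the zone.
// options { allow-transfer { any; }; };

// ---- Corrected setting: primary name server (assumed 192.0.2.10) ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-OUTPUT-OF-tsig-keygen";   // placeholder, not a real key
};

options {
    // Deny transfers by default; each zone must opt in explicitly.
    allow-transfer { none; };
};

zone "example.org" {            // assumed zone name
    type primary;               // "master" on BIND releases before 9.16
    file "db.example.org";
    // Only requests signed with xfer-key are served; an unsigned AXFR
    // from anywhere, including the secondary's own IP, is refused.
    allow-transfer { key xfer-key; };
    also-notify { 192.0.2.53; }; // assumed secondary
};

// ---- Corrected setting: secondary name server (assumed 192.0.2.53) ----
key "xfer-key" {                // same name, algorithm and secret as on the primary
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-OUTPUT-OF-tsig-keygen";
};

// Sign every query sent to the primary with xfer-key.
server 192.0.2.10 { keys { xfer-key; }; };

options { allow-transfer { none; }; };   // secondaries should not re-serve the zone either

zone "example.org" {
    type secondary;             // "slave" on BIND releases before 9.16
    primaries { 192.0.2.10 key xfer-key; };   // "masters" on older releases
    file "db.example.org.secondary";
};
```

With this in place a refused transfer is logged by BIND in its security category as a denied zone transfer, which is the event a defender should watch for rather than the transfers themselves.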

