@unlambda @whitequark

The root and a few of its direct and indirect subdomains have publicly available data.

% tcp-socket-connect lax.xfr.dns.icann.org 53 axfr-get uri.arpa uri uri.tmp

There is a list of these.

https://news.ycombinator.com/item?id=44318136

#DNS #AXFR #Estonia

How to access DNS zone data for the different top-level domains | Hacker News

When building a library, it's not just about providing features but getting the ergonomics right so that developers can take maximum advantage of the functionality provided. After several approaches, we're finally happy with #DNS Zone Transfers for our #OpenSource `domain` crate for #rustlang. #CodingInTheOpen #IXFR #AXFR #TSIG
https://github.com/NLnetLabs/domain/pull/375
XFR response processing by ximon18 · Pull Request #375 · NLnetLabs/domain

Based on code in the xfr branch which should be replaced by this code, in order to split PR #335 into several smaller PRs. Subsequent PRs will build on this to: Update zones based on the events ou...

I’ve received on my postmaster@ address a message from some security researchers warning me of the “insecure” #DNSSEC configuration of my domain, so for the record:

My domain (incenp.org) is configured to use #NSEC, and not #NSEC3, on purpose. This is not a misconfiguration. I weighed the pros and cons of NSEC3, and decided it was just not worth it.

Yes, people could use NSEC records to enumerate all the DNS records of my zone. So what?

Usually I am not a fan (and that’s a euphemism) of the “if you have nothing to hide, you have nothing to fear” argument, but in this case, there is really nothing to hide in my DNS zone. I would happily give a list of all the records (or even the original master zone file) to anyone who asks for it.

Actually, last time I checked, one of the slave DNS servers I use was even configured to allow #AXFR requests from anywhere, and I never bothered to contact the admin of that server to ask him to do anything about it. So if you want the entirety of my zone’s records, don’t waste your time mounting an NSEC enumeration attack, just ask the right server.

We all hate #DNS, as it is the root of all evil. But I have a #PowerDNS server here at home that is managing all my domains. Now I want you all to be able to use the amazing domains I own, like ben-on-vms.com. Should I replicate the #PowerDNS backend using #MySQL or #AXFR? The primary server is here at my home and the secondaries will be connected over a #wireguard #vpn. #vExpert #vCommunity #Homelab

Sometimes my primary name-server has problems sending notify to the secondaries. This little script helped me by doing it manually.

https://github.com/hirose31/send-dns-notify/blob/master/send-dns-notify

#DNS #AXFR

hirose31/send-dns-notify

send DNS NOTIFY message.

In case you ever need to test an #AXFR implementation or just want to play around with zone transfers:

I created a thing for such use cases: https://icanhazaxfr.com