- 1. From what I understood, secondary MX (rollernet's MX) kicks in in the case that the primary MX server is offline. However, I still see mails being redirected to the secondary MX even if the primary MX is online, as listed in the mail logs. Is it normal for secondary MX to behave as such?
- 2. I tried using the secondary nameserver service for some of my domains, but I see error messages in the logs, apparently about the difficulty of copying the information from the master nameserver:
I tried contacting my host and they said that they do not allow AXFR transfers. Here is their reply:
```
transfer of domain.com/IN from xx.xx.xx.xx#53: failed to connect: timed out
transfer of domain.com/IN from xx.xx.xx.xx#53: end of transfer
transfer of domain.com/IN from xx.xx.xx.xx#53: failed to connect: timed out
transfer of domain.com/IN from xx.xx.xx.xx#53: end of transfer
zone domain.com/IN: Transfer started.
zone domain.com/IN: Transfer started.
```
I don't get it: if AXFR transfer is dangerous, is there any other way to transfer zone information in-between servers? If my server doesn't allow AXFR transfers, does that mean I don't have any chance of using secondary nameservers?

In a typical configuration, the primary server is configured to only allow the addresses of secondary servers to retrieve the zone file from it. Often, however, even these basic address-based authentication mechanisms are not provided and any user can grab the complete zone file for a particular domain using a tool like dig, which can trigger a zone transfer and retrieve this information using its AXFR function.
Of course, advertising a complete directory service for every single host in a network is dangerous, but more dangerous still is when a domain is configured with more information than is even required to perform basic resolution. Sometimes hosts are named after people or ongoing projects, which are useful to attackers in determining the purpose of a system.
This allows a malicious party to perform name-based reconnaissance with great ease. This serves as a first step to gaining information about a target network, and often leads to more in-depth scanning of what the attacker may perceive to be interesting targets.
Another thing is: if AXFR transfer is dangerous, why do all other services providing secondary nameservers use it?
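
The restriction described in the quoted text (only the secondaries may retrieve the zone), written out as a BIND `named.conf` fragment. This is an added example, not part of the original post or the host's configuration; the addresses (documentation ranges), key name, secret and file names are placeholders, and BIND is assumed because the log lines above are in its format.

```conf
// --- Primary (assumed address 198.51.100.10) ---

// Weak: any client can pull the complete zone with an AXFR query.
// zone "domain.com" {
//     type master;
//     file "domain.com.zone";
//     allow-transfer { any; };
// };

// Shared TSIG key: the secondary must sign its transfer request with it.
key "xfer-domain-com" {                    // hypothetical key name
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder, never a real value
};

// Address of the secondary nameserver (placeholder).
acl "secondaries" { 192.0.2.53; };

// Restricted: refuse every client outside the ACL, then require the key,
// so a transfer needs BOTH the right source address and a valid signature.
zone "domain.com" {
    type master;
    file "domain.com.zone";
    allow-transfer { !{ !secondaries; any; }; key "xfer-domain-com"; };
    also-notify { 192.0.2.53; };           // tell the secondary about changes
};

// --- Secondary (192.0.2.53) ---

// Same key definition as on the primary, then bind it to the primary's
// address so every request sent there is signed.
server 198.51.100.10 { keys { "xfer-domain-com"; }; };

zone "domain.com" {
    type slave;                            // "secondary" in newer BIND releases
    masters { 198.51.100.10; };            // "primaries" in newer BIND releases
    file "slaves/domain.com.zone";
};

// Zone transfers run over TCP port 53. A "failed to connect: timed out"
// entry on the secondary means the TCP connection itself never opened,
// so the primary's firewall must also permit TCP/53 from 192.0.2.53.
```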