Full zone information disclosure on top level domain name servers

From: Max (rusmirat_private)
Date: Fri Oct 18 2002 - 14:28:23 PDT


    Title:
    
    Full zone information disclosure on top level domain name servers
    =================================================================
    
    Introduction:
    
    The Domain Name System, described in RFC 1034/1035, specifies a full zone
    transfer (AXFR) mechanism. While this mechanism is useful for replicating
    zone information between servers, it can also be used to gather
    information for mass mailing, distributed DoS attacks, and other malicious
    purposes.
    
    Problem:
    
    Many top level domain (TLD) DNS servers do not place any restrictions
    on AXFR queries.
    
    Impact:
    
    AXFR data can be used to find mail relays, proxy servers, and hosts with specific
    operating systems or applications installed. AXFR data for some TLDs contains
    hundreds of thousands of records, and host names are often quite meaningful.
    A malicious person can select thousands of specific servers without spending
    a lot of time scanning networks. Also, multiple AXFR queries can be used to
    perform a DoS attack on the DNS server itself.
    
    Solution:
    
    An access list should be used to prevent unauthorized zone transfers.
    For BIND versions 8 and 9 this can be accomplished by setting the allow-transfer
    option appropriately.
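    As an added illustration (not part of the original advisory), a named.conf fragment in BIND 9 syntax showing the unrestricted policy next to a restricted one. The zone name, file name, secondary addresses and key name are placeholders.

```conf
// --- Weak: anyone on the Internet may pull the whole zone ---
// This is what an unrestricted server looks like; in BIND 8 and the
// BIND 9 releases of the time it was also the implicit default when
// allow-transfer was not set at all.
zone "example.net" {
    type master;
    file "db.example.net";
    allow-transfer { any; };
};

// --- Restricted: deny by default, permit only known secondaries ---
acl "secondaries" {
    192.0.2.53;          // placeholder secondary name server
    2001:db8::53;        // placeholder secondary name server (IPv6)
};

// TSIG key so that address spoofing alone is not enough to get a transfer.
// Generate the secret with tsig-keygen (BIND 9.9+) and keep it out of
// world-readable files; BIND 8 only understands hmac-md5 keys.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, not a real key
};

options {
    // Global default: no zone is transferable unless a zone stanza
    // explicitly says otherwise.
    allow-transfer { none; };
};

zone "example.net" {
    type master;
    file "db.example.net";
    // Both the source address AND a valid TSIG signature are required.
    allow-transfer { !{ !secondaries; any; }; key "xfer-key"; };
    also-notify { 192.0.2.53; 2001:db8::53; };
};
```

    The secondary must reference the same key in a matching `server 192.0.2.1 { keys { "xfer-key"; }; };` statement (primary address is a placeholder) for its AXFR requests to be accepted.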
    
    Credits:
    
    I'll keep all the credits. Feedback is welcome at "rusmir AT tula DOT net"
    
    
    Appendix:
    
    Fortunately, none of the .com/org/edu/net/mil/gov servers allow AXFR.
    The following is a list of the most recognizable TLDs that allow AXFR on
    at least one of their servers (as of October 18, 2002).
    The list is sorted alphabetically.
    
    AR
    AU (can't believe... kangaroo.au is not registered yet)
    BG
    CU (Well, communism is based on share-everything idea :)
    CZ
    EE (If this list was sorted by region, baltic countries would be on top)
    EG
    ES (Corrida de Hackers ?)
    FI
    HU
    IL (Probably doesn't allow AXFR on Saturdays)
    IN (Don't worry, guys, .PK does it too...)
    IT (5% of hostnames contain "pizza" or "pasta")
    MY
    NO
    PK (India does it, so we should, too!)
    SE
    SG
    RU ( #1 source for spammers, over 600,000 records!)
    TR
    UA
    ZA
    
    Recently registered TLDs:
    
    .INT
    .MUSEUM
    .PRO
    
    



    This archive was generated by hypermail 2b30 : Fri Oct 18 2002 - 20:43:57 PDT