
Friday, 9 April 2010

axfr shouldn't be public!

The time has come. Time to make some DNS zones public. I do understand that this information may cause problems for some DNS service providers, but doing nothing is worse, and it is almost impossible to notify everyone affected.

In my opinion this is a serious security issue: anybody can obtain and examine a whole DNS zone. That is possible when you allow everyone to perform an AXFR transfer, which should normally be provided only to slaves.


“Okay, so what do you think you're Elvis or something (…) That don't impress me much!”

Is this issue common? I tested some DNS servers, most of them selected at random, but I also checked big DNS providers. Some of them have this issue on all their servers, some only on a few. But almost 30% of those audited at random were vulnerable, which sounds bad.

Example:
The domain secure.net (a real example) has 2 DNS servers: ns1.secure.net and ns2.secure.net.
Let's ask for its zone:
$ dig secure.net @ns2.secure.net axfr
And see what happens:
 (these are just a few lines from the whole zone, which has about 60 lines)
OK, let's take something bigger: the University of Warsaw (uw.edu.pl). The domain has 4 DNS servers:
  • arwena.nask.waw.pl
  • io.coi.pw.edu.pl
  • europa.coi.pw.edu.pl
  • dns.fuw.edu.pl
The first three don't have the problem and answer with:
Transfer failed.
But the last one, run by the Faculty of Physics at the University of Warsaw (dns.fuw.edu.pl), is vulnerable and we can see almost 400 records. Because we know that this server is vulnerable, we can dig deeper and check which other domains use it as a name server at: http://www.robtex.com/dns/dns.fuw.edu.pl.html#shared.
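The check above, done by hand with dig for one zone at a time, generalises into a small audit script. This is an added example, not code from the original post: it resolves a zone's NS records with `dig +short`, attempts an AXFR against each server exactly as in the command above, and classifies dig's output as open, refused or error (a timeout or a cut-off transfer is deliberately reported as an error, not as "safe"). It assumes the `dig` tool from the BIND utilities is installed; the zone names and the three captured outputs embedded below are constructed samples.

```python
"""Audit a zone's name servers for anonymous AXFR.

Added example, not from the original post. Assumes `dig` (BIND utilities)
is installed; every name and captured output below is a constructed sample.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample of what `dig <zone> @<ns> axfr` prints when the server
# allows the transfer: the records are framed by the zone's SOA at both ends.
OPEN_SAMPLE = """\
; <<>> DiG 9.7.0 <<>> example.com @ns2.example.com axfr
;; global options: +cmd
example.com.        3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2010040901 3600 900 604800 3600
example.com.        3600  IN  NS   ns1.example.com.
example.com.        3600  IN  NS   ns2.example.com.
www.example.com.    3600  IN  A    192.0.2.10
example.com.        3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2010040901 3600 900 604800 3600
;; Query time: 12 msec
;; SERVER: 192.0.2.2#53(192.0.2.2)
;; XFR size: 5 records (messages 1, bytes 180)
"""

# Constructed sample of a server that refuses the transfer.
REFUSED_SAMPLE = """\
; <<>> DiG 9.7.0 <<>> example.com @ns1.example.com axfr
;; global options: +cmd
; Transfer failed.
"""

# Constructed sample of a server that does not answer at all.
TIMEOUT_SAMPLE = """\
; <<>> DiG 9.7.0 <<>> example.com @ns3.example.com axfr
;; global options: +cmd
;; connection timed out; no servers could be reached
"""

SOA_RE = re.compile(r"\sIN\s+SOA\s")


def zone_records(output: str) -> List[str]:
    """Resource-record lines of dig's output (everything that is not a ';' comment)."""
    return [ln for ln in output.splitlines() if ln.strip() and not ln.startswith(";")]


def classify_axfr_output(output: str) -> str:
    """'open' for a complete zone, 'refused' for an explicit refusal, else 'error'.

    A complete AXFR starts and ends with the SOA record. Anything else
    (timeout, connection refused, a cut-off stream) is an error, so the
    operator re-checks it instead of assuming the server is safe.
    """
    if "Transfer failed" in output:
        return "refused"
    records = zone_records(output)
    if len(records) >= 2 and SOA_RE.search(records[0]) and SOA_RE.search(records[-1]):
        return "open"
    return "error"


def list_name_servers(zone: str) -> List[str]:
    """NS names of the zone via `dig +short`, trailing dots stripped."""
    out = subprocess.run(["dig", "+short", zone, "NS"],
                         capture_output=True, text=True, timeout=30).stdout
    return sorted(name.rstrip(".") for name in out.split())


def try_axfr(zone: str, ns: str) -> Tuple[str, int]:
    """Attempt an AXFR of `zone` from `ns`; return (status, record count)."""
    try:
        out = subprocess.run(["dig", "+time=5", "+tries=1", zone, "@" + ns, "axfr"],
                             capture_output=True, text=True, timeout=60).stdout
    except subprocess.TimeoutExpired:
        return "error", 0
    status = classify_axfr_output(out)
    return status, (len(zone_records(out)) if status == "open" else 0)


def audit(zone: str) -> Dict[str, Tuple[str, int]]:
    """Every authoritative server of the zone with its AXFR status."""
    return {ns: try_axfr(zone, ns) for ns in list_name_servers(zone)}


if __name__ == "__main__":
    import sys
    for ns, (status, count) in audit(sys.argv[1]).items():
        print(f"{ns:40} {status:8} {count} records")
```

Run it as `python3 axfr_audit.py uw.edu.pl` to get one line per name server; a zone is only as private as its most permissive server, so a single "open" line means the whole zone is public regardless of how the other servers are configured.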

These are only two of the checked zones. Believe it or not, there were more than a few with over 20000 records in their zones.

Because in my opinion information such as DNS zones should not be visible, I have just written e-mails to the hostmasters of all DNS servers that have the problem (the ones I caught). So, avoid being caught red-handed: check your DNS configuration immediately.
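What "check your configuration" means in practice for BIND 9, the most common server at the time: a master zone with no `allow-transfer` statement answered AXFR to anyone, because the default was `any`. The fragment below is an added example, not from the original post, and the zone name, file name, address and key name are placeholders. It shows the weak configuration next to the hardened one, which refuses transfers globally and allows them for the zone only when the request is signed with a TSIG key shared with the secondary:

```conf
// Weak: no allow-transfer, so with BIND 9's default of the time anyone may AXFR
zone "example.com" {
    type master;
    file "example.com.zone";
};

// Hardened: refuse transfers everywhere by default ...
options {
    allow-transfer { none; };
};

// Placeholder key: generate a real secret with tsig-keygen (dnssec-keygen on
// older BIND) and configure the same key on the secondary.
key "ns2-xfer" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";
};

// ... and open them only for requests signed with the secondary's key.
// If TSIG is not set up yet, an address-only ACL such as
// allow-transfer { 192.0.2.2; }; is the minimum.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { key ns2-xfer; };
};
```

After `rndc reload`, repeat the check from above (`dig example.com @ns2.example.com axfr`) from a host that is not a secondary; the expected answer is now "Transfer failed." on every server listed in the zone's NS records, not just the one you edited.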

---/10-04-2010/---
Because some hostmasters have since checked their configuration, I can now write that the problem existed, for example, with art.pl (about 19000 records visible) and krakow.pl (16000 records). It should shed some light on the significance of the case.
