Home page logo
/

bugtraq logo Bugtraq mailing list archives

Full zone information disclosure on top level domain name servers
From: Max <rusmir () tula net>
Date: Fri, 18 Oct 2002 14:28:23 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title:

Full zone information disclosure on top level domain name servers
=================================================================

Introduction:

The Domain Name System described in rfc 1034/1035 includes full zone
transfer (AXFR) specification. While this mechanism is useful to replicate
zone information between servers, it can also be used to gather various
information for mass mailing, distributed DoS attacks, and other malicious
purposes.

Problem:

Many of top level domain (TLD) DNS servers do not implement any restrictions
on AXFR query.

Impact:

AXFR data can be used to find mail relays, proxy servers, hosts with specific
operating systems or applications installed. AXFR data for some TLDs contains
hundreds of thousands or records, and host names are often quite meaningful.
A malicious person can select thousands of specific servers without spending
a lot of time scanning networks. Also, multiple AXFR queries can be used to
perform DoS attack on DNS server itself.

Solution:

An access list should be used to prevent unauthorized zone transfers.
For bind version 8 and 9 this can be accomplished by setting allow-transfer
option appropriately.

Credits:

I'll keep all the credits. Feedback is welcome at "rusmir AT tula DOT net"


Appendix:

Fortunately, none of .com/org/edu/net/mil/gov servers allow AXFR.
The following is a list of most recognizable TLDs that allow AXFR on
at least one of their servers (as of October 18, 2002).
The list is sorted alphabetically.

AR
AU (can't believe... kangaroo.au is not registered yet)
BG
CU (Well, communism is based on share-everything idea :)
CZ
EE (If this list was sorted by region, baltic countries would be on top)
EG
ES (Corrida de Hackers ?)
FI
HU
IL (Probably does'n allow AXFR on Saturdays)
IN (Don't worry, guys, .PK does it too...)
IT (5% of hostnames contain "pizza" or "pasta")
MY
NO
PK (India does it, so we should, too!)
SE
SG
RU ( #1 source for spammers, over 600,000 records!)
TR
UA
ZA

Recently registered TLDs:

.INT
.MUSEUM
.PRO

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE9sHz+8mCpXsrcXpwRAkH5AJ4xkVvdp3Mwg8Nwyx9/8zCGKp8lrACgukeA
k6/36LPbMc4ATUQ0EVwgKzo=
=o4Fa
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault