Penetration Testing mailing list archives

Re: question regarding nessus plug-in 10595 DNS AXFR
From: Mike Hoskins <mike () adept org>
Date: Tue, 24 Feb 2004 18:26:37 -0800 (PST)

On Tue, 24 Feb 2004, cissper wrote:
> In one of my scans, nessus reported a vulnerability allowing DNS zone
> transfers (see below).

first, i'd like to point out that prominent members from the DNS
development community have stated that denying zone xfers is little more
than security through obscurity.  i personally do not allow zone xfers
from non-trusted hosts (an old habit, i'm in the camp that believes
obscurity is OK as only a part of "security in depth", after all the
military uses camouflage), but keep in mind that this "vulnerability" can
be exploited in other ways.  i.e. generating all possible text string
queries (there are a finite amount, perl on modern CPUs is quite fast) and
watching the return code would conceivably allow people to determine the
same information without actually doing a zone xfer.  of course such
activity could be 'caught' in various ways.  this is most likely why
nessus rates this as 'medium' risk.

that said, i'm not sure precisely what the plugin is doing...  but there
are a couple things you could check.  first, it may simply see TCP port 53
open on the name server in question.  TCP port 53 is used for zone xfer,
as i'm sure you know, but also used for other things...  so i would hope
this is not what the plugin is doing.  to see if the plugin is actually
attempting a zone xfer (if it is not allowed via nslookup/dig as you
mention), check the logs on the name server in question.  for example, if
i use dig against a server configured to deny zone xfers as follows:

dig @server somedomain.tld axfr

then i will see (in /var/log/messages, or wherever your name server is
logging, i'm assuming BIND here which is admittedly probably not a good

Feb 24 18:05:15 server named[328]: denied AXFR from [a.b.c.d].port
for "somedomain.tld" IN (acl)

or something similar...  doing a `tail -f /var/log/messages` while running
nessus against the server may be of use.  you'll want to ensure such
attempts are being logged anyway, so you know if/when people go poking
around your name servers.  (most frequent query on my external servers of
late has been the infamous '.'.)

> I have tried to verify this vulnerability manually with nslookup and
> other tools. Apparently a manual DNS zone transfer did not work!

were nessus and nslookup run from the same machine?  perhaps an acl is
only allowing axfr/ixfr from specific hosts/subnets?
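A defensive counterpart to the log check described in the message above, added here as an example that is not part of the original post: a small Python script that pulls refused AXFR/IXFR attempts out of BIND log lines (the BIND 8 style line quoted in the post, plus an assumed BIND 9 style form) and counts them per source address, and a helper that classifies the output of the `dig ... axfr` self-check. The log lines and dig output below are constructed samples.

```python
import re
from collections import Counter

# Two log shapes are handled. The first is the line quoted in the post:
#   denied AXFR from [a.b.c.d].port for "somedomain.tld" IN (acl)
# The second is an assumed BIND 9 style equivalent (form assumed, not from the post):
#   client 203.0.113.9#40112: zone transfer 'somedomain.tld/AXFR/IN' denied
BIND8_RE = re.compile(
    r'denied (?P<kind>AXFR|IXFR) from \[(?P<src>[^\]]+)\]\.(?P<port>\d+) for "(?P<zone>[^"]+)"')
BIND9_RE = re.compile(
    r"client (?P<src>[^#\s]+)#(?P<port>\d+): zone transfer '(?P<zone>[^/]+)/(?P<kind>AXFR|IXFR)/IN' denied")


def parse_denied_xfer(line):
    """Return (source, zone, kind) if the line records a refused zone transfer, else None."""
    for rx in (BIND8_RE, BIND9_RE):
        m = rx.search(line)
        if m:
            return m.group("src"), m.group("zone"), m.group("kind")
    return None


def denied_transfers_by_source(lines):
    """Count refused AXFR/IXFR attempts per source address; the thing to watch while a scan runs."""
    counts = Counter()
    for line in lines:
        hit = parse_denied_xfer(line)
        if hit:
            counts[hit[0]] += 1
    return dict(counts)


def axfr_result(dig_output):
    """Classify the text printed by `dig @server zone axfr` as denied, allowed, or unknown.

    dig prints '; Transfer failed.' when the server refuses; an allowed transfer starts
    with the zone's SOA record (assumption about dig's output format).
    """
    if "; Transfer failed." in dig_output:
        return "denied"
    if re.search(r"^\S+\s+\d+\s+IN\s+SOA\s", dig_output, re.MULTILINE):
        return "allowed"
    return "unknown"


# Constructed sample log, mixing refused transfers with an unrelated query line.
SAMPLE_LOG = """\
Feb 24 18:05:15 server named[328]: denied AXFR from [198.51.100.23].54302 for "somedomain.tld" IN (acl)
Feb 24 18:05:16 server named[328]: denied IXFR from [198.51.100.23].54303 for "somedomain.tld" IN (acl)
Feb 24 18:05:20 server named[328]: query: . IN NS
Feb 24 18:06:01 server named[328]: client 203.0.113.9#40112: zone transfer 'somedomain.tld/AXFR/IN' denied
"""
```

Feed real lines with `denied_transfers_by_source(open("/var/log/messages").readlines())` to see which hosts are probing for transfers.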
