Section One BBS


Subject: US-CERT bulletin
Date: Mon Apr 13 2015 09:46 pm
From: Ben Ritchey
To: All

NCCIC / US-CERT

National Cyber Awareness System:

TA15-103A: DNS Zone Transfer AXFR Requests May Leak Domain Information
04/13/2015 03:36 PM EDT


Original release date: April 13, 2015

Systems Affected

Misconfigured Domain Name System (DNS) servers that respond to global
Asynchronous Transfer Full Range (AXFR) requests.

Overview

A remote unauthenticated user may request a DNS zone transfer from a
public-facing DNS server. If improperly configured, the DNS server may respond
with information about the requested zone, revealing internal network structure 
and potentially sensitive information.

Description

AXFR is a protocol for "zone transfers" for replication of DNS data across
multiple DNS servers. Unlike normal DNS queries that require the user to know
some DNS information ahead of time, AXFR queries reveal subdomain names [1].
Because a zone transfer is a single query, it could be used by an adversary to
efficiently obtain DNS data.

A well-known problem with DNS is that zone transfer requests can disclose
domain information; for example, see CVE-1999-0532 and a 2002 CERT/CC white
paper [2][3]. However, the issue has regained attention due to recent Internet
scans still showing a large number of misconfigured DNS servers. Open-source,
tested scripts are now available to scan for the possible exposure, increasing
the likelihood of exploitation [4].

Impact

A remote unauthenticated user may observe internal network structure, learning
information useful for other directed attacks.

Solution

Configure your DNS server to respond only to zone transfer (AXFR) requests from 
known IP addresses. Many open-source resources give instructions on
reconfiguring your DNS server. For example, see this AXFR article for
information on testing and fixing the configuration of a BIND DNS server.
US-CERT does not endorse or support any particular product or vendor.

References

[1] How the AXFR Protocol Works
[2] Vulnerability Summary for CVE-1999-0532
[3] Securing an Internet Name Server
[4] Scanning Alexa's Top 1M for AXFR

Revision History

April 13, 2015: Initial Release

------------------------------------------------------------------------------

This product is provided subject to this Notification and this Privacy & Use
policy.



--
Guardien Fide   :^)

   Ben  aka cMech  Web: http://cmech.dynip.com
                 Email: fido4cmech(at)lusfiber.net
              Home page: http://cmech.dynip.com/homepage/
           WildCat! Board 24/7  +1-337-984-4794  any BAUD 8,N,1

--- GoldED+/W32-MSVC
 * Origin: FIDONet - The Positronium Repository (1:393/68)
