[dns-operations] Stunning security discovery: AXFR may leak information

Marjorie marjorie at id3.net
Tue Apr 14 18:47:04 UTC 2015

This is an interesting discussion actually.
It's all about a rather benign but widespread misconfiguration.

Not long ago, I ran a survey against a small ccTLD and tested each
domain name for AXFR.
The ccTLD zone file itself having been obtained - you guessed it - by
way of zone transfer...

Surprisingly, AXFR requests were honored by one server out of seven or
So the prevalence of AXFR-enabled DNS servers is still quite high. I
would guess this is the result of using default configuration settings
from older Bind versions, but I didn't fingerprint the DNS software

Still many seem to consider that zone transfer is a moot point anyway,
because the zone file can be reconstructed by scanning known IP ranges,
then resolving hostnames.
I disagree with this.  There is no valid reason for exposing your
network topology to the outside world. You are only making the job
easier for potential attackers.

I think the biggest issue with zone transfers, is that they may leak
information that cannot be easily guessed otherwise.
Specifically: hostnames declared outside the IP ranges that are known to
the attacker.

For example, company acme.com may have a zone file like this (IP
addresses are of course made up):

IN  SOA ns1.acme.com. hostmaster.acme.com. (
            2015041001 ; serial
            3H ; refresh
            15 ; retry
            1w ; expire
            3h ; minimum
sqlserver    A
mailserver    A
mailserver2    A
sharepoint    A
archive    A
backupserver    A

By looking at the zone file, you now know they have a backup server
( hosted with a third party provider, thus you have one
additional target to try.
Thank you AXFR for helping hackers.

Occasionally I have found sensitive comments in TXT records (HINFO
records are telling too, sometimes).

The bottom line is that unrestricted AXFR is generally evil, except for
researchers of course.AXFR is also nice when you operate a search engine
and want to find as many hosts as possible.

DNS is like webhosting: the majority of the users do not have in-depth
understanding of the mechanisms at work. They just have enough knowledge
to make things run more or less smoothly.

On 14-04-2015 17:52, Samson Oduor wrote:
> On 4/14/2015 6:38 PM, Jelte Jansen wrote:
>> some DNS geeks even enable open AXFR on purpose, btw. Open AXFR is not
>> necessarily a security hole or data leak.
> open AXFR =  good for conducting reconnaissance
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

More information about the dns-operations mailing list