[dns-operations] Stunning security discovery: AXFR may leak information

Mike Hoskins (michoski) michoski at cisco.com
Tue Apr 14 19:00:35 UTC 2015


-----Original Message-----
From: Marjorie <marjorie at id3.net>
Date: Tuesday, April 14, 2015 at 2:47 PM
To: Samson Oduor <samson.oduor at accesskenya.com>, Jelte Jansen
<jelte.jansen at sidn.nl>
Cc: Paul Wouters <paul at nohats.ca>, "dns-operations at dns-oarc.net"
<dns-operations at dns-oarc.net>
Subject: Re: [dns-operations] Stunning security discovery: AXFR
may	leak	information

>This is an interesting discussion actually.
>It's all about a rather benign but widespread misconfiguration.
>
>Not long ago, I ran a survey against a small ccTLD and tested each
>domain name for AXFR.
>The ccTLD zone file itself having been obtained - you guessed it - by
>way of zone transfer...
>
>Surprisingly, AXFR requests were honored by one server out of seven or
>something.
>So the prevalence of AXFR-enabled DNS servers is still quite high. I
>would guess this is the result of using default configuration settings
>from older Bind versions, but I didn't fingerprint the DNS software
>versions.
>
>Still many seem to consider that zone transfer is a moot point anyway,
>because the zone file can be reconstructed by scanning known IP ranges,
>then resolving hostnames.
>I disagree with this.  There is no valid reason for exposing your
>network topology to the outside world. You are only making the job
>easier for potential attackers.

Yes agreed.  The finding is nothing new, and it's not a weakness in AXFR
itself as others have rightly pointed out...so the timing and way in which
it was reported were less than ideal...but your point is spot on.  Many
speak against "security by obscurity" but I think that is often taken too
far -- in some ways blocking AXFR is no different than DMZs and
firewalls...hey, why not have everything on public IP with all ports
exposed?  Security is an onion, and as many layers as you can put between
you and the adversary are generally good assuming the "obscurity" is not
adding unnecessary complexity or other hidden cost (proper config of a DNS
server is quite easy and can be automated).





More information about the dns-operations mailing list