Penetration Testing mailing list archives
Re: question regarding nessus plug-in 10595 DNS AXFR
From: Mike Hoskins <mike () adept org>
Date: Tue, 24 Feb 2004 18:26:37 -0800 (PST)
On Tue, 24 Feb 2004, cissper wrote:
In one of my scans, nessus reported a vulnerability allowing DNS zone transfers (see below).
first, i'd like to point out that prominent members from the DNS development community have stated that denying zone xfers is little more than security through obscurity. i personally do not allow zone xfers from non-trusted hosts (an old habit, i'm in the camp that believes obscurity is OK as only a part of "security in depth", after all the military uses camouflage), but keep in mind that this "vulnerability" can be exploited in other ways. i.e. generating all possible text string queries (there are a finite amount, perl on modern CPUs is quite fast) and watching the return code would conceivably allow people to determine the same information without actually doing a zone xfer. of course such activity could be 'caught' in various ways. this is most likely why nessus rates this as 'medium' risk.

that said, i'm not sure precisely what the plugin is doing... but there are a couple things you could check. first, it may simply see TCP port 53 open on the name server in question. TCP port 53 is used for zone xfer, as i'm sure you know, but also used for other things... so i would hope this is not what the plugin is doing.

to see if the plugin is actually attempting a zone xfer (if it is not allowed via nslookup/dig as you mention), check the logs on the name server in question. for example, if i use dig against a server configured to deny zone xfers as follows:

    dig @server somedomain.tld axfr

then i will see (in /var/log/messages, or wherever your name server is logging, i'm assuming BIND here which is admittedly probably not a good idea),

    Feb 24 18:05:15 server named[328]: denied AXFR from [a.b.c.d].port for "somedomain.tld" IN (acl)

or something similar... doing a `tail -f /var/log/messages` while running nessus against the server may be of use. you'll want to ensure such attempts are being logged anyway, so you know if/when people go poking around your name servers. (most frequent query on my external servers of late has been the infamous '.'.)
I have tried to verify this vulnerability manually with nslookup and other tools. Apparently a manual DNS zone transfer did not work!
were nessus and nslookup run from the same machine? perhaps an acl is only allowing axfr/ixfr from specific hosts/subnets?

-m
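The reply suggests watching the name server's log for "denied AXFR" lines while the scanner runs, and then asks whether an ACL might be permitting transfers only from certain hosts. The following script is an added example written for this archive page, not code from the thread or from BIND; it parses the BIND 8 style "denied AXFR" line quoted above plus an assumed BIND 9 style pair of messages (the exact wording of those is my assumption and varies with named version and logging configuration), counts denied and served transfers per client and zone, and flags transfers that were actually served to hosts outside the set you expect (your secondaries). All log lines are constructed samples.

```python
"""Summarise zone-transfer activity from named log lines (added example)."""
import re
from collections import Counter

# Constructed sample lines, not real log data. Lines 1-3 follow the BIND 8
# form shown in the thread; lines 4-5 follow the BIND 9 form as I understand
# it (assumption: wording differs across named versions and log channels).
SAMPLE_LOG = """\
Feb 24 18:05:15 ns1 named[328]: denied AXFR from [192.0.2.10].41234 for "example.test" IN (acl)
Feb 24 18:05:16 ns1 named[328]: denied AXFR from [192.0.2.10].41235 for "example.test" IN (acl)
Feb 24 18:05:20 ns1 named[328]: denied AXFR from [198.51.100.7].5353 for "corp.example.test" IN (acl)
Feb 24 18:06:01 ns1 named[328]: client 203.0.113.5#33001 (example.test): zone transfer 'example.test/IN' denied
Feb 24 18:06:30 ns1 named[328]: client 10.0.0.2#55555: transfer of 'example.test/IN': AXFR started
Feb 24 18:07:00 ns1 named[328]: lame server resolving 'foo.invalid' (in 'invalid'?): 192.0.2.99#53
"""

# BIND 8 style: denied AXFR from [a.b.c.d].port for "zone" IN (acl)
BIND8_DENIED = re.compile(
    r'denied AXFR from \[(?P<ip>[^\]]+)\]\.(?P<port>\d+) for "(?P<zone>[^"]+)"'
)
# BIND 9 style (assumed): client [@0x...] ip#port [(zone)]: ...
_CLIENT = (r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
           r"(?: \([^)]*\))?: ")
BIND9_DENIED = re.compile(
    _CLIENT + r"zone transfer '(?P<zone>[^/']+)(?:/[A-Z]+)?' denied")
BIND9_STARTED = re.compile(
    _CLIENT + r"transfer of '(?P<zone>[^/']+)(?:/[A-Z]+)?': AXFR started")


def parse_line(line):
    """Return {'ip', 'port', 'zone', 'outcome'} for a transfer event, else None."""
    for pattern, outcome in ((BIND8_DENIED, "denied"),
                             (BIND9_DENIED, "denied"),
                             (BIND9_STARTED, "allowed")):
        m = pattern.search(line)
        if m:
            return {"ip": m.group("ip"), "port": int(m.group("port")),
                    "zone": m.group("zone"), "outcome": outcome}
    return None


def summarize(log_text):
    """Count transfer events per (client ip, zone), split by outcome."""
    counts = {"denied": Counter(), "allowed": Counter()}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            counts[event["outcome"]][(event["ip"], event["zone"])] += 1
    return counts


def unexpected_transfers(log_text, expected_sources):
    """(ip, zone) pairs actually served a transfer from a host not in expected_sources.

    A non-empty result means the ACL is wider than you think (or absent),
    which is the case worth investigating when a scanner reports AXFR open.
    """
    allowed = summarize(log_text)["allowed"]
    return sorted((ip, zone) for (ip, zone) in allowed if ip not in expected_sources)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for outcome in ("denied", "allowed"):
        for (ip, zone), n in report[outcome].most_common():
            print(f"{outcome:7} {ip:15} {zone:25} x{n}")
    # assumption: 10.0.0.2 is the only secondary that should pull these zones
    print("unexpected:", unexpected_transfers(SAMPLE_LOG, {"10.0.0.2"}))
```

To use it against a real server, feed the contents of the file named writes to (/var/log/messages in the reply, or whatever your logging channel is) to `summarize` in place of `SAMPLE_LOG`, and put the addresses of your legitimate secondaries in `expected_sources`; a scanner run that shows up only under "denied" confirms the ACL is doing its job, while anything under "unexpected" means a transfer was actually served to a host you did not intend.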
Current thread:
- question regarding nessus plug-in 10595 DNS AXFR cissper (Feb 24)
- Re: question regarding nessus plug-in 10595 DNS AXFR Mike Hoskins (Feb 25)
- Re: question regarding nessus plug-in 10595 DNS AXFR Ariel Martinez (Feb 25)
- Re: question regarding nessus plug-in 10595 DNS AXFR Pedro Andujar (Feb 25)
- <Possible follow-ups>
- Re: question regarding nessus plug-in 10595 DNS AXFR Travis Schack (Feb 25)