Bugtraq mailing list archives
Full zone information disclosure on top level domain name servers
From: Max <rusmir () tula net>
Date: Fri, 18 Oct 2002 14:28:23 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Title: Full zone information disclosure on top level domain name servers ================================================================= Introduction: The Domain Name System described in rfc 1034/1035 includes full zone transfer (AXFR) specification. While this mechanism is useful to replicate zone information between servers, it can also be used to gather various information for mass mailing, distributed DoS attacks, and other malicious purposes. Problem: Many of top level domain (TLD) DNS servers do not implement any restrictions on AXFR query. Impact: AXFR data can be used to find mail relays, proxy servers, hosts with specific operating systems or applications installed. AXFR data for some TLDs contains hundreds of thousands or records, and host names are often quite meaningful. A malicious person can select thousands of specific servers without spending a lot of time scanning networks. Also, multiple AXFR queries can be used to perform DoS attack on DNS server itself. Solution: An access list should be used to prevent unauthorized zone transfers. For bind version 8 and 9 this can be accomplished by setting allow-transfer option appropriately. Credits: I'll keep all the credits. Feedback is welcome at "rusmir AT tula DOT net" Appendix: Fortunately, none of .com/org/edu/net/mil/gov servers allow AXFR. The following is a list of most recognizable TLDs that allow AXFR on at least one of their servers (as of October 18, 2002). The list is sorted alphabetically. AR AU (can't believe... kangaroo.au is not registered yet) BG CU (Well, communism is based on share-everything idea :) CZ EE (If this list was sorted by region, baltic countries would be on top) EG ES (Corrida de Hackers ?) FI HU IL (Probably does'n allow AXFR on Saturdays) IN (Don't worry, guys, .PK does it too...) IT (5% of hostnames contain "pizza" or "pasta") MY NO PK (India does it, so we should, too!) SE SG RU ( #1 source for spammers, over 600,000 records!) TR UA ZA Recently registered TLDs: .INT .MUSEUM .PRO -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.0 (GNU/Linux) iD8DBQE9sHz+8mCpXsrcXpwRAkH5AJ4xkVvdp3Mwg8Nwyx9/8zCGKp8lrACgukeA k6/36LPbMc4ATUQ0EVwgKzo= =o4Fa -----END PGP SIGNATURE-----
Current thread:
- Full zone information disclosure on top level domain name servers Max (Oct 18)
- <Possible follow-ups>
- Re: Full zone information disclosure on top level domain name servers Måns Nilsson (Oct 19)
- Re: Full zone information disclosure on top level domain name servers Jim Reid (Oct 21)