TA15-103A: DNS Zone Transfer AXFR Requests May Leak Domain Information

["US-CERT" <US-CERT () ncas us-cert gov>]

NCCIC / US-CERT

National Cyber Awareness System:

TA15-103A: DNS Zone Transfer AXFR Requests May Leak Domain Information [ https://www.us-cert.gov/ncas/alerts/TA15-103A 
] 04/13/2015 03:36 PM EDT 
Original release date: April 13, 2015

Systems Affected

Misconfigured Domain Name System (DNS) servers that respond to global Asynchronous Transfer Full Range (AXFR) requests.

Overview

A remote unauthenticated user may request a DNS zone transfer from a public-facing DNS server. If improperly 
configured, the DNS server may respond with information about the requested zone, revealing internal network structure 
and potentially sensitive information.

Description

AXFR is a protocol for “zone transfers” for replication of DNS data across multiple DNS servers. Unlike normal DNS 
queries that require the user to know some DNS information ahead of time, AXFR queries reveal subdomain names [1] [ 
http://cr.yp.to/djbdns/axfr-notes.html ]. Because a zone transfer is a single query, it could be used by an adversary 
to efficiently obtain DNS data.  

A well-known problem with DNS is that zone transfer requests can disclose domain information; for example, see 
CVE-1999-0532 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0532 ] and a 2002 CERT/CC white paper [ 
https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=52493 ] [2] [ 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0532 ][3] [ 
https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=52493 ]. However, the issue has regained attention due to 
recent Internet scans still showing a large number of misconfigured DNS servers. Open-source, tested scripts are now 
available to scan for the possible exposure, increasing the likelihood of exploitation [4] [ 
https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/ ].

Impact

A remote unauthenticated user may observe internal network structure, learning information useful for other directed 
attacks.

Solution

Configure your DNS server to respond only to zone transfer (AXFR) requests from known IP addresses. Many open-source 
resources give instructions on reconfiguring your DNS server. For example, see this AXFR article  [ 
https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/ ]for information on testing and fixing the 
configuration of a BIND DNS server. US-CERT does not endorse or support any particular product or vendor.

References

  * [1] How the AXFR Protocol Works [ http://cr.yp.to/djbdns/axfr-notes.html ] 
  * [2] Vulnerability Summary for CVE-1999-0532 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0532 ] 
  * [3] Securing an Internet Name Server [ https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=52493 ] 
  * [4] Scanning Alexa's Top 1M for AXFR [ https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/ ] 

Revision History

  * April 13, 2015: Initial Release 
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.

________________________________________________________________________

OTHER RESOURCES: Contact Us [ http://www.us-cert.gov/contact-us/ ] | Security Publications [ 
http://www.us-cert.gov/security-publications ] | Alerts and Tips [ http://www.us-cert.gov/ncas ] | Related Resources [ 
http://www.us-cert.gov/related-resources ] 

STAY CONNECTED: Sign up for email updates [ http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new ]