[NEWS] Full Zone Information Disclosure on Top Level Domain Name Servers

From: support@securiteam.com
To: list@securiteam.com
Date: 21 Oct 2002 20:18:14 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Full Zone Information Disclosure on Top Level Domain Name Servers
------------------------------------------------------------------------

SUMMARY

The Domain Name System described in RFC 1034/1035 includes a specification
for full zone transfer (AXFR). While this mechanism is useful for replicating
zone information between servers, it can also be used to gather information
for mass mailing, distributed DoS attacks, and other malicious
purposes.

DETAILS

Problem:
Many top-level domain (TLD) DNS servers do not implement any
restrictions on AXFR queries.

Impact:
AXFR data can be used to find mail relays, proxy servers, and hosts with
specific operating systems or applications installed. AXFR data for some
TLDs contains hundreds of thousands of records, and host names are often
quite meaningful. A malicious person can select thousands of specific
servers without spending a lot of time scanning networks. Also, multiple
AXFR queries can be used to perform a DoS attack on the DNS server itself.

Solution:
An access list should be used to prevent unauthorized zone transfers. For
BIND versions 8 and 9 this can be accomplished by setting the allow-transfer
option appropriately.
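
The following audit script is an added example, not part of the original advisory: it reads a named.conf and lists the zones whose effective allow-transfer setting lets any host request the zone. The sample configuration, zone names and addresses are constructed, named ACLs are not expanded, and it assumes that a zone with no allow-transfer statement at any level answers every host, as BIND 8 and 9 did when this advisory was written.

```python
import re
# Constructed named.conf; every zone name and address below is made up.
SAMPLE_CONF = '''
acl "secondaries" { 192.0.2.53; 198.51.100.53; };
options { directory "/var/named"; };   // no global allow-transfer
zone "open.example" { type master; file "open.db"; };
zone "any.example" IN { type master; file "any.db"; allow-transfer { any; }; };
zone "locked.example" { type master; file "locked.db"; allow-transfer { secondaries; }; };
zone "replica.example" { type slave; masters { 192.0.2.1; }; allow-transfer { none; }; };
zone "." { type hint; file "named.root"; };
'''

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')
SERVING = {"master", "primary", "slave", "secondary"}  # zone types that answer AXFR

def parse_block(it):
    """Parse statements up to the matching '}' into nested lists of words."""
    stmts, cur = [], []
    for tok in it:
        if tok == "}":
            break
        if tok == ";":
            stmts += [cur] if cur else []
            cur = []
        else:
            cur.append(parse_block(it) if tok == "{" else tok.strip('"'))
    return stmts

def find(body, name):
    return next((s for s in body if s[0] == name), None)  # first statement named `name`

def transfer_acl(body):
    stmt = find(body, "allow-transfer")  # None means the block has no such statement
    return None if stmt is None else [" ".join(map(str, e)) for e in stmt[-1]]

def open_zones(conf):
    """Served zones whose effective allow-transfer list contains 'any'."""
    text = re.sub(r'/\*.*?\*/|(//|#)[^\n]*', '', conf, flags=re.S)
    stmts = parse_block(iter(TOKEN.findall(text)))
    default = transfer_acl((find(stmts, "options") or [[]])[-1])
    exposed = []
    for s in stmts:
        if s[0] == "zone" and (find(s[-1], "type") or [0, ""])[1] in SERVING:
            acl = transfer_acl(s[-1])
            acl = default if acl is None else acl
            # Assumption: with no statement at all the server answers any host
            if acl is None or "any" in acl:
                exposed.append(s[1])
    return exposed
```

On the sample, open_zones(SAMPLE_CONF) reports open.example and any.example. Adding "allow-transfer { none; };" to the options block leaves only any.example, because a zone-level statement overrides the global one.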

Appendix:
Fortunately, none of the .com/org/edu/net/mil/gov servers allow AXFR. The
following is a list of the most recognizable TLDs that allow AXFR on at least
one of their servers (as of October 18, 2002). The list is sorted
alphabetically.

AR
AU
BG
CU
CZ
EE
EG
ES
FI
HU
IL
IN
IT
MY
NO
PK
SE
SG
RU
TR
UA
ZA

Recently registered TLDs:

INT
MUSEUM
PRO

ADDITIONAL INFORMATION

The information has been provided by Max <mailto:rusmir@tula.net>.
