US-CERT Warns of Issues With DNS Zone Transfer Requests

2015-04-14T10:48:00
ID US-CERT-WARNS-OF-ISSUES-WITH-DNS-ZONE-TRANSFER-REQUESTS/112225
Type threatpost
Reporter Dennis Fisher
Modified 2015-04-16T20:22:37

Description

The US-CERT is warning administrators and network operators that a misconfiguration issue with some DNS servers that has been known about for more than 15 years and can give attackers detailed information about DNS zones is coming back around thanks to new scans that show a high number of servers vulnerable to the issue.

The problem is in the way that some DNS servers will respond to zone transfer requests from other servers. Primary DNS servers are set up to replicate specific information about their zones to secondary DNS servers, and if the primary servers don’t authenticate the requests they can hand over detailed domain information to an attacker.

The Asynchronous Transfer Full Range protocol is designed to handle these requests, and if the DNS server responding to the request isn’t configured correctly, attackers can get a good picture of what a specific target domain looks like by sending a single query to the server.

“A remote unauthenticated user may request a DNS zone transfer from a public-facing DNS server. If improperly configured, the DNS server may respond with information about the requested zone, revealing internal network structure and potentially sensitive information,” the US-CERT advisory says.

Recently, a firm in Germany took a look at the problem and performed a scan of the Alexa top one million most popular sites to see how many of them had misconfigured DNS servers that give up detailed domain information. The researchers at Internetwache.org found that more than 72,000 unique domains had issues, including more than 48,000 individual nameservers. The vast majority of those servers are in the .com TLD.

“We were very disappointed to see some well and not so well known hosting companies running misconfigured nameservers. Grabbing some random samples from the data lead to the conclusion that information of the companies or it’s customers could be accessed unauthenticated,” Interntwache said in a post on the results of the scans.

The good news is that fixing the problem is relatively easy.

“The easiest way to fix this issue is to re-check your dns server’s configuration file. Make sure that the nameservers only allow AXFR to subsidiary nameservers and that these aren’t allowed to answer AXFR requests,” Internetwache.org said in the post.