Misconfigured DNS Servers Vulnerable

Thursday, April 16, 2015 @ 06:04 PM gHale

Information about the internal network structure and other sensitive details can be disclosed by a DNS (domain name system) server to an unauthenticated user who simply sends it a DNS zone transfer request.

The purpose of a DNS server is to ensure a user reaches the correct web resource by translating the hostname entered in the browser into the IP address corresponding to the machine serving the content.

Any tampering with this system can send users to malicious IPs even when they enter a correct web address, exposing them to attacks.

As such, these machines are important in the Internet structure and require special security to prevent attackers from gaining access to the DNS records.

The Asynchronous Transfer Full Range (AXFR) protocol is used to replicate DNS data (called a “zone”) across multiple DNS servers. Thus, if the primary server encounters an issue and cannot provide the necessary data, queries are still answered from the copies of the zone held by the other servers.

A security warning from US-CERT (United States Computer Emergency Readiness Team) draws attention to the fact that misconfigured, public-facing DNS servers may respond to any zone transfer request (AXFR query) with subdomain details that an attacker could leverage to plan a future attack.

Such a request to a master DNS server should be accepted only from a secondary server, since it discloses the entire zone file. If the origin of the request is not a trusted one, a third party can obtain the information.

Beyond an attacker taking control of the host and redirecting users to spoofed copies of legitimate resources, the servers are also exposed to denial-of-service (DoS) attacks that could prevent users from reaching their intended destination.

The problem of AXFR queries revealing too much is well known, yet there are still DNS servers online that perform zone replication via AXFR and accept requests from unknown IP addresses.

US-CERT also highlights that malicious individuals have an easy way to discover vulnerable machines via open-source tools and scripts.

The recommended action is to configure the servers to reply to AXFR requests originating only from trusted IP addresses.
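As an added illustration of that recommendation (not part of the US-CERT warning or this article), the script below audits BIND-style `named.conf` fragments for the transfer policy the text describes. It embeds two constructed configurations: a weak one in which one zone sets `allow-transfer { any; }` and another sets nothing at all (older BIND releases default to allowing transfers to any host when the directive is absent), and a hardened one that sets `allow-transfer { none; }` globally and lists only the secondary servers' addresses per zone. The sample addresses are documentation-range placeholders, and the parser assumes the simplified syntax shown (no comments or include directives).

```python
"""Flag BIND zones whose AXFR policy is open.

Constructed example for this article; the configs below are sample input,
not a real server's named.conf.
"""
import re

# Constructed sample: one zone explicitly open, one relying on the old default.
WEAK_CONF = """
options {
    directory "/var/named";
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-transfer { any; };
};

zone "internal.example" IN {
    type master;
    file "internal.zone";
};
"""

# Constructed sample: transfers denied globally, then allowed per zone only to
# the secondaries (placeholder addresses from the documentation ranges).
HARDENED_CONF = """
options {
    directory "/var/named";
    allow-transfer { none; };
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.53; 2001:db8::53; };
};
"""

ALLOW_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}")


def top_level_blocks(conf):
    """Return (header, body) pairs for each top-level `header { body };`.

    Brace depth is tracked so nested statements such as
    `allow-transfer { ... };` stay inside their parent block.
    Assumes no comments or quoted braces (simplified named.conf syntax).
    """
    blocks, depth, header_start, body_start = [], 0, 0, 0
    for i, ch in enumerate(conf):
        if ch == "{":
            if depth == 0:
                header = conf[header_start:i].strip(" \t\n;")
                body_start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                blocks.append((header, conf[body_start:i]))
                header_start = i + 1
    return blocks


def parse_acl(body):
    """Return the allow-transfer address list, or None if not set."""
    m = ALLOW_RE.search(body)
    if not m:
        return None
    return [tok.strip() for tok in m.group(1).split(";") if tok.strip()]


def audit_zone_transfers(conf):
    """Map each primary zone to a verdict on who may pull it via AXFR."""
    blocks = top_level_blocks(conf)
    global_acl = None
    for header, body in blocks:
        if header == "options":
            global_acl = parse_acl(body)
    findings = {}
    for header, body in blocks:
        m = re.match(r'zone\s+"([^"]+)"', header)
        if not m:
            continue
        # Only primaries serve the authoritative copy that AXFR hands out.
        if "type master" not in body and "type primary" not in body:
            continue
        zone = m.group(1)
        acl = parse_acl(body)
        if acl is None:
            acl = global_acl  # zone inherits the options-level policy
        if acl is None:
            findings[zone] = "OPEN (no allow-transfer; older BIND defaults to any)"
        elif "any" in acl:
            findings[zone] = "OPEN (allow-transfer { any; })"
        elif acl == ["none"]:
            findings[zone] = "CLOSED"
        else:
            findings[zone] = "RESTRICTED to " + ", ".join(acl)
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label)
        for zone, verdict in audit_zone_transfers(conf).items():
            print(f"  {zone}: {verdict}")
```

Running it prints both zones in the weak configuration as OPEN and the hardened zone as RESTRICTED to its two secondaries; denying transfers at the `options` level and opening them per zone means a newly added zone fails closed rather than inheriting the permissive default.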

According to research from Alexa, in late March there were more than 72,000 unique domains and over 48,000 unique nameservers suffering from the issue.
