AXFR can leak sensitive information

Many services depend on DNS, and it is increasingly used to serve information. Sometimes companies put internal information in their DNS that others do not need to know.

Maybe the information in the DNS looks innocent, but if you are a target for criminal or state-sponsored hackers, they can get a great deal of information from your nameserver. That is why we advise disabling AXFR for the whole world. If you have AXFR enabled, you can leak information about your digital infrastructure that criminals can use to get a more complete overview of your company.

I do not know if it’s “by design”, but the fourth nameserver of DNS provider is accepting AXFR commands. I asked them multiple times why this is open for everyone, but they do not respond to my e-mail.

With a simple dig command, we can get the whole DNS zone of EasyDNS, or one of its customers.


sebastian@nw4allws01:~$ dig @ -t AXFR;
<<>> DiG 9.10.3-P4-Ubuntu <<>> @ -t AXFR;
(1 server found)
;; global options: 300 IN SOA 1509041294 3600 600 1209600 300 300 IN NS 300 IN NS 300 IN NS 300 IN NS 300 IN MX 0 300 IN A 300 IN TXT "google-site-verification=9lCtJVFGHp_WlDRhU9LpYB84rGYjlh-SMjxGUgpP6Eg"
... snip...

Look at the domains; it is not very pretty. Certum is also a CA (certificate authority), so they really do need to keep their infrastructure safe!

dig @ -t AXFR
dig @ -t AXFR
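To show what a defender learns from such a transfer, here is an added example (not code from the original post) that takes the text dig prints for an AXFR and triages the exposure: whether the transfer completed at all, how many hostnames the zone reveals, which A records point at RFC 1918 addresses, and what TXT records are published. The zone it parses is constructed for the example; example.test, the hostnames and the addresses are placeholders, and the "Transfer failed" marker is the message dig prints when a server refuses the transfer.

```python
"""Triage what an open AXFR exposes, from dig's zone-transfer output.

Added example, not the post's own code. It parses the lines that
`dig @<nameserver> <zone> -t AXFR` prints (one record per line) and
summarises the exposure. The zone below is constructed for the example.
"""
import ipaddress
from collections import Counter

# Constructed sample of dig AXFR output (placeholder zone, not real data).
SAMPLE_AXFR = """\
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @ns1.example.test example.test -t AXFR
example.test.           300 IN SOA  ns1.example.test. hostmaster.example.test. 1509041294 3600 600 1209600 300
example.test.           300 IN NS   ns1.example.test.
example.test.           300 IN NS   ns2.example.test.
example.test.           300 IN MX   0 mail.example.test.
example.test.           300 IN A    203.0.113.10
example.test.           300 IN TXT  "google-site-verification=PLACEHOLDER"
intranet.example.test.  300 IN A    10.20.30.40
vpn.example.test.       300 IN A    192.168.1.5
backup-db.example.test. 300 IN A    172.16.8.9
mail.example.test.      300 IN A    203.0.113.25
example.test.           300 IN SOA  ns1.example.test. hostmaster.example.test. 1509041294 3600 600 1209600 300
"""

# dig prints "; Transfer failed." when the server refuses AXFR.
REFUSED_MARKERS = ("Transfer failed", "connection refused", "communications error")

# RFC 1918 ranges checked explicitly (ipaddress.is_private also covers
# documentation ranges such as 203.0.113.0/24, which we do not want here).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr is an IPv4 address inside an RFC 1918 private range."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def parse_axfr(text):
    """Return (owner, ttl, rtype, rdata) tuples from dig AXFR output.

    Lines starting with ';' are dig's own commentary and are skipped.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, ttl, _, rtype, rdata = parts
        records.append((owner.rstrip(".").lower(), int(ttl), rtype, rdata))
    return records


def transfer_allowed(text):
    """True if the output looks like a completed transfer (SOA first and last)."""
    if any(m in text for m in REFUSED_MARKERS):
        return False
    recs = parse_axfr(text)
    return len(recs) >= 2 and recs[0][2] == "SOA" and recs[-1][2] == "SOA"


def summarize(records):
    """Summarise what the leaked zone tells an outsider."""
    hosts = sorted({r[0] for r in records})
    private = sorted(
        (r[0], r[3]) for r in records if r[2] == "A" and is_rfc1918(r[3])
    )
    return {
        "records": len(records),
        "hostnames": hosts,
        "types": dict(Counter(r[2] for r in records)),
        "private_addresses": private,
        "txt": [r[3] for r in records if r[2] == "TXT"],
    }


if __name__ == "__main__":
    if transfer_allowed(SAMPLE_AXFR):
        report = summarize(parse_axfr(SAMPLE_AXFR))
        print(f"AXFR allowed: {report['records']} records, "
              f"{len(report['hostnames'])} hostnames exposed")
        for host, addr in report["private_addresses"]:
            print(f"  internal address leaked: {host} -> {addr}")
    else:
        print("AXFR refused: zone transfer is restricted")
```

The interesting finding for a defender is the `private_addresses` list: internal hostnames and RFC 1918 addresses in a public zone give an outsider a map of the network for free. The fix is to restrict transfers on the authoritative server, for example `allow-transfer { none; };` in BIND, or a list of the secondaries' addresses combined with TSIG keys, and to re-run the dig check against every nameserver listed in the zone's NS records, not just the first.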

[Screenshot from 2017-11-10 13-01-52]

Background information:

Update: They fixed it 10 minutes after sharing.