AXFR can leak sensitive information

Many services are depending on DNS and it is getting more and more used for serving information. Sometime’s companies are putting some inside information in their DNS that others do not need to know.

Maybe the information that is in the DNS looks innocent,  but if you are a target for criminal hackers, or state sponsored hackers, the can get very much information from your nameserver. That is why we advice to disable AXFR for the whole world. If you have AXFR enabled, you can leak information of you digital infrastructure that can be used by criminals to get a more complete overview of your company.

I do not know if it’s “by design”, but the fourth nameserver of DNS provider EasyDNS.com is accepting AXFR commands. I asked them multiple times if why this is open for everyone, but the do not respond to my e-mail.

With a simple dig command, we can get the whole DNS zone of EasyDNS, or one of it’s customers.

Example:

sebastian@nw4allws01:~$ dig @64.68.197.10 easydns.com -t AXFR;
<<>> DiG 9.10.3-P4-Ubuntu <<>> @64.68.197.10 easydns.com -t AXFR;
(1 server found)
;; global options: +cmdeasydns.com. 300 IN SOA dns1.easydns.com. zone.easydns.com. 1509041294 3600 600 1209600 300
easydns.com. 300 IN NS dns1.easydns.com.
easydns.com. 300 IN NS dns2.easydns.net.
easydns.com. 300 IN NS dns3.easydns.org.
easydns.com. 300 IN NS dns4.easydns.info.
easydns.com. 300 IN MX 0 mx.easymail.ca.
easydns.com. 300 IN A 64.68.200.42
easydns.com. 300 IN TXT "google-site-verification=9lCtJVFGHp_WlDRhU9LpYB84rGYjlh-SMjxGUgpP6Eg"
... snip...

Look at the domains toronto.ca and certum.pl. It is not very pretty. Certum is also a CA (certificate authority), so they do need to keep their infrastructure safe!

dig @64.68.197.10 toronto.ca -t AXFR
dig @64.68.197.10 certum.pl -t AXFR

Screenshot from 2017-11-10 13-01-52

Background information: https://www.us-cert.gov/ncas/alerts/TA15-103A

Update: They fixed it 10 minutes after sharing.

easydns-fixed