With the approval of ballot 187, Certificate Authorities must check and respect the CAA records found in the DNS of a domain. This additional check has been active since September 17, 2017. CAA stands for Certification Authority Authorization and is a standard designed to help domain owners by preventing the issuance of rogue or unauthorized SSL/TLS certificates for their domain.
Much has been written about zone transfers and why it is important to restrict them. A DNS zone can contain sensitive information such as DKIM keys or details about the internal infrastructure. Because of this I actually thought it was not so common anymore.
A while ago I ran into a nameserver with an insecure zone transfer (AXFR) setting. Allowing zone transfers for the whole world also allows the bad guys to extract useful information from a zone that can be used to create a map of the network infrastructure. The bad guys can use this information to plan their attacks. That made me curious about the number of nameservers that still offer the zone transfer option today.
My plan was to check all the nameservers that are used by the .NL gTLD. For this I started with a list of 3.3 million .NL domain names. I also wanted to know the nameservers of domains that are related to the .NL domain names. You can have a domain like yourcompany.nl which has its own set of nameservers, but use the mail servers of your ISP under the ISP domain yourisp.eu, which has its own set of nameservers. So the domain yourisp.eu is related to yourcompany.nl through the email service that you use, and that can also be interesting for possible attackers. I also did this for the domains of the nameserver hosts.
All together I found a total of 5,469,224 domain names. For each domain I extracted the nameservers from the DNS, which I tested in combination with that domain.
The period I tested this was December 2017.
In total I found 72,656 nameservers. Of these, 10,524 nameservers allowed me to perform a zone transfer. So 12.65% of all checked nameservers are leaking zone information of their domains.
When we take a look at the .NL domains: from the total of 3,271,088 domains that I tested, it was possible to do an AXFR on 216,953 domains through (one of) their nameservers. That is 6.6% of all .NL domains.
Later on, I did the same tests on 1,038,148 .BE domain names from Belgium and 2,212,192 .FR domain names from France. They had a better score: 5.2% of the .BE domain names allowed an AXFR, and 3.0% of the .FR domain names allowed AXFR.
Some notable situations
A big domain trading company had about 47,000 domains on 2 of their nameservers. I notified the company, and they secured the zone transfers on the nameservers.
One of the Netherlands' biggest ISPs was leaking information on about 16,000 domains from one of their nameservers. They secured transfers the same day that I notified them.
There was also a well-known MSP/cloud provider leaking zones with a lot of interesting information on about 3,700 domains from their nameservers. They noticed my AXFR requests in their SOC and closed the zone transfer possibility at almost the same time I notified them.
And last but not least, there is a large (and cheap) web hosting provider in the Netherlands. In their network I found 227 nameservers leaking information about 74,512 domains!
DNS enumeration is part of the reconnaissance phase (the first phase) of an attack. If you manage your own nameservers, you can monitor them for AXFR requests from untrusted hosts. With this information you can be warned of a possible attack on your digital infrastructure.
If you want to check whether one of your nameservers has zone transfers enabled, you can go to this website and fill in your domain name: https://hackertarget.com/zone-transfer/.
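The monitoring idea above, worked out as an added example (not code from the original post): the script scans query-log lines in a format modeled on BIND's query log and flags AXFR/IXFR requests from any client outside a list of trusted secondaries. The log lines, the zone name and the trusted networks are all constructed values.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines modeled on BIND's query log; not a real capture.
SAMPLE_LOG = """\
client 192.0.2.53#40112 (example.nl): query: example.nl IN AXFR -T (192.0.2.1)
client 203.0.113.77#51234 (example.nl): query: example.nl IN AXFR -T (192.0.2.1)
client 198.51.100.9#53000 (example.nl): query: www.example.nl IN A -ED (192.0.2.1)
client 203.0.113.77#51240 (example.nl): query: example.nl IN IXFR -T (192.0.2.1)
client 2001:db8::7#61000 (example.nl): query: example.nl IN AXFR -T (192.0.2.1)
"""

# Secondaries that are allowed to pull the zone (assumed values).
TRUSTED_SECONDARIES = [ipaddress.ip_network(n) for n in ("192.0.2.53/32", "2001:db8::/32")]

# Pulls the client address, the zone in parentheses, the query name and the query type.
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<zone>[^)]+)\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)

def is_trusted(ip):
    """True when the client address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_SECONDARIES)

def find_untrusted_transfers(log_text):
    """Return (ip, zone, qtype) for every AXFR/IXFR request from an untrusted client."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("qtype") not in ("AXFR", "IXFR"):
            continue  # ordinary queries are not interesting here
        if not is_trusted(m.group("ip")):
            hits.append((m.group("ip"), m.group("zone"), m.group("qtype")))
    return hits

def summarize(hits):
    """Count transfer attempts per untrusted client address."""
    return Counter(ip for ip, _, _ in hits)

if __name__ == "__main__":
    for ip, zone, qtype in find_untrusted_transfers(SAMPLE_LOG):
        print(f"ALERT: {qtype} for {zone} from untrusted client {ip}")
```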
How to secure zone transfers
Most nameservers have multiple options to secure zone transfers. The most common options are:
- Disable zone transfers completely (use another method to synchronize)
- IP address filter / ACL
- TSIG (Transaction SIGnature) that works as a shared secret
- A combination of an IP access list and a TSIG
Choose the method that is safe and also works with your DNS infrastructure.
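To make the options above concrete, here is an added BIND named.conf fragment (not configuration from the original post) showing the weak setting next to the combination of an IP access list and a TSIG key. The key name, the secondary address and the zone are assumed values, and the secret is a placeholder.

```conf
// Weak: any host on the Internet can pull the whole zone.
options {
    allow-transfer { any; };
};

// Corrected: a TSIG key shared with the secondary plus an address filter.
// Generate the secret with tsig-keygen and keep it out of version control.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-tsig-keygen";
};

acl "secondaries" { 192.0.2.53; };

options {
    allow-transfer { none; };   // safe default for every zone unless overridden
};

zone "example.nl" {
    type master;
    file "example.nl.zone";
    // Nested negation: the request must come from a listed secondary
    // AND be signed with xfer-key; either one alone is refused.
    allow-transfer { !{ !secondaries; any; }; key xfer-key; };
};
```

The same key must be configured on the secondary and attached to its requests to the primary, otherwise its transfers are refused as well.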
I will try to contact most of the owners of the nameservers and hope they will close down zone transfers. Maybe I will run this scan again in six months and compare the results.
For our Dutch readers: Nameservers lekken gevoelige informatie (Nameservers leak sensitive information).
Links to background information:
Many services depend on DNS, and it is used more and more for serving information. Sometimes companies put inside information in their DNS that others do not need to know.
Maybe the information in the DNS looks innocent, but if you are a target for criminal hackers or state-sponsored hackers, they can get a lot of information from your nameserver. That is why we advise disabling AXFR for the whole world. If you have AXFR enabled, you can leak information about your digital infrastructure that criminals can use to get a more complete overview of your company.
I do not know if it is "by design", but the fourth nameserver of DNS provider EasyDNS.com is accepting AXFR commands. I asked them multiple times why this is open for everyone, but they do not respond to my e-mail.
With a simple dig command, we can get the whole DNS zone of EasyDNS, or of one of its customers.
sebastian@nw4allws01:~$ dig @18.104.22.168 easydns.com -t AXFR

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @22.214.171.124 easydns.com -t AXFR
; (1 server found)
;; global options: +cmd
easydns.com.  300  IN  SOA  dns1.easydns.com. zone.easydns.com. 1509041294 3600 600 1209600 300
easydns.com.  300  IN  NS   dns1.easydns.com.
easydns.com.  300  IN  NS   dns2.easydns.net.
easydns.com.  300  IN  NS   dns3.easydns.org.
easydns.com.  300  IN  NS   dns4.easydns.info.
easydns.com.  300  IN  MX   0 mx.easymail.ca.
easydns.com.  300  IN  A    126.96.36.199
easydns.com.  300  IN  TXT  "google-site-verification=9lCtJVFGHp_WlDRhU9LpYB84rGYjlh-SMjxGUgpP6Eg"
... snip ...

dig @188.8.131.52 toronto.ca -t AXFR
dig @184.108.40.206 certum.pl -t AXFR
Background information: https://www.us-cert.gov/ncas/alerts/TA15-103A
Update: They fixed it 10 minutes after sharing.