Dns Zone Transfers

GovernmentSecurity.org > System Security > Networking Security / Firewall / IDS / VPN / Routers

myth

Jun 26 2005, 08:39 AM

Just a quick little note on DNS Zone Transfers, well, not officailly a zone transfer, but receiving all the known records.

Because of the way DNS servers are treated, they often get over looked with 'securing'. However, as my a local DNS server has just found out, I was able to dump their whole DNS change, 75,260 IP records, to my computer.... PTR A MX all records the DNS server holds.

I assume that they allowed just a subnet and I was included. (It was safe to do so - legally that is). That was not the major security issue though, because of the situation of the DNS server, i also got the ip's of their private subnets, including the security centre, office's, projectors, helpdesk machines and more.

It was a simple nix command host with the -l option

CODE

host -l <domain> >> <filename>

And it dumps the output to the file, or stdout, or however you choose to process the information.

I wrote this to remind people that DNS servers also contain important information, and shouldnt be overlooked, as my buddy has found out...

packet

Jun 27 2005, 06:56 AM

A very good example of why you A: need to lock down the ability to do a DNS zone transfer and B: practice split-DNS seperate internal and external DNS systems. They can even reside on the same DNS server and just be accessable via differnet interfaces or IPs but thats not normally a very smart idea either (unless it is a Sidewinder).

Good info, this is one way I do security audits on companies, internal DNS records can hold some very juicy information.

--P>G>>

Warlord_David

Jun 28 2005, 12:14 AM

i'm guessing your talking about the host.exe program that comes with dig. Well I tested out the command line you gave, and i got the error below:

CODE

errno2result.c:61: unable to convert errno to isc_result: 10057: Socket is not connected.

Anyone have a solution?

myth

Jun 28 2005, 01:09 AM

a follow up is @ http://www.governmentsecurity.org/forum/in...showtopic=15264

Using dig instead, but all you need to do is send an AXFR Record Query Request for that domain name.

http://www.infosyssec.com/infosyssec/ipsectools.htm (scroll down to Dig It)<- you can do the same thing online, but the dns server will get a query from a completely unknown IP, to your own ISP they may have only allowed the IP's they control, however, because your one of them - you may get an insider advantage.

But yeah, continue any further discussion in the other thread, cheers

(oh, btw, the answer your question, sounds like an OS problem or the client may need to be told which network interface to use, all of my previous and next examples are using linux)

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.


Help - Search - Member List - Calendar Full Version: Dns Zone Transfers GovernmentSecurity.org > System Security > Networking Security / Firewall / IDS / VPN / Routers myth Jun 26 2005, 08:39 AM Just a quick little note on DNS Zone Transfers, well, not officailly a zone transfer, but receiving all the known records. Because of the way DNS servers are treated, they often get over looked with 'securing'. However, as my a local DNS server has just found out, I was able to dump their whole DNS change, 75,260 IP records, to my computer.... PTR A MX all records the DNS server holds. I assume that they allowed just a subnet and I was included. (It was safe to do so - legally that is). That was not the major security issue though, because of the situation of the DNS server, i also got the ip's of their private subnets, including the security centre, office's, projectors, helpdesk machines and more. It was a simple nix command host with the -l option CODE host -l <domain> >> <filename> And it dumps the output to the file, or stdout, or however you choose to process the information. I wrote this to remind people that DNS servers also contain important information, and shouldnt be overlooked, as my buddy has found out... packet Jun 27 2005, 06:56 AM A very good example of why you A: need to lock down the ability to do a DNS zone transfer and B: practice split-DNS seperate internal and external DNS systems. They can even reside on the same DNS server and just be accessable via differnet interfaces or IPs but thats not normally a very smart idea either (unless it is a Sidewinder). Good info, this is one way I do security audits on companies, internal DNS records can hold some very juicy information. --P>G>> Warlord_David Jun 28 2005, 12:14 AM i'm guessing your talking about the host.exe program that comes with dig. Well I tested out the command line you gave, and i got the error below: CODE errno2result.c:61: unable to convert errno to isc_result: 10057: Socket is not connected. Anyone have a solution? myth Jun 28 2005, 01:09 AM a follow up is @ http://www.governmentsecurity.org/forum/in...showtopic=15264 Using dig instead, but all you need to do is send an AXFR Record Query Request for that domain name. http://www.infosyssec.com/infosyssec/ipsectools.htm (scroll down to Dig It)<- you can do the same thing online, but the dns server will get a query from a completely unknown IP, to your own ISP they may have only allowed the IP's they control, however, because your one of them - you may get an insider advantage. But yeah, continue any further discussion in the other thread, cheers (oh, btw, the answer your question, sounds like an OS problem or the client may need to be told which network interface to use, all of my previous and next examples are using linux) This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.