[nsd-users] Unsecured zone transfers and open resolvers
valentin at databus.ro
Wed Jul 18 20:16:16 UTC 2012
My question is not related to NSD in particular, but I have seen here on
the list a lot of people that work for TLDs and other Registrars and
Registry operators I thought it would be a good place to ask this
question. It is about DNS though, not completely off topic :).
I have encountered in my DNS studies a few name servers that let you
transfer zones they are authoritative for. The name servers I am talking
about are not under my control. I have noticed that in the majority of
cases ns2.*, or whatever name the second NS has, lets you perform the
zone transfer. This led me to the conclusion that the sys admins don't
pay enough attention or don't really know or understand DNS technology.
It is not my intention to offend any sys admin. I am just saying. Or
maybe the people that set up those servers are not sys admins. Who knows.
Do you consider the above as being a security vulnerability?
My thoughts on this. This isn't necessarily bad if the only information
provided is related to systems that are connected to the Internet and
have valid hostnames, although it makes it that much easier for
attackers to find potential targets. Almost all the time people use
suggestive names like splunk, nagios, cpanel, switch-c2950, etc. That
would give an attacker a good start. But on the other hand it can find
those by himself by querying the name server for those names.
In some cases, as I have seen, there are entries that have private
addresses. I consider this as being quite bad because it reveals the
private address space of the company's/institution's IT infrastructure.
What about open resolvers? I am not talking here about OpenDNS or
Google, who monitor their infrastructure and maybe they even rate limit
the queries per source IP address if too many come from one particular
source. I am talking about servers that are not being monitored. I say
this because if you monitor your servers and if you understand the DNS
technology you can see that someone has AXFR-ed your zone or queried
whatever.domain.com recursively using your name server and put an end to
What are your thoughts on this matters?
Cheers and Goodwill,
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the nsd-users