[nsd-users] Unsecured zone transfers and open resolvers

Valentin Bud valentin at databus.ro
Wed Jul 18 20:16:16 UTC 2012


My question is not related to NSD in particular, but since I have seen here on 
the list a lot of people who work for TLDs and other registrars and 
registry operators, I thought it would be a good place to ask this 
question. It is about DNS though, so not completely off topic :).

I have encountered in my DNS studies a few name servers that let you 
transfer zones they are authoritative for. The name servers I am talking 
about are not under my control. I have noticed that in the majority of 
cases ns2.*, or whatever name the second NS has, lets you perform the 
zone transfer. This led me to the conclusion that the sys admins don't 
pay enough attention or don't really know or understand DNS technology. 
It is not my intention to offend any sys admin. I am just saying. Or 
maybe the people that set up those servers are not sys admins. Who knows.

Do you consider the above as being a security vulnerability?

My thoughts on this. This isn't necessarily bad if the only information 
provided is related to systems that are connected to the Internet and 
have valid hostnames, although it makes it that much easier for 
attackers to find potential targets. Almost all the time people use 
suggestive names like splunk, nagios, cpanel, switch-c2950, etc. That 
would give an attacker a good start. But on the other hand he can find 
those himself by querying the name server for those names.

In some cases, as I have seen, there are entries that have private 
addresses. I consider this as being quite bad because it reveals the 
private address space of the company's/institution's IT infrastructure.

What about open resolvers? I am not talking here about OpenDNS or 
Google, who monitor their infrastructure and maybe even rate limit 
the queries per source IP address if too many come from one particular 
source. I am talking about servers that are not being monitored. I say 
this because if you monitor your servers and if you understand the DNS 
technology you can see that someone has AXFR-ed your zone or queried 
whatever.domain.com recursively using your name server and put an end to 

What are your thoughts on these matters?

Cheers and Goodwill,
Valentin Bud
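The monitoring point raised above (spotting a zone transfer or a recursive lookup that should not have been served) can be put into a small log check. The following is an added example, not code from the original post or from the NSD project: it parses BIND-style query log lines (the sample lines, the zone name example.net, the allowed secondary 192.0.2.2 and the "local" networks are all constructed assumptions) and flags AXFR/IXFR requests from hosts that are not configured secondaries, plus recursion-desired queries for names outside the served zones from sources outside the local networks. Whether the server actually answered such a query recursively cannot be read from a query log alone; the check only shows who is trying.

```python
"""Flag unauthorized zone transfers and likely open-resolver abuse in a
DNS query log.  Added example; the log format, addresses and zone names
below are constructed assumptions, not data from any real server."""
import ipaddress
import re
from collections import Counter

# Assumed configuration: the one legitimate secondary and the networks
# whose clients may legitimately ask this server for off-zone names.
ALLOWED_XFR = [ipaddress.ip_network("192.0.2.2/32")]
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]
SERVED_ZONES = ("example.net",)

# Constructed sample in a BIND-style query log layout:
#   client <ip>#<port>: query: <name> IN <type> <flags> (<server ip>)
# In the flags field "+" means the RD (recursion desired) bit was set,
# "-" means it was clear.
SAMPLE_LOG = """\
client 192.0.2.2#53021: query: example.net IN AXFR - (192.0.2.1)
client 203.0.113.77#41000: query: example.net IN AXFR - (192.0.2.1)
client 198.51.100.9#5353: query: www.google.com IN A + (192.0.2.1)
client 10.1.2.3#33000: query: nagios.example.net IN A + (192.0.2.1)
client 203.0.113.77#41001: query: example.net IN IXFR - (192.0.2.1)
"""

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: "
    r"(?P<name>\S+) IN (?P<type>\S+) (?P<flags>\S+)"
)


def in_any(ip, nets):
    """True if ip falls inside any of the given networks."""
    return any(ip in net for net in nets)


def in_served_zone(name, zones=SERVED_ZONES):
    """True if name is the apex of, or below, one of our zones."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)


def analyse(log_text, zones=SERVED_ZONES):
    """Return a list of (kind, source_ip, qname, qtype) findings.

    kind is 'unauthorized-xfr' for AXFR/IXFR from a non-secondary, or
    'open-recursion' for an RD query about a foreign name from an
    address outside LOCAL_NETS.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line; ignore
        ip = ipaddress.ip_address(m["ip"])
        name = m["name"].rstrip(".").lower()
        qtype = m["type"].upper()
        rd_set = "+" in m["flags"]

        if qtype in ("AXFR", "IXFR") and not in_any(ip, ALLOWED_XFR):
            findings.append(("unauthorized-xfr", str(ip), name, qtype))
        elif rd_set and not in_served_zone(name, zones) \
                and not in_any(ip, LOCAL_NETS):
            findings.append(("open-recursion", str(ip), name, qtype))
    return findings


def sources_by_count(findings):
    """Count findings per source address, most active first."""
    return Counter(f[1] for f in findings).most_common()


if __name__ == "__main__":
    for kind, src, qname, qtype in analyse(SAMPLE_LOG):
        print(f"{kind:17} {src:15} {qname} {qtype}")
    print(sources_by_count(analyse(SAMPLE_LOG)))
```

Run against a real log, the two lists of findings are the places to act: an unexpected AXFR source means the transfer ACL (in NSD terms, the provide-xfr list) is too loose, while repeated off-zone RD queries from outside mean recursion should be disabled or restricted on that server.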
