Misconfigured DNS servers could be leaking information about domains’ internal network structure, providing information useful for other directed attacks, according to US-CERT.
A remote unauthenticated user may request a DNS zone transfer from a public-facing DNS server. If improperly configured, the DNS server may respond with information about the requested zone, revealing internal network structure and potentially sensitive information.
US-CERT noted that AXFR is a protocol for “zone transfers” for replication of DNS data across multiple DNS servers. Unlike normal DNS queries that require the user to know some DNS information ahead of time, AXFR queries reveal subdomain names. Because a zone transfer is a single query, it could be used by an adversary to efficiently obtain DNS data.
“A well-known problem with DNS is that zone transfer requests can disclose domain information,” the organization warned. “However, the issue has regained attention due to recent Internet scans still showing a large number of misconfigured DNS servers. Open-source, tested scripts are now available to scan for the possible exposure, increasing the likelihood of exploitation.”
The problem is remarkably widespread: on average, one in every 20 of the top Alexa sites runs a misconfigured webserver.
“We wanted to see how many misconfigured name servers can be found in Alexa’s top 1 million websites,” said Internetwache.org in a posting on the subject. “The results were a bit astonishing.”
In all, 132,854 AXFRs were made; 72,401 unique domains are affected, as are 48,448 unique name servers. Some domains had multiple misconfigured name servers, which is why there were more transfers than affected domains; conversely, some name servers served more than one zone file, which is why there were fewer name servers than domains.
Users should configure their DNS servers to respond only to AXFR requests from known IP addresses.
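As an added illustration (not from US-CERT or Internetwache), a BIND named.conf excerpt showing the exposed setting beside the restricted one; the zone name, addresses, key name and secret are assumed placeholders.

```conf
// --- Exposed: any host on the Internet can pull the whole zone ---
zone "example.com" {
    type primary;                 // "master" on older BIND releases
    file "/var/named/example.com.zone";
    allow-transfer { any; };      // this is the misconfiguration
};

// --- Restricted: deny by default, permit only known secondaries ---
acl "secondaries" {
    192.0.2.2;                    // placeholder secondary (IPv4)
    2001:db8::2;                  // placeholder secondary (IPv6)
};

key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64-secret-from-tsig-keygen>";   // placeholder, generate with tsig-keygen
};

options {
    allow-transfer { none; };     // global default: refuse AXFR/IXFR everywhere
};

zone "example.com" {
    type primary;
    file "/var/named/example.com.zone";
    // Only the listed secondaries, and only when the request is TSIG-signed.
    allow-transfer { !{ !secondaries; any; }; key "xfer-key"; };
    also-notify { 192.0.2.2; 2001:db8::2; };
};
```

After reloading, verifying from an unlisted host with `dig @ns1.example.com example.com AXFR` should return "Transfer failed." rather than the zone contents.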