Summary:
The Domain Name System described in RFC 1034/1035 includes a full zone transfer (AXFR) specification. While this mechanism is useful for replicating zone information between servers, it can also be used to gather information for mass mailing, distributed DoS attacks, and other malicious purposes.
Credit:
The information has been provided by Max.
Problem:
Many top-level domain (TLD) DNS servers do not implement any restrictions on AXFR queries.
Impact:
AXFR data can be used to find mail relays, proxy servers, and hosts with specific operating systems or applications installed. AXFR data for some TLDs contains hundreds of thousands of records, and host names are often quite meaningful. A malicious person can select thousands of specific servers without spending a lot of time scanning networks. Also, multiple AXFR queries can be used to perform a DoS attack on the DNS server itself.
Solution:
An access list should be used to prevent unauthorized zone transfers. For BIND versions 8 and 9 this can be accomplished by setting the allow-transfer option appropriately.
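The following named.conf fragments are an added example, not part of the original advisory: the first shows a zone with no transfer restriction, the second the same zone with allow-transfer limited to an access list. The zone name, file names and addresses (taken from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges) are placeholders.

```conf
// Added example (not from the advisory). Placeholder zone and addresses.

// Weak: no allow-transfer statement. BIND 8 and the BIND 9 releases
// current when this advisory was written then answer AXFR from any host,
// which is exactly the condition described above.
zone "example.org" {
    type master;
    file "db.example.org";
};

// Hardened: refuse transfers for every zone by default, then allow only
// the named access list for each zone that really needs replication.
acl "secondaries" {
    198.51.100.2;        // authorised secondary name server (placeholder)
    192.0.2.0/24;        // management network (placeholder)
};

options {
    directory "/var/named";
    allow-transfer { none; };          // global default: no AXFR at all
};

zone "example.org" {
    type master;
    file "db.example.org";
    allow-transfer { "secondaries"; };  // only the listed hosts may AXFR
    also-notify { 198.51.100.2; };      // push NOTIFY to the secondary
};
```

After reloading, check the syntax with named-checkconf and confirm from a host outside the access list that an AXFR request for the zone is refused, while the listed secondary still transfers successfully.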
Appendix:
Fortunately, none of the .com/.org/.edu/.net/.mil/.gov servers allow AXFR. The following is a list of the most recognizable TLDs that allow AXFR on at least one of their servers (as of October 18, 2002). The list is sorted alphabetically.
AR
AU
BG
CU
CZ
EE
EG
ES
FI
HU
IL
IN
IT
MY
NO
PK
SE
SG
RU
TR
UA
ZA
Recently registered TLDs:
.INT
.MUSEUM
.PRO