While conducting penetration tests, we very often find the same common DNS vulnerability. To understand it, we first need to know what a DNS server does. DNS servers are responsible for name resolution, converting host names to IP addresses. A company's DNS server therefore holds records for a variety of objects such as hosts, servers and services. To synchronize and update, DNS servers transfer their records (a zone transfer) to other requesting DNS servers, and they should only transfer zone information to authorized servers. This is where the problem resides: sometimes these servers are configured to allow "anonymous" transfers, meaning that anyone can request a zone transfer without any authentication or authorization. By not restricting anonymous zone transfers, companies hand an attacker a complete map of their hosts and jeopardize the overall security of their infrastructure.
The following procedure shows you how to check if your server is vulnerable and allowing “anonymous” zone transfers.
Open the command line and type:
nslookup
set type=ns <- Ask for a domain's name server records.
acme.com <- Specify your domain.
set type=any <- Request every record type.
server ns1.acme.com <- Point nslookup at the name server you want to test.
ls acme.com <- Request a record listing, i.e. a zone transfer, for the domain.
If the output looks something like the listing below (every record in the zone is returned), then your DNS server is configured to allow anonymous zone transfers.
[ns1.acme.com]
acme.com. A hhh.hhh.hhh.hhh
acme1.com. NS server = ns1.acme.com
acme2.com. NS server = ns2.acme.com
mail1 A uuu.uuu.uuu.uuu
mail2 A ddd.ddd.ddd.ddd
www A uuu.uuu.uuu.uuu
web2 A iii.iii.iii.iii
Remediation: How to correct this problem on Windows 2003 Server.
7. Select the option Only to servers listed on the Name Servers tab
Before:
After:
8. Select OK.
To secure your BIND server, open the /etc/named.conf (or /etc/named.boot) file in a text editor and find the line "allow-transfer { any; };", which indicates that any IP address is allowed to request zone information. In this example, I want to allow zone transfers to take place only between my Red Hat 8 server, my Windows NT server with IP address 192.168.1.4, and another server with IP address 172.16.1.5. Therefore, I change the allow-transfer line to read as follows:
allow-transfer { 192.168.1.4; 172.16.1.5; };
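To check a BIND configuration for the weak setting without touching the network, here is an added audit script (not from the original post). It parses a constructed named.conf fragment, reports which zones effectively allow transfers to anyone, and rewrites "allow-transfer { any; };" to a restricted list; the regex parser and the assumption that a missing allow-transfer behaves like "any" on older BIND 9 releases are mine, so verify the default for your version.

```python
import re

# Constructed named.conf fragment (not from the original post): the weak
# setting lives in "options", and one zone already restricts transfers.
WEAK_CONF = """\
options {
    directory "/var/named";
    allow-transfer { any; };
};
zone "acme.com" {
    type master;
    file "acme.com.zone";
};
zone "corp.acme.com" {
    type master;
    file "corp.zone";
    allow-transfer { 192.168.1.4; 172.16.1.5; };
};
"""

# Matches an "options { ... };" or "zone "name" { ... };" block whose closing
# "};" starts a line (the usual named.conf layout).
BLOCK_RE = re.compile(r'^(options|zone\s+"([^"]+)")\s*\{(.*?)^\};', re.S | re.M)
TRANSFER_RE = re.compile(r'allow-transfer\s*\{\s*([^}]*?)\s*\}\s*;')

def parse_transfer_acls(conf):
    """Map 'options' and each zone name to its allow-transfer entries
    (list of strings), or None when the block has no allow-transfer."""
    acls = {}
    for m in BLOCK_RE.finditer(conf):
        scope = m.group(2) or "options"
        t = TRANSFER_RE.search(m.group(3))
        acls[scope] = [e.strip() for e in t.group(1).split(";") if e.strip()] if t else None
    return acls

def open_transfer_zones(conf):
    """Zones whose effective allow-transfer permits any client: a zone-level
    statement overrides options; otherwise the options value applies."""
    acls = parse_transfer_acls(conf)
    # Assumption: with no allow-transfer anywhere, older BIND 9 defaults to any.
    default = acls.get("options") or ["any"]
    return sorted(z for z, acl in acls.items() if z != "options"
                  and "any" in (acl if acl is not None else default))

def harden(conf, allowed_ips):
    """Rewrite every 'allow-transfer { any; };' to the given secondary list."""
    acl = "allow-transfer { " + "".join(ip + "; " for ip in allowed_ips) + "};"
    return re.sub(r'allow-transfer\s*\{\s*any\s*;\s*\}\s*;', acl, conf)

if __name__ == "__main__":
    print("open zones:", open_transfer_zones(WEAK_CONF))
    print(harden(WEAK_CONF, ["192.168.1.4", "172.16.1.5"]))
```

Run it against your own file with open_transfer_zones(open("/etc/named.conf").read()); an empty list means no zone inherits or declares an "any" transfer ACL.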