-----Original Message-----
From: Marjorie <marjo...@id3.net>
Date: Tuesday, April 14, 2015 at 2:47 PM
To: Samson Oduor <samson.od...@accesskenya.com>, Jelte Jansen
<jelte.jan...@sidn.nl>
Cc: Paul Wouters <p...@nohats.ca>, "dns-operati...@dns-oarc.net"
<dns-operati...@dns-oarc.net>
Subject: Re: [dns-operations] Stunning security discovery: AXFR may leak information

>This is an interesting discussion actually.
>It's all about a rather benign but widespread misconfiguration.
>
>Not long ago, I ran a survey against a small ccTLD and tested each
>domain name for AXFR.
>The ccTLD zone file itself having been obtained - you guessed it - by
>way of zone transfer...
>
>Surprisingly, AXFR requests were honored by one server out of seven or
>something.
>So the prevalence of AXFR-enabled DNS servers is still quite high. I
>would guess this is the result of using default configuration settings
>from older Bind versions, but I didn't fingerprint the DNS software
>versions.
>
>Still many seem to consider that zone transfer is a moot point anyway,
>because the zone file can be reconstructed by scanning known IP ranges,
>then resolving hostnames.
>I disagree with this.  There is no valid reason for exposing your
>network topology to the outside world. You are only making the job
>easier for potential attackers.

Yes agreed.  The finding is nothing new, and it's not a weakness in AXFR
itself as others have rightly pointed out...so the timing and way in which
it was reported were less than ideal...but your point is spot on.  Many
speak against "security by obscurity" but I think that is often taken too
far -- in some ways blocking AXFR is no different than DMZs and
firewalls...hey, why not have everything on public IP with all ports
exposed?  Security is an onion, and as many layers as you can put between
you and the adversary are generally good assuming the "obscurity" is not
adding unnecessary complexity or other hidden cost (proper config of a DNS
server is quite easy and can be automated).
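The "default configuration settings from older Bind versions" mentioned above, next to the "proper config" this reply says is easy, as an added illustration that is not part of the thread: in the BIND 9 releases current at the time, a zone with no allow-transfer statement inherited the built-in default of any, so the first block hands the whole zone to any client, while the second restricts AXFR to a TSIG-authenticated secondary. The zone name, key name, secondary address and file path are placeholders, and the two zone blocks are alternatives, not meant to coexist in one named.conf.

```conf
// --- Weak: no allow-transfer anywhere, so BIND 9 (9.9/9.10 era) falls back
// to its built-in default of "allow-transfer { any; };" and any host on the
// Internet can pull the entire zone with a single AXFR query.
zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
};

// --- Hardened: deny transfers globally, then re-enable them per zone only
// for the secondary, authenticated with TSIG rather than by source address.
key "xfer-key" {
    algorithm hmac-sha256;
    // Placeholder; generate a real one with tsig-keygen (ddns-confgen on
    // older releases) and share it only with the secondary.
    secret "<base64-secret-placeholder>";
};

options {
    // Global default: nobody may AXFR/IXFR unless a zone says otherwise.
    allow-transfer { none; };
    // Ordinary lookups stay open; only bulk transfer is restricted.
    allow-query { any; };
};

// 192.0.2.53 is a placeholder secondary address (TEST-NET-1).
zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    allow-transfer { key xfer-key; };   // TSIG-signed requests only
    also-notify { 192.0.2.53; };
};
```

After `rndc reload`, `dig @ns1.example.com example.com AXFR` from an unauthorised host should report `Transfer failed.`, while the same query signed with `-y hmac-sha256:xfer-key:<secret>` from the secondary should succeed.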

