Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Mark Andrews
In message <152316b1-9e18-463d-b148-71cea2038...@icann.org>, "John L. Crain" writes: > > It's important to remember that not all zones are created equal. > > For example the root is publicly available and the data in there by its > nature is open accessible. > The question of allowing or not

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Patrik Fältström
> On 15 apr 2015, at 00:35, John L. Crain wrote: > > At the TLD level the question of how much of the data (and non existence of > data) becomes more complex and a decision has to be made about access to the > zone file. As long as there is a decision made based on understanding the > pros an

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread John L. Crain
It's important to remember that not all zones are created equal. For example the root is publicly available and the data in there by its nature is open accessible. The question of allowing or not allowing AXFR in such a case is more about resource usage. For L root we actually provide separate s

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Mike Hoskins (michoski)
-Original Message- From: Mark Andrews Date: Tuesday, April 14, 2015 at 3:57 PM To: Edward Lewis Cc: "dns-operati...@dns-oarc.net" Subject: Re: [dns-operations] Stunning security discovery: AXFR may leakinformation >Basically all blocking axfr does is give you a false sense of >secur

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Warren Kumari
On Tue, Apr 14, 2015 at 4:31 PM, Michael Sinatra wrote: > On 4/14/15 12:00 PM, Mike Hoskins (michoski) wrote: > >>> I disagree with this. There is no valid reason for exposing your >>> network topology to the outside world. You are only making the job >>> easier for potential attackers. >> >> Yes

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Marjorie
On 14-04-2015 22:31, Michael Sinatra wrote: > > The problem I have with the way that this is posed by the US-CERT > advisory is that it neglects to point out that DNS is designed to be a > public database. The thing is, AXFR goes beyond the 'public' requirement. In DNS you submit a specific requ

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Warren Kumari
On Tue, Apr 14, 2015 at 3:15 PM, Edward Lewis wrote: > On 4/14/15, 14:47, "Marjorie" wrote: > >>The bottom line is that unrestricted AXFR is generally evil, > > I'd go with "generally unwise". There are folks that believe it is fine > to allow access to their zones and I have no reason to say th

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Warren Kumari
On Tue, Apr 14, 2015 at 2:47 PM, Marjorie wrote: > This is an interesting discussion actually. > It's all about a rather benign but widespread misconfiguration. It's only a misconfiguration if the operator didn't choose to do that intentionally... > > Not long ago, I ran a survey against a small

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Michael Sinatra
On 4/14/15 12:00 PM, Mike Hoskins (michoski) wrote: >> I disagree with this. There is no valid reason for exposing your >> network topology to the outside world. You are only making the job >> easier for potential attackers. > > Yes agreed. The finding is nothing new, and it's not a weakness in

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Mark Andrews
In message , Edward Lewis writes: > On 4/14/15, 14:47, "Marjorie" wrote: > > >The bottom line is that unrestricted AXFR is generally evil, > > I'd go with "generally unwise". There are folks that believe it is fine > to allow access to their zones and I have no reason to say they are > foolish

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread wbrown
From: Paul Vixie > to me this harkens back to one of my earliest hacks to BIND4, which was > to add an access list for TCP. of course in 1988 or whenever this was, i > didn't realize that AXFR wasn't the only use of TCP, so i quickly had to > patch BIND4 differently (ACL on zone transfers). fun t

[dns-operations] nakedness vs. AXFR

2015-04-14 Thread Paul Vixie
one of the guys here (farsight security) heard me say that when florian weimer invented passive dns it was so that he could reconstruct zones (specifically the .DE zone) one record at a time by recording cache miss transactions. since passive DNS was our main business at that moment, a "zonedumper"

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Paul Vixie
to me this harkens back to one of my earliest hacks to BIND4, which was to add an access list for TCP. of course in 1988 or whenever this was, i didn't realize that AXFR wasn't the only use of TCP, so i quickly had to patch BIND4 differently (ACL on zone transfers). fun times. the other thing i di

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Edward Lewis
On 4/14/15, 14:47, "Marjorie" wrote: >The bottom line is that unrestricted AXFR is generally evil, I'd go with "generally unwise". There are folks that believe it is fine to allow access to their zones and I have no reason to say they are foolish. Folks who are not concerned with the minutia o

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Andrew Sullivan
On Tue, Apr 14, 2015 at 08:47:04PM +0200, Marjorie wrote: > So the prevalence of AXFR-enabled DNS servers is still quite high. I > would guess this is the result of using default configuration settings > from older Bind versions What do you mean "older"? The 9.10 BIND ARM says this: > allow-tran

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Mike Hoskins (michoski)
-Original Message- From: Marjorie Date: Tuesday, April 14, 2015 at 2:47 PM To: Samson Oduor , Jelte Jansen Cc: Paul Wouters , "dns-operati...@dns-oarc.net" Subject: Re: [dns-operations] Stunning security discovery: AXFR may leakinformation >This is an interesting discussion actu

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Marjorie
This is an interesting discussion actually. It's all about a rather benign but widespread misconfiguration. Not long ago, I ran a survey against a small ccTLD and tested each domain name for AXFR. The ccTLD zone file itself having been obtained - you guessed it - by way of zone transfer... Surpri

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread bert hubert
On Tue, Apr 14, 2015 at 10:26:01AM -0700, Mark Boolootian wrote: > > https://www.us-cert.gov/ncas/alerts/TA15-103A > > Seems they could have mentioned NSEC as well. And NSEC3, which does help anyhow in any real sense. Bert

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Mark Boolootian
> https://www.us-cert.gov/ncas/alerts/TA15-103A Seems they could have mentioned NSEC as well.

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Samson Oduor
On 4/14/2015 6:38 PM, Jelte Jansen wrote: some DNS geeks even enable open AXFR on purpose, btw. Open AXFR is not necessarily a security hole or data leak. open AXFR = good for conducting reconnaissance

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Jelte Jansen
On 04/14/2015 04:48 PM, Mike Hoskins (michoski) wrote: > > Yeah, when I read the AXFR announce my first thought was "wow, CERT must > be bored!" Seemed like old news. That said, open resolvers and BCP38 > should also be old news...but a lot of people don't get it or don't care. > Perhaps it was

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Peter Koch
On Tue, Apr 14, 2015 at 10:23:26AM +0200, Stephane Bortzmeyer wrote: > https://www.us-cert.gov/ncas/alerts/TA15-103A > http://haxpo.nl/haxpo2015ams/sessions/all-your-hostnames-are-belong-to-us/ this latest wave started on golem.de

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Simon Munton
+1 On 14/04/15 15:17, Jan wrote: I'm not sure this discovery should be dated 2015

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Stephane Bortzmeyer
On Tue, Apr 14, 2015 at 03:59:10PM +0100, Simon Munton wrote a message of 19 lines which said: > What year is this? 1986? > > It's a shame, cos over-reporting renders an alerts system useless. Ignorance from the US CERT, plus teasing from fame-deprived security researchers.

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Simon Munton
What year is this? 1986? It's a shame, cos over-reporting renders an alerts system useless. The boy who cried wolf. On 14/04/15 09:23, Stephane Bortzmeyer wrote: https://www.us-cert.gov/ncas/alerts/TA15-103A http://haxpo.nl/haxpo2015ams/sessions/all-your-hostnames-are-belong-to-us/

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Mike Hoskins (michoski)
-Original Message- From: Paul Wouters Date: Tuesday, April 14, 2015 at 10:20 AM To: Mark Jeftovic Cc: "dns-operati...@dns-oarc.net" Subject: Re: [dns-operations] Stunning security discovery: AXFR may leak information >On Tue, 14 Apr 2015, Mark Jeftovic wrote: > >> Joke all you want. Thi

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Mark E. Jeftovic
I think I should write for The Daily Currant. Paul Wouters wrote: > On Tue, 14 Apr 2015, Mark Jeftovic wrote: > >> Joke all you want. This is worse than heartbleed. > > Well, no. heartbleed could leak private (key) data. AXFR only leaks that > which you are already willing to give to any strang

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Paul Wouters
On Tue, 14 Apr 2015, Mark Jeftovic wrote: Joke all you want. This is worse than heartbleed. Well, no. heartbleed could leak private (key) data. AXFR only leaks that which you are already willing to give to any stranger who knows what question to ask or who asks 6 billion questions :P Paul

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Jan
I'm not sure this discovery should be dated 2015 http://bugs.cacert.org/view.php?id=803 http://security.stackexchange.com/questions/10452/dns-zone-transfer-attack http://www.iodigitalsec.com/dns-zone-transfer-axfr-vulnerability/ http://seclists.org/pen-test/2004/Feb/108 Stephane Bortzmeye

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Edward Lewis
On 4/14/15, 8:29, "Mark Jeftovic" wrote: >Joke all you want. This is worse than heartbleed. In short and if I understand this correctly, the problem isn't AXFR's existence or use, the problem is that systems are poorly configured. It's like blaming your aorta if a cut causes blood to spill. Th

[dns-operations] Re: Stunning security discovery: AXFR may leak information

2015-04-14 Thread KLaM Postmaster
How is this worse? This is not a DNS problem. Here the problem lies firmly between the ears of the operator. On 4/14/2015 8:29 AM, Mark Jeftovic wrote: Joke all you want. This is worse than heartbleed. Sent from my iPhone On Apr 14, 2015, at 7:28 AM, Edward Lewis wrote: Newsflash: Water c

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Stephane Bortzmeyer
On Tue, Apr 14, 2015 at 08:29:47AM -0400, Mark Jeftovic wrote a message of 26 lines which said: > This is worse than heartbleed. I won't rely on commercial teasers like I'm waiting for the actual paper to decide if t

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Mike A
On Tue, Apr 14, 2015 at 08:29:47AM -0400, Mark Jeftovic wrote: > Joke all you want. This is worse than heartbleed. Nobody can protect every DNS operator in the world from Dunning-Kruger effect and its consequences. Should we have people take an IQ test and put up a sign saying "You must be *THIS*

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Mark Jeftovic
Joke all you want. This is worse than heartbleed. Sent from my iPhone > On Apr 14, 2015, at 7:28 AM, Edward Lewis wrote: > > Newsflash: Water can make you wet. > > Sorry. > >> On 4/14/15, 4:23, "Stephane Bortzmeyer" wrote: >> >> https://www.us-cert.gov/ncas/alerts/TA15-103A >> http://haxpo.

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Stephane Bortzmeyer
On Tue, Apr 14, 2015 at 11:28:17AM +, Edward Lewis wrote a message of 126 lines which said: > Newsflash: Water can make you wet. You can also notice that the US CERT, to explain "how AXFR works", links to djb and not to RFC 5936...

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Nicolas CARTRON
On 04/14/2015 01:28 PM, Edward Lewis wrote: Newsflash: Water can make you wet. Sorry. I think this was also Stéphane's point ;) -- Nicolas

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Edward Lewis
Newsflash: Water can make you wet. Sorry. On 4/14/15, 4:23, "Stephane Bortzmeyer" wrote: >https://www.us-cert.gov/ncas/alerts/TA15-103A >http://haxpo.nl/haxpo2015ams/sessions/all-your-hostnames-are-belong-to-us/

[dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Stephane Bortzmeyer
https://www.us-cert.gov/ncas/alerts/TA15-103A http://haxpo.nl/haxpo2015ams/sessions/all-your-hostnames-are-belong-to-us/