Detection and Analysis of DNS region transfer vulnerabilities of a security website

 

DNS region Transfer(DNS zone transfer)A backup server is used to refresh the data of its own server in its own zone database. This provides a certain degree of redundancy for the running DNS service, and aims to prevent the Primary Domain Name Server from affecting the resolution of the entire domain name when it becomes unavailable due to unexpected faults. Generally, the DNS region transfer operation is only necessary when there is a backup domain name DNS server in the network, but many DNS servers are mistakenly configured as long as a client sends a request, the other party will be provided with detailed information about a zone database. Therefore, allowing untrusted Internet users to perform the DNS zone transfer operation is one of the most serious consequences.

 

Hazards of regional transfer vulnerabilities: hackers can quickly identify all hosts in a specific zone, collect domain information, select attack targets, and find unused IP addresses, hackers can bypass network-based access control.

 

Check the regional transfer vulnerability of the target site in linux

Dig axfr @ ns1.myhostadmin.net linux520.com @ soa dns domain name to be viewed

Detect the regional transfer vulnerability of the target site in windows

 

Both linux and windows systems can detect the region transfer vulnerability in the DNS used by the website. By executing commands, we can clearly see the domain name resolution information in the entire domain, this exposes the entire domain (A record and MX record ).

 

Solution: Region transfer is a common DNS function, and the vulnerability of region transfer cannot be solved. You can strictly limit the hosts that allow region transfer, for example, a primary DNS server should only allow it to perform the regional transfer function from the DNS server.

For bind software, you can use the allowe-transfer command to control it. It can be used as a parameter of the global option or zone option. We can

Use the address list as follows: allowe-transfer {192.168.1.1; 172.24.123.253 ;}; however, the address-Based Access Control List may be bypassed by some "determined" hackers. The best way is to use the TSIG key to strictly define the relationship of region transfer, as shown below allowe-transfer {key "dns1-slave1"; key "dns1-slave2 ";};

Note: This article demonstrates the principle of regional transfer and the dangers of regional transfer vulnerabilities by detecting the vulnerability in the target region, without further malicious attacks. When the blog post is completed, the website owner has been notified to fix the vulnerability. Do not detect the site vulnerability again. Otherwise, you will be at your own risk.