DNS Series II: Security case of wildcard domain name resolution

The role of a wildcard (wildcard)

DNS wildcard domain name resolution can also be understood as a resolution record with wildcard characters. a dns record with wildcard characters is used to provide resolution request response methods for non-existent subdomains. For example, a domain example.com exists. If we set the wildcard record * .example.com, all subdomains that do not exist in the example.com domain, for example, abcd.example.com and efgh.example.com all point to example.com. During the Security penetration test of a website, the most important part in the information collection stage is to determine the correspondence between the subdomain and IP address, and introduce the wildcard function to abbreviated the target range.

Wildcard DNS record Bypass

 

If a domain has a resolution record with a wildcard character, you can bypass the wildcard character to expose the information of the subdomain. The bypassing method is to brute force crack the subdomain information. We can create a huge dictionary that contains many possible sub-domain names, and then record the corresponding sub-domain names, and then ping all these sub-domains, if these subdomains are resolved to obtain an ip address different from the domain (example.com) ip address, you can be sure that the subdomain exists. However, before launching a brute-force cracking attack, you 'd better first check whether there is a parsing record with a wildcard character. You can ping some random subdomains, for example, 123123.example.com and abcdef.example.com are used to determine whether the ip address of the example.com domain is the same as the host ip address of the random subdomain. If these random subdomains exist, we can clearly determine that the resolution records with wildcards exist in example.com.

DNS region transfer Vulnerability

A previous blog has explained how regional transfer works and analyzed a security case of a Regional transfer vulnerability. The preceding example shows how this vulnerability works.

This time, we found that the Regional Transmission vulnerability no longer exists, prompting the DNS to refuse to send the linux520.com domain to this host. It is clear that the domain transfer to untrusted hosts has been rejected.

DNS brute-force cracking

Due to the rare existence of the DNS region transfer vulnerability, most DNS servers are configured securely and cannot provide the regional transfer function to any client. Is this the end? Helpless? The answer is no. You can also use the most primitive method-brute force cracking. The procedure is to prepare a large data dictionary. First, check whether there is a resolution record with a wildcard character, and check whether the ip address resolved by the random subdomain (abc123.example.com) is consistent with the ip address parsed by example.com. If they are consistent, wildcard domain name resolution is set. Each record in the dictionary is used to query this domain. If there is a vip record in the dictionary, it is used to request vip.example.com. If the resolved IP address is different, it indicates that the subdomain exists, so that we can obtain the domain name and IP address of the subdomain. If no wildcard domain name resolution is set, you can use the same method to check whether the request response can be received from any subdomain. If the request is returned, we can be sure that the subdomain exists. In the end, we can obtain a large amount of information about this domain.

 

According to the above analysis ideas, use the perl script to implement the detection process:

Perl force. pl-dns linux520.com-wordlist hosts.txt

It can be seen that through brute-force cracking, the corresponding information of the domain name and its ip address is also obtained. Therefore, when using wildcard domain name resolution (wildcard), you must consider possible security issues.
Original article: http://laoxu.blog.51cto.com/4120547/1282773