Inner Mongolia Power dns domain transfer vulnerability and Solution

Source: Internet
Author: User
Tags: domain transfer


DNS zone transfer vulnerability

DNS underpins every Internet company's business, and more and more companies now run their own DNS servers for name resolution. Because DNS is such a basic service, many of them deploy a primary and one or more secondary DNS servers and keep the two in sync through DNS zone transfers. If zone transfer is misconfigured, however, any anonymous user can request a copy of the whole zone and obtain every record the server holds for that domain, exposing the company's services and network layout to outsiders. The result is a serious information leak that can become the starting point for a penetration of the enterprise network.

> ls -d impc.com.cn
[dns.impc.com.cn]
 impc.com.cn.                   SOA    dns.impc.com.cn postmaster.impc.com.cn. (20090225 300 60 1209600 43200)
 impc.com.cn.                   MX     10   mailgate.impc.com.cn
 impc.com.cn.                   MX     10   mx.impc.com.cn
 impc.com.cn.                   NS     dns.impc.com.cn
 95598                          A      211.160.40.12
 www.bmdy                       A      10.127.39.202
 xmdy.impc.com.cn               MX     10   mailgate.impc.com.cn
 xt.impc.com.cn                 MX     10   mailgate.impc.com.cn
 www.dkyy                       A      10.126.36.16
 dns                            A      211.160.40.15
 www.ehv                        A      10.126.40.10
 www.erdos                      A      10.127.50.158
 www.hlbe                       A      10.127.145.5
 impcppm                        A      116.113.110.163
 imptc                          A      211.160.40.13
 localhost                      A      127.0.0.1
 mailgate                       A      116.113.110.165
 mx                             A      116.113.110.165
 news                           A      211.160.40.22
 nmdl2                          A      211.160.40.20
 nmsg                           A      211.160.40.17
 oaserver                       A      211.160.40.23
 oavpn                          A      211.160.40.25
 sg                             A      211.160.40.17
 vpn                            A      211.160.40.19
 www.whdy                       A      10.127.65.218
 wlxy                           A      123.178.25.75
 wlxy                           A      116.113.45.29
 www                            A      116.113.110.165
 wzglb                          A      116.113.110.165
 xady                           A      10.127.168.253
 www.xjwgdj                     A      10.127.99.18
 www.xmdy                       A      10.127.143.10
 xt                             A      10.126.1.25
 xtapp                          CNAME  xt.impc.com.cn
 yb                             A      211.160.40.4
 yxwx                           A      211.160.40.1
 zhaopin                        A      211.160.40.9
 impc.com.cn.                   SOA    dns.impc.com.cn postmaster.impc.com.cn. (20090225 300 60 1209600 43200)
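To make the "network architecture leak" concrete, the following script (an added example, not part of the original article) parses listing output in the nslookup `ls -d` format shown above and reports which records point at non-routable addresses. The handful of sample lines embedded in it are copied from the dump above with the whitespace normalised; the function names and the report structure are this example's own.

```python
"""Inventory what an open zone transfer hands out.

Parses nslookup "ls -d" style output (one record per line:
  name  type  [priority]  data ...) and reports which hosts point at
RFC 1918 or loopback addresses, i.e. how much of the internal network
layout the dump reveals.
"""
import ipaddress
import re
from collections import Counter

# A handful of lines copied from the zone dump above, whitespace normalised.
SAMPLE_DUMP = """\
> ls -d impc.com.cn
impc.com.cn.  SOA    dns.impc.com.cn postmaster.impc.com.cn. (20090225 300 60 1209600 43200)
impc.com.cn.  MX     10   mailgate.impc.com.cn
impc.com.cn.  NS     dns.impc.com.cn
95598         A      211.160.40.12
www.bmdy      A      10.127.39.202
dns           A      211.160.40.15
localhost     A      127.0.0.1
oavpn         A      211.160.40.25
vpn           A      211.160.40.19
www.whdy      A      10.127.65.218
xt            A      10.126.1.25
xtapp         CNAME  xt.impc.com.cn
"""

# name, whitespace, upper-case record type, whitespace, the rest of the line
RECORD_RE = re.compile(r"^(?P<name>\S+)\s+(?P<type>[A-Z]+)\s+(?P<data>.*)$")


def parse_dump(text):
    """Return a list of (name, type, data) tuples, skipping prompt lines
    (starting with '>'), blank lines and anything that is not a record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(">"):
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append((m["name"], m["type"], m["data"].strip()))
    return records


def classify_address(addr):
    """'loopback' for 127/8, 'private' for RFC 1918 and similar ranges,
    'public' otherwise; None when the data field is not an IP address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip.is_loopback:          # check before is_private, which also covers 127/8
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def exposure_report(text):
    """Summarise a dump: record-type counts, plus which A/AAAA records
    leak internal (non-routable) addresses and which name public hosts."""
    records = parse_dump(text)
    types = Counter(rtype for _, rtype, _ in records)
    internal, public = [], []
    for name, rtype, data in records:
        if rtype not in ("A", "AAAA"):
            continue
        kind = classify_address(data)
        if kind in ("private", "loopback"):
            internal.append((name, data))
        elif kind == "public":
            public.append((name, data))
    return {"types": dict(types), "internal": internal, "public": public}


if __name__ == "__main__":
    report = exposure_report(SAMPLE_DUMP)
    print("record types:", report["types"])
    print("internal hosts revealed by the transfer:")
    for name, addr in report["internal"]:
        print(f"  {name:<12} {addr}")
```

Run against a full dump of your own zone, the `internal` list is the set of hostnames and 10.x addresses an anonymous client would learn from a single query, which is the exposure the article is warning about.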


Solution:

Zone transfer is a standard DNS function, so the weakness cannot be removed by getting rid of the feature itself. What you can do is strictly limit which hosts are allowed to request a zone transfer: a primary DNS server, for example, should accept zone transfer requests only from its own secondary DNS servers.

For BIND, this is controlled with the allow-transfer statement. It can be used either in the global options block or in an individual zone block, and takes an address list, for example:

allow-transfer { 192.168.1.1; 172.24.123.253; };



However, an address-based access control list may still be bypassed by a determined attacker. The best approach is to use TSIG keys, so that a zone transfer relationship is defined by a shared secret rather than by a source address, as shown below:

allow-transfer { key "dns1-slave1"; key "dns1-slave2"; };
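The fragments below, an added example rather than configuration from the article or from any real deployment, put the two allow-transfer forms above side by side and show the pieces a TSIG-based setup needs on both the primary and the secondary. The key name dns1-slave1 and the addresses 192.168.1.1 and 172.24.123.253 are taken from the article; the zone name example.com, the primary's address 203.0.113.10 and the secret string are placeholders.

```conf
// ===== Fragment 1: the weak setting (BIND's behaviour when nothing restricts it) =====
options {
    allow-transfer { any; };          // any client can pull the whole zone
};

// ===== Fragment 2: address-based restriction (addresses from the article) =====
options {
    allow-transfer { 192.168.1.1; 172.24.123.253; };
};

// ===== Fragment 3: TSIG-based restriction =====
// Generate the key on the primary with:  tsig-keygen dns1-slave1
// and copy the resulting key block, unchanged, into the secondary's named.conf.
// The secret below is a placeholder, not a real key.
key "dns1-slave1" {
    algorithm hmac-sha256;
    secret "<base64 secret produced by tsig-keygen>";
};

// --- primary's named.conf ---
zone "example.com" {                  // placeholder zone name
    type primary;                     // older BIND releases spell this "master"
    file "/var/named/example.com.zone";
    allow-transfer { key "dns1-slave1"; };   // a matching source address is no longer enough
    also-notify { 192.168.1.1; };            // tell the secondary when the zone changes
};

// --- secondary's named.conf (host 192.168.1.1) ---
// Sign every request sent to the primary with the shared key.
server 203.0.113.10 {                 // placeholder address of the primary
    keys { "dns1-slave1"; };
};

zone "example.com" {
    type secondary;                   // older BIND releases spell this "slave"
    file "/var/named/example.com.zone";
    primaries { 203.0.113.10 key "dns1-slave1"; };   // older releases use "masters"
};
```

Each fragment is meant to be read on its own; a single named.conf may contain only one options block. After reloading, check the result with named-checkconf and then repeat the `ls -d` query shown above from a host that does not hold the key: the transfer should now be refused, and BIND records such refusals in its security log category, which gives you a detection signal for transfer attempts as well.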
