Inner Mongolia Power dns domain transfer vulnerability and Solution

Inner Mongolia Power dns domain transfer vulnerability and Solution

Dns region transfer Vulnerability

Dns is the foundation of the entire internet company's business. At present, more and more Internet companies are building their own DNS servers for resolution services. At the same time, because DNS is a basic service, therefore, many companies will configure the Primary and Secondary DNS servers, and data synchronization between the primary and secondary DNS servers will use dns domain transfer. However, if the configuration is inappropriate, as a result, any anonymous user can obtain all records of a domain on the DNS server and expose the basic business and network architecture of the entire enterprise to external entities, resulting in serious information leakage, it may even cause enterprise network penetration.

> ls -d impc.com.cn [dns.impc.com.cn] impc.com.cn.                   SOA    dns.impc.com.cn postmaster.impc.com.cn. (20090225 300 60 1209600 43200) impc.com.cn.                   MX     10   mailgate.impc.com.cn impc.com.cn.                   MX     10   mx.impc.com.cn impc.com.cn.                   NS     dns.impc.com.cn                95598                          A      211.160.40.12 www.bmdy                       A      10.127.39.202 xmdy.impc.com.cn               MX     10   mailgate.impc.com.cn xt.impc.com.cn                 MX     10   mailgate.impc.com.cn www.dkyy                       A      10.126.36.16 dns                            A      211.160.40.15 www.ehv                        A      10.126.40.10 www.erdos                      A      10.127.50.158 www.hlbe                       A      10.127.145.5 impcppm                        A      116.113.110.163 imptc                          A      211.160.40.13 localhost                      A      127.0.0.1 mailgate                       A      116.113.110.165 mx                             A      116.113.110.165 news                           A      211.160.40.22 nmdl2                          A      211.160.40.20 nmsg                           A      211.160.40.17 oaserver                       A      211.160.40.23 oavpn                          A      211.160.40.25 sg                             A      211.160.40.17 vpn                            A      211.160.40.19 www.whdy                       A      10.127.65.218 wlxy                           A      123.178.25.75 wlxy                           A      116.113.45.29 www                            A      116.113.110.165 wzglb                          A      116.113.110.165 xady                           A      10.127.168.253 www.xjwgdj                     A      10.127.99.18 www.xmdy                       A      10.127.143.10 xt                             A      10.126.1.25 xtapp                          CNAME  xt.impc.com.cn yb                             A      211.160.40.4 yxwx                           A      211.160.40.1 zhaopin                        A      211.160.40.9 impc.com.cn.                   SOA    dns.impc.com.cn postmaster.impc.com.cn. (20090225 300 60 1209600 43200)

 

 

Solution:

Solution: Region transfer is a common DNS function, and the vulnerability of region transfer cannot be solved. You can strictly limit the hosts that allow region transfer, for example, a primary DNS server should only allow it to perform the regional transfer function from the DNS server.

For bind software, you can use the allowe-transfer command to control it. It can be used as a parameter of the global option or zone option. The address list is as follows:

allowe-transfer ｛192.168.1.1; 172.24.123.253;｝;

However, the address-Based Access Control List may be bypassed by some "determined" hackers. The best way is to use the TSIG key to strictly define the region transfer relationship, as shown below:

allowe-transfer ｛key "dns1-slave1"; key "dns1-slave2";｝;