2022-07-13T11:08:00

Bug bounty report

Vulnerability - Unrestricted DNS Server Zone Transfer

Last week I got an email from Ronak Nahar asking whether I have a bug bounty or reward policy for reporting a vulnerability. Fair enough, he disclosed what it was → "Unrestricted DNS Server Zone Transfer". That means that all of the DNS zone information for, for example, kutej.net could be exported. We negotiated a price for this disclosure, and now it's fixed thanks to his report.

$ dig axfr kutej.net @ns1.meon.eu

; <<>> DiG 9.16.27-Debian <<>> axfr kutej.net @ns1.meon.eu
;; global options: +cmd
; Transfer failed.

A DNS dump is not that bad, as all of that information is public anyway, but it's also not good, as it gives away a map of the infrastructure, which may help attackers in further penetration or in discovering weak spots. My two DNS servers are configured as slaves. On the master I had "allow-transfer" restricted to these two slaves; on the slaves this option was not set at all, which means the default: anyone. Pretty poor default.

Below are some logs from one of the two NS. It seems zone transfers have been happening all the time from different hosts. Ronak was the first one to report it so that I could fix it. Why all those other guys collect this information is an open question.

Jul  3 06:56:22 bee1 named[26714]: client @0x7f61d0edc680 103.107.98.79#30878 (meon.eu): transfer of 'meon.eu/IN': AXFR started (serial 2020060582)
Jul  5 08:20:08 bee1 named[26714]: client @0x7f61d998f9f0 103.107.98.175#11289 (meon.eu): transfer of 'meon.eu/IN': AXFR started (serial 2020060582)
Jul  8 06:42:59 bee1 named[26714]: client @0x7f61d8afc0c0 164.92.117.245#39088 (meon.at): transfer of 'meon.at/IN': AXFR started (serial 2019030806)
Jul  8 06:45:11 bee1 named[26714]: client @0x7f61d8afc0c0 164.92.117.245#49778 (eusahub.com): transfer of 'eusahub.com/IN': AXFR started (serial 2019030819)
Jul  8 08:40:46 bee1 named[26714]: client @0x7f61d8afc0c0 164.92.117.245#56958 (meon.eu): transfer of 'meon.eu/IN': AXFR started (serial 2020060582)
Jul  8 09:24:32 bee1 named[26714]: client @0x7f61d0949be0 164.92.117.245#42360 (meon.at): transfer of 'meon.at/IN': AXFR started (serial 2019030806)
Jul  8 09:27:27 bee1 named[26714]: client @0x7f61d8afc0c0 164.92.117.245#58514 (eusahub.com): transfer of 'eusahub.com/IN': AXFR started (serial 2019030819)
Jul  9 11:39:50 bee1 named[26714]: client @0x7f61d9608330 103.107.98.90#60634 (meon.eu): transfer of 'meon.eu/IN': AXFR started (serial 2020060582)
Jul 10 08:27:37 bee1 named[26714]: client @0x7f61d0e12980 103.107.98.90#17691 (meon.eu): transfer of 'meon.eu/IN': AXFR started (serial 2020060582)
Jul 11 01:00:32 bee1 named[26714]: client @0x7f61d86f1650 103.107.98.90#15160 (meon.eu): transfer of 'meon.eu/IN': AXFR started (serial 2020060582)
Jul 11 11:48:04 bee1 named[26714]: client @0x7f61d06f4eb0 164.92.115.60#45562 (riedellskates.eu): transfer of 'riedellskates.eu/IN': AXFR started (serial 2015031133)
Jul 11 17:35:45 bee1 named[26714]: client @0x7f61d86ca480 164.92.115.60#34250 (meon.eu): transfer of 'meon.eu/IN': AXFR started (serial 2020060582)
Jul 11 18:53:27 bee1 named[26714]: client @0x7f61d9608330 164.92.115.60#39898 (mr-cynical.com): transfer of 'mr-cynical.com/IN': AXFR started (serial 2019030806)
Jul 12 05:28:01 bee1 named[26714]: client @0x7f61d06f4eb0 103.107.98.170#31198 (meon.eu): transfer of 'meon.eu/IN': AXFR started (serial 2020060582)
Jul 12 05:38:48 bee1 named[26714]: client @0x7f61d06f4eb0 103.107.98.170#35166 (meon.eu): transfer of 'meon.eu/IN': AXFR started (serial 2020060582)
Jul 12 18:08:38 bee1 named[26714]: client @0x7f61d0e11b10 164.92.66.237#55384 (meon.eu): transfer of 'meon.eu/IN': AXFR started (serial 2020060582)
Jul 12 19:18:30 bee1 named[26714]: client @0x7f61d0f32950 164.92.66.237#41516 (mr-cynical.com): transfer of 'mr-cynical.com/IN': AXFR started (serial 2019030806)
Jul 13 05:14:34 bee1 named[26714]: client @0x7f61d8a95840 164.92.66.237#43538 (riedellskates.eu): transfer of 'riedellskates.eu/IN': AXFR started (serial 2015031133)
Jul 13 09:19:08 bee1 named[26714]: client @0x7f61d8ab5af0 164.92.66.237#41628 (weledu-group.com): transfer of 'weledu-group.com/IN': AXFR started (serial 2016031312)
Jul 13 10:44:44 bee1 named[26714]: client @0x7f61d994af30 164.92.66.237#35706 (meon.at): transfer of 'meon.at/IN': AXFR started (serial 2019030806)
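The log above is exactly the kind of evidence a defender wants to check on a secondary: which clients pulled which zones, and whether any of them is a host that should not be allowed to. The script below is an added example, not part of the original post or of BIND itself. It parses named's "transfer of ... started" lines, groups them by client address, flags every client that is not on the allow-list of known secondaries, and prints the allow-transfer line that should replace the permissive default. The sample log is constructed from a few lines of the bee1 log above plus one line from a placeholder secondary (198.51.100.7); the secondary addresses in ALLOWED are placeholders, not the author's real servers.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: three lines taken from the bee1 log above, one transfer by a
# placeholder secondary (198.51.100.7), and one ordinary query line that must be ignored.
SAMPLE_LOG = """\
Jul  3 06:56:22 bee1 named[26714]: client @0x7f61d0edc680 103.107.98.79#30878 (meon.eu): transfer of 'meon.eu/IN': AXFR started (serial 2020060582)
Jul  8 06:42:59 bee1 named[26714]: client @0x7f61d8afc0c0 164.92.117.245#39088 (meon.at): transfer of 'meon.at/IN': AXFR started (serial 2019030806)
Jul 11 11:48:04 bee1 named[26714]: client @0x7f61d06f4eb0 164.92.115.60#45562 (riedellskates.eu): transfer of 'riedellskates.eu/IN': AXFR started (serial 2015031133)
Jul 12 05:28:01 bee1 named[26714]: client @0x7f61d06f4eb0 198.51.100.7#31198 (meon.eu): transfer of 'meon.eu/IN': AXFR started (serial 2020060582)
Jul 12 05:30:00 bee1 named[26714]: client @0x7f61d06f4eb0 198.51.100.7#31199 (meon.eu): query: meon.eu IN A +E(0)K (198.51.100.7)
"""

# One BIND "transfer started" line per AXFR/IXFR. The "@0x..." client handle is optional
# because older BIND versions do not print it.
TRANSFER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\([^)]*\): transfer of '(?P<zone>[^/']+)/IN': "
    r"(?P<kind>AXFR|IXFR) started(?: \(serial (?P<serial>\d+)\))?"
)


def parse_transfers(log_text):
    """Return one dict (ts, ip, zone, kind, serial) per zone-transfer start line."""
    events = []
    for line in log_text.splitlines():
        m = TRANSFER_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def audit_transfers(events, allowed_secondaries):
    """Group transfers by client IP and flag clients that are not a known secondary."""
    by_client = defaultdict(Counter)  # ip -> Counter(zone -> number of transfers)
    for e in events:
        by_client[e["ip"]][e["zone"]] += 1
    clients = {ip: dict(zones) for ip, zones in by_client.items()}
    unauthorized = {ip: zones for ip, zones in clients.items()
                    if ip not in allowed_secondaries}
    return {"clients": clients, "unauthorized": unauthorized}


def allow_transfer_stanza(allowed_secondaries):
    """Build the named.conf line that replaces the permissive default.

    An empty set yields 'none', which is the right setting on a secondary that
    no other server pulls zones from.
    """
    if not allowed_secondaries:
        return "allow-transfer { none; };"
    ips = "; ".join(sorted(allowed_secondaries))
    return f"allow-transfer {{ {ips}; }};"


if __name__ == "__main__":
    ALLOWED = {"198.51.100.7", "198.51.100.8"}  # placeholder secondary addresses
    report = audit_transfers(parse_transfers(SAMPLE_LOG), ALLOWED)
    for ip, zones in report["unauthorized"].items():
        print(f"unauthorized zone transfer from {ip}: {zones}")
    print("master:   ", allow_transfer_stanza(ALLOWED))
    print("secondary:", allow_transfer_stanza(set()))
```

Run against a real log (`journalctl -u named` or /var/log/syslog) the same parser works unchanged; anything in the "unauthorized" map after the fix means the allow-transfer setting has not taken effect on that server.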