Attackers can rely on free tools to discover faulty systems

Apr 14, 2015 10:39 GMT

Information about the internal network structure and other potentially sensitive details can be obtained from a DNS (domain name system) server by an unauthenticated user by simply sending a DNS zone transfer request.

The purpose of a DNS server is to ensure that a user reaches the correct web resource by translating the hostname entered in the browser into the IP address corresponding to the machine serving the content.

Zone file redundancy

Any tampering with this system can lead to users being directed to malicious IPs when they enter a correct web address, exposing them to nefarious activity.

As such, these machines are of significant importance in the Internet's infrastructure and require special protection to prevent attackers from gaining access to the DNS records.

The Asynchronous Transfer Full Range (AXFR) protocol is designed for replication of DNS data (called a “zone”) across multiple DNS servers. Thus, if the primary server encounters an issue and cannot provide the necessary data, queries are answered from the copies held by the other servers.

Only trusted IPs should receive replies to AXFR queries

A security warning from US-CERT (United States Computer Emergency Readiness Team) draws attention to the fact that misconfigured, public-facing DNS servers may respond to any zone transfer requests (AXFR queries) with subdomain details that could be leveraged by a threat actor to plan a future attack.

Because it discloses the entire zone file, such a request to a master DNS server should be honoured only when it comes from a secondary server. If the origin of the request is not checked against a trusted list, a third party could obtain the information.

Apart from an attacker taking control of the host and redirecting users to spoofed copies of legitimate resources, the servers are also exposed to denial-of-service (DoS) attacks that could prevent users from reaching the intended destination.

Tens of thousands of machines affected

The issue of AXFR queries revealing too much is not new, but there are still plenty of DNS servers online that perform zone replication via AXFR and accept requests from unknown IP addresses.

US-CERT also highlights that malicious individuals have an easy way to discover vulnerable machines via open-source tools and scripts.

The recommended action is to configure the servers to reply to AXFR requests originating only from trusted IP addresses.
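One way for an administrator to verify that this restriction is in place on their own nameservers is to send a single AXFR query and look at the response code: a correctly configured server answers REFUSED, while an open one starts returning zone records. The following self-audit script is an added example, not part of the original article or of US-CERT's advisory; it uses only the Python standard library, and the two sample replies at the bottom are constructed header bytes so the classifier can be exercised offline.

```python
import socket
import struct

# RR type for a full zone transfer (RFC 5936) and the RCODE a correctly
# restricted server returns to a requester that is not on its allow list.
QTYPE_AXFR = 252
RCODE_REFUSED = 5

def build_axfr_query(zone, txid=0x1234):
    """Wire-format AXFR query for `zone`, prefixed with the 2-byte length
    that DNS over TCP requires (zone transfers always run over TCP)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", QTYPE_AXFR, 1)  # class IN
    return struct.pack("!H", len(msg)) + msg

def classify_response(msg):
    """Classify the first DNS message returned for an AXFR attempt."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode == RCODE_REFUSED:
        return "restricted"      # transfer denied: the desired state
    if rcode == 0 and ancount > 0:
        return "open"            # server began streaming zone records
    return "other rcode=%d" % rcode

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def check_nameserver(ns_host, zone, timeout=5.0):
    """Send one AXFR query for `zone` to `ns_host` over TCP and classify its reply."""
    with socket.create_connection((ns_host, 53), timeout=timeout) as s:
        s.sendall(build_axfr_query(zone))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return classify_response(_recv_exact(s, length))

# Constructed sample replies (header only) for offline use:
# QR=1, RD=1, RCODE=REFUSED, as sent by a properly restricted server ...
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
# ... and QR=1, AA=1, NOERROR with three answer RRs, as sent by an open server.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0)
```

Run `check_nameserver()` against each nameserver listed in your own zone's NS records; anything other than "restricted" means the allow list needs fixing.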

According to research from Alexa, in late March there were more than 72,000 unique domains and over 48,000 unique nameservers impacted by the issue.