
UKdnsTest.txt

Posted Oct 16, 2003
Authored by STE Jones | Site NetworkPenetration.com

Network Penetration conducted a survey at the start of 2003 to check the status of the United Kingdom's DNS infrastructure. This paper discusses the second run of what was tested, the results, some sample zone transfers, and recommendations.

tags | paper, protocol
SHA-256 | 31dc371eb671d823d16aa2224c769ef3802e82eb0154f61065f3def5701be8f0

Network Penetration
NetworkPenetration.com

Copyright (c) 2003 Ste Jones
root@networkpenetration.com

UK's Internet Infrastructure Open to Prying Eyes

DNS Zone Transfers Allowed from First and Second Level Domains

Index

1. Introduction
2. What was tested
3. Example zone transfers
4. Results for UK domains
5. Recommendations

1. Introduction

Network Penetration conducted a survey at the start of 2003 to check the status of the UK's DNS infrastructure. The second scan of the year has just been completed, and the results are much more positive. There are still some serious holes in major areas, but much improvement has been made in the last 8 months. The rest of the paper discusses what was tested, the results, some sample zone transfers and finally some recommendations.

2. What was tested

During each scan only one test was performed against each domain:

A full zone transfer (axfr) against the first authoritative DNS server assigned to that domain.

A zone transfer consists of copying the contents of a zone file from a DNS server. This normally occurs when a secondary DNS server wishes to replicate the information for a zone from a primary DNS server for purposes of backup / redundancy. A zone file consists of all the information about that zone, such as the IP address of a web server or mail server, or possibly the hostname and IP of a firewall. Much of the information is open to request, such as which email server is used for that domain, but other records, such as the IP address and domain name of the firewall, should not be.

First and second level zones generally do not contain IP addresses of firewalls and such like, but they do contain huge lists of every subdomain. Take, for example, the zone file for the co.uk domain: it would contain every domain with a co.uk extension.

3. Example Zone Transfers

All the transfers were conducted using free online tools provided by demon.net.

3.1 Example one - Secured Domain

A zone transfer from the .biz domain results in a timeout and no information is returned.

3.2 Example Two - Secured Domain

Whereas when trying to zone transfer .mil, a connection refused is returned.

Domain: mil.
Primary Nameserver: G.ROOT-SERVERS.NET
E-mail Contact: HOSTMASTER@NIC.mil

/www/cgi-bin/demon/external/bin/dig @G.ROOT-SERVERS.NET mil. axfr

; <<>> DiG 2.1 <<>> @G.ROOT-SERVERS.NET mil. axfr
; (1 server found)
;; Received 0 records.
;; FROM: nu7www.demon.net to SERVER: 192.112.36.4
;; WHEN: Tue Aug 12 01:08:14 2003

3.3 Example Three - Unsecure Domain

An unsecured domain such as fake.com, however, would return the following:

Domain: fake.com.
Primary Nameserver: ns1.fakehosting.com
E-mail Contact: admin@fakehosting.com

/www/cgi-bin/demon/external/bin/dig @ns1.fakehosting.com fake.com. axfr

; <<>> DiG 2.1 <<>> @ns1.netincomehost.com fake.com. axfr
; (1 server found)
fake.com. 3600 SOA ns1.fakehosting.com. admin.fakehosting.com. (
10; serial
3600; refresh (1 hour)
600; retry (10 mins)
1209600; expire (14 days)
3600 ); minimum (1 hour)

fake.com. 3600 A 1.2.3.4
fake.com. 3600 NS ns1.fakehosting.com
fake.com. 3600 NS ns2.fakehosting.com
fake.com. 3600 MX 10 smtp.fake.com.

webmail.fake.com. 3600 CNAME webmail.freemail.com.
cisco.fake.com. 3600 A 1.2.3.1
fw1.fake.com. 3600 A 1.2.3.2
snort.fake.com. 3600 A 1.2.3.3
www.fake.com. 3600 A 1.2.3.4
ftp.fake.com. 3600 A 1.2.3.5
pdc.fake.com. 3600 A 1.2.3.6

fake.com. 3600 SOA ns1.fakehosting.com admin.fakehosting.com. (
10; serial
3600; refresh (1 hour)
600; retry (10 mins)
1209600; expire (14 days)
3600 ); minimum (1 hour)


;; Received 10 records.
;; FROM: nu7www.demon.net to SERVER: 64.42.224.9
;; WHEN: Mon Aug 11 23:20:47 2003

The fictitious zone file for fake.com shows a whole range of possible targets that a hacker could use to quickly map a network while sending hardly any packets to the network.

The information regarding the top and second level domains is not being published due to the possibility of it being exploited at some point in the future.
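The three outcomes shown in this section can be told apart mechanically when auditing your own zones. The following is an added example, not part of the original paper: it classifies dig axfr output as closed, open or partial, relying on the fact that a complete AXFR begins and ends with the zone's SOA record, and lists the disclosed hostnames that advertise a role. The sample data is constructed from the fake.com listing above, and `ROLE_HINTS` is a hypothetical list to be replaced with your own naming conventions.

```python
import re

# Constructed sample, modelled on the fictitious fake.com transfer above.
SOA = ("fake.com. 3600 SOA ns1.fakehosting.com. admin.fakehosting.com. (\n"
       "  10 ; serial\n  3600 ; refresh\n  600 ; retry\n"
       "  1209600 ; expire\n  3600 ) ; minimum\n")
BODY = ("fake.com. 3600 NS ns1.fakehosting.com.\n"
        "fake.com. 3600 MX 10 smtp.fake.com.\n"
        "fw1.fake.com. 3600 A 1.2.3.2\n"
        "snort.fake.com. 3600 A 1.2.3.3\n"
        "pdc.fake.com. 3600 A 1.2.3.6\n"
        "www.fake.com. 3600 A 1.2.3.4\n")
OPEN_SAMPLE = SOA + BODY + SOA      # complete transfer: SOA first and last
PARTIAL_SAMPLE = SOA + BODY         # cut short: closing SOA never arrives
CLOSED_SAMPLE = ("; <<>> DiG 2.1 <<>> @ns1.fakehosting.com fake.com. axfr\n"
                 ";; Received 0 records.\n")

# owner, TTL, optional class, type, rdata
RECORD = re.compile(r"^(\S+)\s+(\d+)\s+(?:IN\s+)?([A-Z][A-Z0-9]*)\s+(.+)$")
# Hypothetical naming hints; replace with your own host-naming conventions.
ROLE_HINTS = {"fw", "firewall", "cisco", "snort", "ids", "pdc", "vpn"}

def parse_records(dig_output):
    """Return (owner, type, rdata) per record line; skips ';' comments and
    the numeric continuation lines of a multi-line SOA."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        m = None if line.startswith(";") else RECORD.match(line)
        if m:
            records.append((m.group(1).lower(), m.group(3), m.group(4)))
    return records

def classify(dig_output):
    recs = parse_records(dig_output)
    if not recs:
        status = "closed"    # timeout, refusal or 0 records: nothing disclosed
    elif len(recs) > 1 and recs[0][1] == "SOA" and recs[-1][1] == "SOA":
        status = "open"      # whole zone returned, framed by SOA records
    else:
        status = "partial"   # records disclosed, but no closing SOA
    revealing = sorted({owner for owner, rtype, _ in recs
                        if rtype in ("A", "AAAA", "CNAME")
                        and owner.split(".")[0].rstrip("0123456789") in ROLE_HINTS})
    return {"status": status, "records": len(recs), "revealing": revealing}

if __name__ == "__main__":
    for name in ("OPEN_SAMPLE", "PARTIAL_SAMPLE", "CLOSED_SAMPLE"):
        print(name, classify(globals()[name]))
```

Feed it the saved output of a transfer attempt against your own zone made from a host that is not one of your secondary servers; anything other than `closed` means the zone is being disclosed.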

4. Results for UK DNS Infrastructure

At the start of the year nearly all the second level domains in the UK allowed a zone transfer, but now it's only really sections of the government lagging behind.

Domain      Transfer Possible       Number of Records       Notes
            Jan 03     August 03    Jan 03     August 03

uk          Yes        yes          220        248
ac.uk       no         no           -          -
bl.uk       Yes        no           1892       -
co.uk       no         no           -          -
gov.uk      yes        no           5          -
govt.uk     no         no           -          -
ltd.uk      yes        no           26723      -            Over 1 Mb
me.uk       yes        no           57329      -            Over 1 Mb
mod.uk      yes        yes          1484       1729
net.uk      yes        no           1298       -
nls.uk      yes        no           438        -
org.uk      yes        no           422265     -            Over 20 Mb
plc.uk      yes        no           3646       -
police.uk   yes        yes          234        241
sch.uk      yes        no           71360      -            Over 1 Mb


The only test performed against each server was a full zone transfer; some returned the full zone file while others, such as gov.uk, returned only a partial zone file.

In total 15 domains were tested. At the start of the year 3 passed the test, with transfers not possible, compared to 12 in August: 20% at the start of the year and 80% in August. Can the UK score 100% by the end of the year and lock down all their DNS servers? One would like to think so.

After sending an early copy of this report to various domain administrators, Network Penetration received a response from Jay Daley, Director of IT at Nominet UK.

"It is our policy that .uk is not closed to zone transfers though all of the second level domains (SLDs) that we manage are. There are a large number of people who pull the .uk zone to allow their nameservers fast repudiation of non-existent SLDs (e.g. when someone types in xxx.com.uk by accident)."

The two remaining zones mod.uk and police.uk may be open for a specific reason unknown to Network Penetration at this time but upon initial inspection they appear to be unsecured DNS servers. One possible reason is that zone transfers are extremely useful for debugging problems with domain name servers.

The information provided in this report does not necessarily mean that each domain was unsecure / secured but merely gives a rough guide to the state of the UK's DNS infrastructure.

5. Recommendations

Zone files contain lots of crucial information that a hacker or terrorist could use to attack a nation's infrastructure, because zone files contain information on a network's design and highlight key nodes within a network's infrastructure. Zone transfers from untrusted hosts, e.g. the general public, should be blocked. Disallowing zone transfers from hosts other than your backup DNS servers still allows hostnames to be resolved.

DNS Zone Transfer Protocol Clarifications https://www.ietf.org/internet-drafts/draft-ietf-dnsext-axfr-clarify-05.txt

Why is securing DNS zone transfer necessary? https://www.sans.org/rr/paper.php?id=868


The original copy of this paper can be found at www.networkpenetration.com
