
What is a DNS zone transfer attack?



Domains tend to give away a lot of information, and sometimes more than they should. When looking at services, domains, web sites and so on, the details that get overlooked are often the settings of the DNS servers themselves. In this post we look at what a DNS zone transfer is and how it can expose information about an organisation's infrastructure.

DNS servers are essentially computers that resolve domain names to IP addresses. This lets users reach services by a friendly name, since remembering IP addresses would be far more cumbersome.

However, DNS is also frequently used by attackers to gather information about a potential victim's infrastructure and subdomains. There are automated tools for this, such as dnsenum; a screen capture of it is shown below:




It is clear that with just a few parameters (in this case --enum, to enumerate information) the tool starts collecting data, not only from the DNS servers but also through Internet searches. Although it does everything by itself once given the domain, you should understand what it does behind the scenes.

To obtain this kind of information you can use the dig command on Linux and OS X; it is a tool for querying DNS servers, as we will see below:




When the query is run, the DNS servers responsible for answering queries for the domain are listed automatically. The query is performed with the following command:

Code: Bash
    dig NS midominio.net

Once the command is run on a Linux system, it shows the list of servers responsible for answering requests for that domain.

Why would an attacker want to perform a zone transfer and collect the records from the DNS servers?

Because through them an attacker can collect information about a corporate network, at times exposing its internal IP addresses, servers and workstations. To collect this information the axfr parameter is used (which is why this type of attack is also called AXFR); the command is as follows:

Code: Bash
    dig @ns1.midominio.net axfr midominio.net

The axfr parameter requests a transfer of the zone from that DNS server; zone transfers exist so that secondary servers can synchronise and update their copy of the zone when changes occur. Besides the full transfer with axfr, it is also possible to do it incrementally, which is called ixfr. When the request is run, the zone transfer is returned as the response. Without proper configuration, this allows an attacker to replicate the DNS database and obtain sensitive information.

If the attack succeeds, a great deal of information is exposed, as we will see in the following screenshot:




In the example shown we can see listed IP addresses and services that are most likely for internal use, such as login portals, mail services, and even portals for the mobile versions of those services.
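As an added example (not part of the original article), the following Python script parses dig-style zone-transfer output, using a constructed sample zone, and flags the records that point at RFC 1918 addresses, i.e. the internal hosts the paragraph above describes being exposed. The names and addresses in the sample are assumptions, not real data.

```python
import ipaddress
import re

# Constructed sample of a successful "dig @ns1.midominio.net axfr midominio.net"
# (dig repeats the SOA as the last line). Not real data.
SAMPLE_AXFR_OUTPUT = """\
midominio.net.          3600 IN SOA   ns1.midominio.net. admin.midominio.net. 2024010101 7200 3600 1209600 3600
midominio.net.          3600 IN NS    ns1.midominio.net.
midominio.net.          3600 IN NS    ns2.midominio.net.
www.midominio.net.      300  IN A     203.0.113.10
mail.midominio.net.     300  IN A     203.0.113.25
intranet.midominio.net. 300  IN A     10.0.5.12
login.midominio.net.    300  IN A     192.168.1.40
vpn.midominio.net.      300  IN CNAME fw01.midominio.net.
fw01.midominio.net.     300  IN A     172.16.0.1
midominio.net.          3600 IN SOA   ns1.midominio.net. admin.midominio.net. 2024010101 7200 3600 1209600 3600
"""

# dig presentation format: name  ttl  IN  type  rdata; lines starting with ';' are comments
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")
# RFC 1918 ranges: addresses that have no business appearing in a public zone
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_axfr(text):
    """Turn dig-style zone output into (name, ttl, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = RECORD_RE.match(line)
        if match:
            name, ttl, rtype, rdata = match.groups()
            records.append((name.rstrip("."), int(ttl), rtype, rdata.strip()))
    return records


def assess_exposure(records):
    """Report the host names a leaked zone enumerates and the A records
    pointing at internal (RFC 1918) addresses, in zone order."""
    hosts, internal = set(), []
    for name, _ttl, rtype, rdata in records:
        if rtype == "A":
            hosts.add(name)
            if any(ipaddress.ip_address(rdata) in net for net in RFC1918):
                internal.append((name, rdata))
        elif rtype in ("AAAA", "CNAME"):
            hosts.add(name)
    return {"hosts": sorted(hosts), "internal": internal}
```

A defender can feed it the output of a transfer of their own zone to see exactly what an unauthorised AXFR would hand out.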

How can I see this information from Windows?

Just as we can obtain this information with dig on Linux systems, we can also obtain it on Windows systems with nslookup. Let's see how in the following screenshot:



Although the commands and parameters are slightly different on Windows, the same thing can be done. First, open the Windows command prompt (another console can also be used); to do so simply type cmd in the Start menu search bar and press Enter.

Once the console is open, as shown in the previous example, you can start entering the commands:

1- First, run nslookup and press Enter; this starts the interactive tool for querying DNS servers.

2- Second, enter set type=ns (this sets the query type, in this case Name Server); after pressing Enter, type the domain to query on the next line, for example com.ar.

3- Third, enter set type=all and press Enter (this specifies that all possible record types are requested).

4- Fourth and last, enter ls example.com.ar, which lists the available information.


So what do we do to prevent this kind of information leak?

It is very important to understand that all this information could be exploited by a cybercriminal to compromise a computer or the entire network. Knowing this in advance, we have the tools to analyse our own exposure proactively and prevent it.

To avoid the headaches of leaked information, from the ESET Latin America Research Laboratory we recommend reviewing the configuration files of your DNS servers.

Note that the location of the configuration file that allows or denies transfers, or that lists the hosts authorised to make them, depends on the software you use for this service.

For example, to fix this problem in bind9, open the file named.conf.local (located by default in /etc/bind) and edit it so that zone transfers are permitted only to the IP addresses of trusted secondary DNS servers. To do this, change the file as follows:
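The configuration the article refers to, written here as an added example rather than taken from the original post's screenshot; the ACL name, the zone file path and the secondary-server addresses are placeholders to replace with your own:

```conf
// /etc/bind/named.conf.local (BIND 9) -- added example, not the article's screenshot.
// Addresses below are constructed placeholders; use your own secondaries.

// Keep the list of trusted secondary name servers in one place.
acl "secondaries" {
    198.51.100.53;      // ns2 (placeholder)
    198.51.100.54;      // ns3 (placeholder)
};

zone "midominio.net" {
    type master;
    file "/etc/bind/db.midominio.net";      // placeholder path
    // Without a restrictive allow-transfer (for example "allow-transfer { any; };")
    // anyone can run "dig axfr" against this zone. With the line below only the
    // secondaries may request AXFR/IXFR; everyone else receives REFUSED.
    allow-transfer { secondaries; };
    // Notify the same hosts when the zone changes so they stay in sync.
    also-notify { 198.51.100.53; 198.51.100.54; };
};

// Server-wide safety net, placed in the options block (named.conf.options on
// Debian-based systems): zones that forget the directive are closed, not open.
//
//     options { allow-transfer { none; }; };
```

After reloading the service, running the article's dig axfr command from any host other than the listed secondaries should fail with a REFUSED answer, which is the check that the change took effect.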




Keep in mind that this file's location and syntax can vary depending on the software you use. We recommend understanding how the software you are running works and applying the corresponding settings.

As we have seen, something that may seem so simple represents a serious security risk. Using tools built into the operating system, combined with a misconfiguration on the server side, a large amount of sensitive information can be collected.

With the information obtained, an attacker can understand the network topology and use it to try to break in. It is therefore necessary to work proactively to detect this kind of situation and correct it before an attacker can exploit it. By applying the necessary fixes proactively, we can use the technology safely and without too many worries.

Source: welivesecurity.com