From: Mike Hoskins (mike@adept.org)
Date: Tue Feb 24 2004 - 21:26:37 EST
On Tue, 24 Feb 2004, cissper wrote:
> In one of my scans, nessus reported a vulnerability allowing DNS zone
> transfers (see below).
first, i'd like to point out that prominent members from the DNS
development community have stated that denying zone xfers is little more
than security through obscurity. i personally do not allow zone xfers
from non-trusted hosts (and old habit, i'm in the camp that believes
obscurity is OK as only a part of "security in depth", afterall the
military uses camoflauge), but keep in mind that this "vulnerability" can
be exploited in other ways. i.e. generating all possible text string
queries (there are a finite amount, perl on modern CPUs is quite fast) and
watching the return code would conceivably allow people to determine the
same information without actually doing a zone xfer. of course such
activity could be 'caught' in various ways. this is most likely why
nessus rates this as 'medium' risk.
that said, i'm not sure precisely what the plugin is doing... but there
are a couple things you could check. first, it may simply see TCP port 53
open on the name server in question. TCP port 53 is used for zone xfer,
as i'm sure you know, but also used for other things... so i would hope
this is not what the plugin is doing. to see if the plugin is actually
attempting a zone xfer (if it is not allowed via nslookup/dig as you
mention), check the logs on the name server in question. for example, if
i use dig against a server configured to deny zone xfers as follows:
dig @server somedomain.tld axfr
then i will see (in /var/log/messages, or where ever your name server is
logging, i'm assumming BIND here which is admittedly probably not a good
idea),
Feb 24 18:05:15 server named[328]: denied AXFR from [a.b.c.d].port
for "somedomain.tld" IN (acl)
or something similar... doing a `tail -f /var/log/messages` while running
nessus against the server may be of use. you'll want to ensure such
attempts are being logged anyway, so you know if/when people go poking
around your name servers. (most frequent query on my external servers of
late has been the infamous '.'.)
> I have tried to verify this vulnerability manually with nslookup and
> other tools. Apparently
> a manual DNS zone transfer did not work!
were nessus and nslookup ran from the same machine? perhaps an acl is
only allowing axfr/ixfr from specific hosts/subnets?
-m
---------------------------------------------------------------------------
----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:48 EDT