Zone transfer is a feature that, when a domain has more than one name server, lets the other name servers pull the zone from the primary DNS server so that they can keep their zone contents up to date.

The common configuration mistake here is that, instead of listing the IP addresses of the other DNS servers that will perform zone transfers as the permitted source IPs, zone transfer is opened to everyone (ANY). By pulling a zone from a DNS server whose zone transfer is open to ANY, all the subdomains belonging to a website can be obtained, and attack attempts can be launched from there.

As an example, I have used the zone transfer weakness of university X (http://www.example.com), one of the universities that ranks near the top of the world lists :)

First, the dig command for finding the NS servers of a domain is as follows:
root@bt:~# dig NS example.com
;; ANSWER SECTION:
example.com. 24301 IN NS dns0.inf.example.com.
example.com. 24301 IN NS cancer.ucs.example.com.
example.com. 24301 IN NS dns2.inf.example.com.
example.com. 24301 IN NS dns1.inf.example.com.
example.com. 24301 IN NS lewis.ucs.example.com.
example.com. 24301 IN NS xlab-0.example.com.
You may need to try these NS servers one by one. We need to find the one that holds the zone and has transfers open to ANY. If we do not want to try them one by one, we can give the list of these NS servers to the dnsenum Perl script as a file and have it check zone transfer on all of them at once.
On a Linux system, the command to perform a zone transfer with dig is as follows:
root@bt:~# dig @xlab-0.example.com example.com axfr | more
; <<>> DiG 9.7.0-P1 <<>> @xlab-0.example.com example.com axfr
; (1 server found)
;; global options: +cmd
example.com. 86400 IN SOA dns0.example.com. hostmaster.ed.ac.uk. 2012022200 1800 900 864000 86400
example.com. 86400 IN MX 5 renko.ucs.example.com.
example.com. 86400 IN MX 5 pascoe.ucs.example.com.
example.com. 86400 IN MX 5 dalziel.ucs.example.com.
example.com. 86400 IN NS dns0.inf.example.com.
example.com. 86400 IN NS dns1.inf.example.com.
example.com. 86400 IN NS dns2.inf.example.com.
example.com. 86400 IN NS lewis.ucs.example.com.
example.com. 86400 IN NS cancer.ucs.example.com.
example.com. 86400 IN NS xlab-0.example.com.
6-daysample.example.com. 86400 IN CNAME psy-b6-2.psy.example.com.
www.6-daysample.example.com. 86400 IN CNAME psy-b6-2.psy.example.com.
_msdcs.example.com. 900 IN NS oban.ucs.example.com.
_msdcs.example.com. 900 IN NS kelso.ucs.example.com.
_msdcs.example.com. 900 IN NS leven.ucs.example.com.
_msdcs.example.com. 900 IN NS crieff.ucs.example.com.
_msdcs.example.com. 900 IN NS aviemore.ucs.example.com.
_msdcs.example.com. 900 IN NS cromarty.ucs.example.com.
mouse-db.bioservices.aaps.example.com. 86400 IN A 129.215.10.26
www.bioservices.aaps.example.com. 86400 IN CNAME kb-iis-1.ucs.example.com.
www.intra.aaps.example.com. 86400 IN CNAME spike.mis.example.com.
www.pgrt.aaps.example.com. 86400 IN CNAME kb-iis-1.ucs.example.com.
www.scwg.aaps.example.com. 86400 IN CNAME kb-iis-1.ucs.example.com.
www.aaps.example.com. 86400 IN CNAME kb-iis-1.ucs.example.com.
abm.example.com. 86400 IN NS dns0.inf.example.com.
abm.example.com. 86400 IN NS dns1.inf.example.com.
abm.example.com. 86400 IN NS dns2.inf.example.com.
abm.example.com. 86400 IN NS lewis.ucs.example.com.
abm.example.com. 86400 IN NS cancer.ucs.example.com.
abm.example.com. 86400 IN NS xlab-0.example.com.
www.acadreg.example.com. 86400 IN CNAME spike.mis.example.com.
www.pgaf.acaffairs.example.com. 86400 IN CNAME kb-iis-1.ucs.example.com.
www.test.acaffairs.example.com. 86400 IN CNAME mis-adam.mis.example.com.
www.acaffairs.example.com. 86400 IN CNAME kb-iis-1.ucs.example.com.
www.appform.accom.example.com. 900 IN CNAME accmcls.ucs.example.com.
www.book.accom.example.com. 86400 IN CNAME accmh2.ucs.example.com.
www-test.book.accom.example.com. 86400 IN CNAME mis-xander.mis.example.com.
www.booking.accom.example.com. 900 IN CNAME accmcls.ucs.example.com.
This goes on and on. As can be seen, the zone was transferred from the primary NS server. The subdomains listed here can be used in various attacks. Unfortunately, this weakness still exists in many public and private institutions in our country as well.
Let's do the same thing on Windows using nslookup:
C:\Users\ERD>nslookup
Varsayılan Sunucu: google-public-dns-a.google.com
Address: 8.8.8.8
> set type=ns
> example.com
Sunucu: google-public-dns-a.google.com
Address: 8.8.8.8
DNS request timed out.
timeout was 2 seconds.
Güvenilir olmayan yanıt:
example.com nameserver = dns1.inf.example.com
example.com nameserver = dns2.inf.example.com
example.com nameserver = cancer.ucs.example.com
example.com nameserver = lewis.ucs.example.com
example.com nameserver = xlab-0.example.com
example.com nameserver = dns0.inf.example.com
> server xlab-0.example.com
DNS request timed out.
timeout was 2 seconds.
Varsayılan Sunucu: xlab-0.example.com
Address: 129.215.168.33
> ls -d example.com
[xlab-0.example.com]
example.com. SOA dns0.example.com hostmaster.example.com. (2012022600 1800 900 864000 86400)
example.com. MX 5 renko.ucs.example.com
example.com. MX 5 pascoe.ucs.example.com
example.com. MX 5 dalziel.ucs.example.com
example.com. NS dns0.inf.example.com
example.com. NS dns1.inf.example.com
example.com. NS dns2.inf.example.com
example.com. NS lewis.ucs.example.com
example.com. NS cancer.ucs.example.com
example.com. NS xlab-0.example.com
6-daysample CNAME psy-b6-2.psy.example.com
www.6-daysample CNAME psy-b6-2.psy.example.com
_msdcs NS oban.ucs.example.com
_msdcs NS kelso.ucs.example.com
_msdcs NS leven.ucs.example.com
_msdcs NS crieff.ucs.example.com
_msdcs NS aviemore.ucs.example.com
_msdcs NS cromarty.ucs.example.com
_msdcs NS roslin-dc.ucs.example.com
_msdcs NS roslin-dc2.ucs.example.com
_sites NS oban.ucs.example.com
_sites NS kelso.ucs.example.com
_sites NS leven.ucs.example.com
_sites NS crieff.ucs.example.com
_sites NS aviemore.ucs.example.com
_sites NS cromarty.ucs.example.com
_sites NS roslin-dc.ucs.example.com
_sites NS roslin-dc2.ucs.example.com
_tcp NS oban.ucs.example.com
_tcp NS kelso.ucs.example.com
_tcp NS leven.ucs.example.com
_tcp NS crieff.ucs.example.com
_tcp NS aviemore.ucs.example.com
_tcp NS cromarty.ucs.example.com
_tcp NS roslin-dc.ucs.example.com
_tcp NS roslin-dc2.ucs.example.com
_udp NS oban.ucs.example.com
_udp NS kelso.ucs.example.com
_udp NS leven.ucs.example.com
_udp NS crieff.ucs.example.com
_udp NS aviemore.ucs.example.com
_udp NS cromarty.ucs.example.com
_udp NS roslin-dc.ucs.example.com
_udp NS roslin-dc2.ucs.example.com
mouse-db.bioservices.aaps A 129.215.10.26
www.bioservices.aaps CNAME kb-iis-1.ucs.example.com
www.intra.aaps CNAME spike.mis.example.com
www.pgrt.aaps CNAME kb-iis-1.ucs.example.com
www.scwg.aaps CNAME kb-iis-1.ucs.example.com
www.aaps CNAME kb-iis-1.ucs.example.com
abm NS dns0.inf.example.com
abm NS dns1.inf.example.com
abm NS dns2.inf.example.com
abm NS lewis.ucs.example.com
abm NS cancer.ucs.example.com
abm NS xlab-0.example.com
www.acadreg CNAME spike.mis.example.com
www.pgaf.acaffairs CNAME kb-iis-1.ucs.example.com
www.test.acaffairs CNAME mis-adam.mis.example.com
www.acaffairs CNAME kb-iis-1.ucs.example.com
www.appform.accom CNAME accmcls.ucs.example.com
www.book.accom CNAME accmh2.ucs.example.com
www-test.book.accom CNAME mis-xander.mis.example.com
www.booking.accom CNAME accmcls.ucs.example.com
www-test.booking.accom CNAME mis-xander.mis.example.com
wwwtest2.booking.accom CNAME mis-xander.mis.example.com
www.catering.accom CNAME accmcls.ucs.example.com
www.contracts.accom CNAME accm-vwww1.ucs.example.com
www.dev.accom CNAME spike.mis.example.com
www.dev-oapp.accom CNAME ted.mis.example.com
www.examplefirst.accom CNAME accmcls.ucs.example.com
www-test.examplefirst.accom CNAME mis-xander.mis.example.com
www.flats.accom CNAME accmcls.ucs.example.com
www-test.flats.accom CNAME mis-xander.mis.example.com
www.intra.accom CNAME marzipan.ucs.example.com
www.ipams.accom CNAME earn.mis.example.com
www-train.ipams.accom CNAME duich.mis.example.com
www.kxweb.accom CNAME accm-vwww2.ucs.example.com
www.livetest-catering.accom CNAME mis-xander-vwww7.mis.example.com
www.menus.accom CNAME accmcls.ucs.example.com
www-test.menus.accom CNAME mis-xander.mis.example.com
www.salisburygreen.accom CNAME accmcls.ucs.example.com
www-test.salisburygreen.accom CNAME mis-xander.mis.example.com
www.simply.accom CNAME accmcls.ucs.example.com
www.studenthomes.accom CNAME accmcls.ucs.example.com
www-test.studenthomes.accom CNAME mis-xander.mis.example.com
www.test-catering.accom CNAME mis-xander-vwww5.mis.example.com
www.test-contracts.accom CNAME mis-xander-vwww2.mis.example.com
www.test-kxweb.accom CNAME mis-xander-vwww3.mis.example.com
www.test2-kxweb.accom CNAME mis-xander.mis.example.com
www.testappform.accom CNAME mis-xander.mis.example.com
www.accom CNAME kb-iis-1.ucs.example.com
www.accord CNAME webhost1.is.example.com
ace NS dns0.inf.example.com
ace NS dns1.inf.example.com
ace NS dns2.inf.example.com
ace NS lewis.ucs.example.com
ace NS cancer.ucs.example.com
ace NS xlab-0.example.com
acf NS lewis.ucs.example.com
acf NS cancer.ucs.example.com
www.acss CNAME spike.mis.example.com
activedir NS thanatos.activedir.example.com
thanatos.activedir A 129.215.149.215
demas.activedirdev A 129.215.149.182
www.intra.admin CNAME spike.mis.example.com
adtest NS dns0.inf.example.com
adtest NS dns1.inf.example.com
adtest NS dns2.inf.example.com
adtest NS lewis.ucs.example.com
adtest NS cancer.ucs.example.com
adtest NS xlab-0.example.com
aers MX 10 firstclass2.comcation.example.com
www.aers CNAME morse.ucs.example.com
ai MX 5 virtualrelay.inf.example.com
ai MX 7 renko.ucs.example.com
ai MX 7 pascoe.ucs.example.com
ai MX 7 dalziel.ucs.example.com
aiai NS dns0.inf.example.com
aiai NS dns1.inf.example.com
aiai NS dns2.inf.example.com
aiai NS lewis.ucs.example.com
aiai NS cancer.ucs.example.com
aiai NS xlab-0.example.com
aifh MX 5 virtualrelay.inf.example.com
aifh MX 7 renko.ucs.example.com
aifh MX 7 pascoe.ucs.example.com
aifh MX 7 dalziel.ucs.example.com
aipna MX 5 virtualrelay.inf.example.com
aipna MX 7 renko.ucs.example.com
aipna MX 7 pascoe.ucs.example.com
aipna MX 7 dalziel.ucs.example.com
aisb MX 5 virtualrelay.inf.example.com
aisb MX 7 renko.ucs.example.com
aisb MX 7 pascoe.ucs.example.com
aisb MX 7 dalziel.ucs.example.com
aiva MX 5 virtualrelay.inf.example.com
aiva MX 7 renko.ucs.example.com
aiva MX 7 pascoe.ucs.example.com
aiva MX 7 dalziel.ucs.example.com
www.alwaleed CNAME webhost1.is.example.com
www.alzscotdrc CNAME vox.ppls.example.com
ana NS dns0.inf.example.com
ana NS dns1.inf.example.com
ana NS dns2.inf.example.com
ana NS lewis.ucs.example.com
ana NS cancer.ucs.example.com
ana NS xlab-0.example.com
www.anaesthesiapractice CNAME srv1ltsmvm.mvm.example.com
It continues like this. The host command and Perl scripts such as dnsenum.pl and fierce.pl can also be used for zone transfers.
What we need to do to protect ourselves from this weakness is very simple. I have used the BIND DNS server as the example.
If we want only localhost and the secondary DNS server to be able to perform zone transfers, and requests from all other remote systems to be denied, we enter the permitted source IP addresses under allow-transfer in /etc/named.conf. That is all.
    options {
        directory "/usr/local/named";   // directory for zone files
        allow-transfer {
            127.0.0.1;                  // localhost
            35.6.42.6;                  // secondary DNS server
        };
    };
From now on, only the IP addresses listed here will be able to perform zone transfers; zone transfer requests from all other IP addresses will be denied. Zone transfers take place over TCP port 53. This of course does not mean that we can perform a zone transfer from every DNS server that has TCP port 53 open. As in the example above, permission may have been granted only to specific IP addresses.
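An added example (not from the original post): a small Python audit that reads a named.conf and reports, per zone, whether allow-transfer is open to any, restricted to listed sources as in the configuration above, or not set at all. The sample configuration and its zone names are constructed for illustration, and the parser is a simplification that does not resolve named acl or view-level statements.

```python
import re

# Constructed sample configuration (not from the original post): the options
# block mirrors the one above; the three zones are made up for illustration.
SAMPLE_CONF = '''
options {
    directory "/usr/local/named";   // directory for zone files
    allow-transfer {
        127.0.0.1;                  // localhost
        35.6.42.6;                  // secondary DNS server
    };
};
zone "example.com" { type master; file "example.com.db"; allow-transfer { any; }; };
zone "intra.example.com" { type master; file "intra.db"; allow-transfer { 35.6.42.6; }; };
zone "lab.example.com" { type master; file "lab.db"; };
'''

def strip_comments(text):
    """Remove /* */, // and # comments (assumes no comment markers inside quoted strings)."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#).*', '', text)

def block_body(text, open_idx):
    """Return the text between the brace at open_idx and its matching close brace."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in configuration")

def transfer_acl(body):
    """List the elements of the allow-transfer statement in body, or None if there is none."""
    m = re.search(r'\ballow-transfer\s*\{', body)
    if m is None:
        return None
    return [e.strip() for e in block_body(body, m.end() - 1).split(';') if e.strip()]

def audit(conf_text):
    """Map each zone name to (status, effective ACL); a zone without its own
    allow-transfer inherits the one from the options block."""
    text = strip_comments(conf_text)
    opts = re.search(r'\boptions\s*\{', text)
    default = transfer_acl(block_body(text, opts.end() - 1)) if opts else None
    report = {}
    for z in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', text):
        own = transfer_acl(block_body(text, z.end() - 1))
        acl = own if own is not None else default
        if acl is None:
            status = "UNSET"        # server's built-in default applies: review
        elif "any" in acl:
            status = "OPEN"         # the misconfiguration described in the post
        elif acl == ["none"]:
            status = "DISABLED"
        else:
            status = "RESTRICTED"   # only the listed sources may transfer
        report[z.group(1)] = (status, acl)
    return report

if __name__ == "__main__":
    for zone, (status, acl) in audit(SAMPLE_CONF).items():
        print(f"{zone:20} {status:10} {acl}")
```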
Especially for web applications, having all the test platforms under subdomains will be an important starting point for an attacker who has targeted the root domain.
Test environments, FTP addresses, webmail, etc. etc.. a webshell dropped on one of them, an account taken over, or a SQL injection found there finishes the job anyway..