
Xname.org vulnerability

The other day I found an unpleasant vulnerability in the popular DNS hosting service XName.org.
The problem is that ns2.xname.org allows a full zone transfer (an AXFR request) of any zone hosted on it, regardless of where the request comes from.
For example:

porfel@porfel-laptop:~$ dig xname.org @ns2.xname.org axfr

; <<>> DiG 9.6.1-P2 <<>> xname.org @ns2.xname.org axfr
;; global options: +cmd
xname.org. 600 IN SOA ns0.xname.org. yann.hirou.org. 2009030501 600 1800 3600000 10800
xname.org. 600 IN TXT "v=spf1 a:vhosting.freexion.net a:ns0.xname.org a:ns1.xname.org a:ns2.xname.org a:g1.xname.org ip4:195.234.42.0/24 ~all"
xname.org. 600 IN NS ns0.xname.org.
xname.org. 600 IN NS ns1.xname.org.
xname.org. 600 IN NS ns2.xname.org.
xname.org. 600 IN NS ns3.xtremeweb.de.
xname.org. 600 IN MX 10 mxg1.freexion.net.
xname.org. 600 IN MX 20 mx2.oav.net.
xname.org. 600 IN A 92.243.14.172
demo.xname.org. 600 IN CNAME www.xname.org.
dev.xname.org. 600 IN CNAME www.xname.org.
error.xname.org. 600 IN A 193.218.105.155
g1.xname.org. 600 IN A 92.243.14.172
myip.xname.org. 600 IN CNAME www.xname.org.
ns0.xname.org. 600 IN A 195.234.42.1
ns1.xname.org. 600 IN A 87.98.164.164
ns2.xname.org. 600 IN AAAA 2a01:e0b:1:64:240:63ff:fee8:6155
ns2.xname.org. 600 IN A 88.191.64.64
o1.xname.org. 600 IN A 91.121.207.58
o1b.xname.org. 600 IN A 87.98.135.241
source.xname.org. 600 IN CNAME www.xname.org.
test.xname.org. 600 IN NS ns0.xname.org.
test.xname.org. 600 IN NS ns1.xname.org.
url.xname.org. 600 IN CNAME www.xname.org.
www.xname.org. 600 IN CNAME g1.xname.org.
xname.org. 600 IN SOA ns0.xname.org. yann.hirou.org. 2009030501 600 1800 3600000 10800
;; Query time: 147 msec
;; SERVER: 88.191.64.64#53(88.191.64.64)
;; WHEN: Tue Mar 23 01:36:15 2010
;; XFR size: 26 records (messages 3, bytes 791)

porfel@porfel-laptop:~$


When the same zone is requested from any other of its authoritative DNS servers, we get the expected refusal:
porfel@porfel-laptop:~$ dig xname.org @ns0.xname.org axfr

; <<>> DiG 9.6.1-P2 <<>> xname.org @ns0.xname.org axfr
;; global options: +cmd
; Transfer failed.
porfel@porfel-laptop:~$


From this it follows that the operators did not intend to give this zone out at all.
I checked this assumption on my own domains (where transfer is allowed only to the authoritative servers): ns2 hands out the entire zone in exactly the same way, regardless of whether transfers are permitted in the configuration or not.
Thus roughly 175,000 domains that use XName as their DNS hosting are at risk.
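The test described above (try AXFR against every authoritative server of a zone and see which ones answer) is easy to automate. The script below is an added example written for this page, not code from the original post or from XName; it shells out to the same `dig` command used in the transcripts and parses its output. The domain example.org, the server names ns0/ns2.example.org and the two sample outputs are constructed for the offline demo and stand in for the real xname.org transcript; with real arguments it runs the live check.

```python
#!/usr/bin/env python3
"""Find which authoritative name servers of a zone answer AXFR to an outsider.

Added example for this page (not the post's or XName's code). Uses the
system `dig`, exactly as the post does; the parsing is testable offline.
"""
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# One resource record from an AXFR answer: (owner, ttl, class, type, rdata)
Record = Tuple[str, int, str, str, str]

# dig prints records as: owner  TTL  class  type  rdata
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH|HS)\s+([A-Z0-9]+)\s+(.*)$")

# Constructed sample outputs, modelled on the post's transcripts (shortened).
SAMPLE_LEAK = """\
; <<>> DiG 9.6.1-P2 <<>> example.org @ns2.example.org axfr
;; global options: +cmd
example.org.\t600\tIN\tSOA\tns0.example.org. hostmaster.example.org. 2009030501 600 1800 3600000 10800
example.org.\t600\tIN\tNS\tns0.example.org.
example.org.\t600\tIN\tNS\tns2.example.org.
example.org.\t600\tIN\tA\t192.0.2.10
secret-admin.example.org.\t600\tIN\tA\t192.0.2.11
example.org.\t600\tIN\tSOA\tns0.example.org. hostmaster.example.org. 2009030501 600 1800 3600000 10800
;; Query time: 147 msec
"""
SAMPLE_REFUSED = """\
; <<>> DiG 9.6.1-P2 <<>> example.org @ns0.example.org axfr
;; global options: +cmd
; Transfer failed.
"""


def run_dig(domain: str, nameserver: str, timeout: int = 15) -> str:
    """Run `dig <domain> @<nameserver> axfr` and return its stdout."""
    proc = subprocess.run(
        ["dig", "+time=5", "+tries=1", domain, f"@{nameserver}", "axfr"],
        capture_output=True, text=True, timeout=timeout, check=False,
    )
    return proc.stdout


def parse_axfr_output(text: str) -> Optional[List[Record]]:
    """Parse dig AXFR output into records.

    Returns None when the server refused ("; Transfer failed.") or when the
    answer is not a complete zone (a real AXFR starts and ends with the SOA).
    """
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            if "Transfer failed" in line:
                return None
            continue
        m = RR_LINE.match(line)
        if m:
            owner, ttl, cls, rtype, rdata = m.groups()
            records.append((owner, int(ttl), cls, rtype, rdata))
    soa = [r for r in records if r[3] == "SOA"]
    if len(soa) < 2 or records[0][3] != "SOA" or records[-1][3] != "SOA":
        return None
    return records


def nameservers_from_zone(records: List[Record], domain: str) -> List[str]:
    """Apex NS hostnames (trailing dot removed), e.g. to feed into check_domain."""
    apex = domain.rstrip(".") + "."
    return sorted({r[4].rstrip(".") for r in records if r[0] == apex and r[3] == "NS"})


def check_domain(domain: str, nameservers: List[str],
                 run: Callable[[str, str], str] = run_dig) -> Dict[str, Optional[int]]:
    """Return {nameserver: record count if AXFR was allowed, else None}."""
    result: Dict[str, Optional[int]] = {}
    for ns in nameservers:
        records = parse_axfr_output(run(domain, ns))
        result[ns] = len(records) if records is not None else None
    return result


def demo_runner(domain: str, ns: str) -> str:
    """Fake `dig` for the offline demo: only ns2 leaks, like in the post."""
    return SAMPLE_LEAK if ns == "ns2.example.org" else SAMPLE_REFUSED


def demo() -> Dict[str, Optional[int]]:
    return check_domain("example.org", ["ns0.example.org", "ns2.example.org"], run=demo_runner)


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:   # usage: axfr_check.py <domain> <ns1> [<ns2> ...]
        report = check_domain(sys.argv[1], sys.argv[2:])
    else:
        report = demo()
    for ns, count in report.items():
        print(f"{ns}: {'AXFR ALLOWED, ' + str(count) + ' records' if count else 'refused'}")
```

Any server reported with a record count is the one to worry about: it gives a full inventory of the zone (including names like secret-admin above) to anyone who asks, whatever the zone's own transfer ACL says.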

My advice to users of this service: be careful and do not put anything secret in your zone. And if you do have "secret" subdomains, protect them with proper authentication rather than relying on their names staying unknown.
Thanks for your attention.

PS: A letter describing the problem and asking for it to be fixed was sent to the service's administration on Wednesday, but so far there has been neither an answer nor even an acknowledgement...

Source: https://habr.com/ru/post/88545/
