[Owasp-leaders] Zone transfer

Laurence Casey larry.casey at owasp.org
Fri Apr 9 10:18:06 EDT 2010



I have tried working with my current DNS provider on this issue without
success. They feel this is not a security risk. The risk is when people use
DNS for security reasons. As you can see yourself if you do a zone transfer
that nothing is private or used for security. You also mention zone
transfers without authentication? Who should be granted this authenticated
access? If I had security related information in our records, I would
certainly questions everything about OWASP's infrastructure. I use a third
party DNS provider who happens to also be a major hosting company and has
nothing to do with our servers. Also note, that I have been using this same
DNS provider for 10+ years. In those 10+ years, how many times has OWASP
been attacked using this zone transfer? What exploits have been the result? 


If somebody on the forum would like to offer a DNS server that does not
allow zone transfers, I will be more than happy to transfer all the OWASP
domain names to them.




From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Ralph Durkee
Sent: Thursday, April 08, 2010 9:03 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Zone transfer


It doesn't make sense for OWASP to use a DNS server that allows zone
transfers without authentication. This is one of the basics in terms of DNS
It's not the kind of open that should be OWASP.   If the name servers fail
in this are there other issues?  We shouldn't we ask about the security and
then get permission for a test? Most of what we do depends on DNS being

-- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GPEN
Rochester OWASP

Rory McCune wrote: 

On Thu, Apr 8, 2010 at 9:49 AM, OWASP Geneva Chapter
 <mailto:antonio.fontes at owasp.org> <antonio.fontes at owasp.org> wrote:

On 8 April 2010 09:00, Erlend Oftedal  <mailto:Erlend.Oftedal at bekk.no>
<Erlend.Oftedal at bekk.no> wrote:

I see this message popping up from time to time on twitter, that owasp.org
is vulnerable to zone transfer.
I guess that's something we want to fix.
"RT @maxisoler: +1 WTF?! RT: @Jabra: Wtf owasp.org is still vulnerable to
zone transfer!"

Hi Leaders,
The initial security requirement dictates that zone content disclosure
should be restricted in order to reduce the risk of hidden/internal
hosts disclosure (which we could even argue it's a "security by
obfuscation" practice).
Keeping it open might also mean we did our work correctly, applied
basic risk assessment, and stick to our "openness" principle.
(okay okay, devil's advocate now heading towards the exit door)

I'd agree in that there shouldn't be "private" information available
in public DNS as there are other ways (eg, DNS brute-force) to get
access to that kind of information.
That said, from a PR perspective, it may not look good for us to have
something present in our security posture which is generally
considered a "bad thing", so probably worth changing...
my 0.02 of local currency.
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20100409/2fabbf21/attachment-0001.html 

More information about the OWASP-Leaders mailing list