[Owasp-leaders] Zone transfer

Ralph Durkee rd at rd1.net
Fri Apr 9 15:12:54 EDT 2010


I think the main risk comes not so much from the zone transfers, but if 
they don't seem to understand the need to implement minimal features and 
least privilege, then what else is it they may not be understanding or 
may not be doing?  Did the ISP provide a reason why zone transfers need 
to be wide open for the OWASP domain?  

-- Ralph



Laurence Casey wrote:
>
> I agree entirely on the reason for not allowing zone transfers. 
> BUT...... Allowing them in itself is not a "Security Risk". It is how 
> people use DNS that becomes the risk. Just a blanket statement of not 
> allowing them is no justification for considering a site insecure.
>
> Agree, not knowing of a compromise is irrelevant. Rephrase- What 
> compromise would have occurred? Nothing sensitive has ever been in our 
> DNS. And as long as I am in control of the DNS records, nothing will 
> ever be. I can guarantee that.
>
> All that and, if it were my DNS servers, I would not allow it just so 
> people can't tell me this same information. I'm still not seeing the 
> vulnerability here, but I would be happy to take up Ralph's offer for 
> a DNS server that does not allow zone transfers.
>
> --Larry
>
> From: owasp-leaders-bounces at lists.owasp.org 
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Peter 
> Perfetti
> Sent: Friday, April 09, 2010 12:59 PM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Zone transfer
>
> My $.02:
>
> Zone transfers are restricted to prevent unauthorized disclosure of 
> internal machines and network enumeration.
>
> The fact that no one knows of a past compromise is irrelevant. It is a 
> potential point of exploitation. Just because you don't know about a 
> past breach doesn't mean it hasn't occurred.
>
> Perhaps there is nothing sensitive in there now, but can anyone 
> guarantee that no sensitive information will ever be present?
>
> If a service provider "feels" then perhaps they're not "thinking". 
> Restricting zone transfers is considered "best practice" for a reason. 
> I usually include DNS in risk assessments and pen tests, and try to 
> exploit them and whatever information I find whenever possible.
>
> There is also the reputational aspect that a security-centric 
> organization does not follow network and system best security practice 
> when we preach our own standards.
>
> I'd be happy to weigh in more on service provider criteria and 
> oversight if anyone wishes.
>
> -
> Pete
>
>
> -
> Peter Perfetti
> Chapter Leader
> NY/NJ Metro Chapter
> OWASP
> peter.perfetti at owasp.org
> -
>
> On Fri, Apr 9, 2010 at 9:18 AM, Laurence Casey <larry.casey at owasp.org> wrote:
>
> Ralph,
>
> I have tried working with my current DNS provider on this issue 
> without success. They feel this is not a security risk. The risk is 
> when people use DNS for security reasons. As you can see yourself if 
> you do a zone transfer, nothing is private or used for security. 
> You also mention zone transfers without authentication? Who should be 
> granted this authenticated access? If I had security related 
> information in our records, I would certainly question everything 
> about OWASP's infrastructure. I use a third party DNS provider who 
> happens to also be a major hosting company and has nothing to do with 
> our servers. Also note that I have been using this same DNS provider 
> for 10+ years. In those 10+ years, how many times has OWASP been 
> attacked using this zone transfer? What exploits have been the result?
>
> If somebody on the forum would like to offer a DNS server that does 
> not allow zone transfers, I will be more than happy to transfer all 
> the OWASP domain names to them.
>
> --Larry
>
> From: owasp-leaders-bounces at lists.owasp.org 
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Ralph 
> Durkee
> Sent: Thursday, April 08, 2010 9:03 AM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Zone transfer
>
> It doesn't make sense for OWASP to use a DNS server that allows zone 
> transfers without authentication. This is one of the basics in terms 
> of DNS security.
> It's not the kind of open that should be OWASP.   If the name servers 
> fail in this, are there other issues?  Shouldn't we ask about the 
> security and then get permission for a test? Most of what we do 
> depends on DNS being trusted. 
>
> -- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GPEN
> Rochester OWASP
>
> Rory McCune wrote:
>
> On Thu, Apr 8, 2010 at 9:49 AM, OWASP Geneva Chapter
> <antonio.fontes at owasp.org> wrote:
>
>     On 8 April 2010 09:00, Erlend Oftedal <Erlend.Oftedal at bekk.no> wrote:
>
>         Hi
>
>         I see this message popping up from time to time on twitter, that owasp.org
>         is vulnerable to zone transfer.
>
>         I guess that's something we want to fix.
>
>         "RT @maxisoler: +1 WTF?! RT: @Jabra: Wtf owasp.org is still vulnerable to
>         zone transfer!"
>
>         Erlend
>
>     Hi Leaders,
>
>     The initial security requirement dictates that zone content disclosure
>     should be restricted in order to reduce the risk of hidden/internal
>     host disclosure (which we could even argue is a "security by
>     obfuscation" practice).
>
>     Keeping it open might also mean we did our work correctly, applied
>     basic risk assessment, and stuck to our "openness" principle.
>
>     (okay okay, devil's advocate now heading towards the exit door)
>
>     Antonio
>
> I'd agree in that there shouldn't be "private" information available
> in public DNS as there are other ways (eg, DNS brute-force) to get
> access to that kind of information.
>  
> That said, from a PR perspective, it may not look good for us to have
> something present in our security posture which is generally
> considered a "bad thing", so probably worth changing...
>  
> my 0.02 of local currency.
>  
> cheers
>  
> Rory
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
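The check the thread keeps coming back to ("do a zone transfer yourself") is normally typed as `dig @<nameserver> <zone> axfr`. The following is an added example, not code from this thread or from OWASP's infrastructure: a standard-library-only Python AXFR client (RFC 5936) that performs the same TCP exchange, plus the response parser run against a constructed reply for a hypothetical zone `example.org` with an `intranet` host at `10.0.0.5` (names, addresses and SOA values are made up for the test data, not captured from any real server). It shows both outcomes Ralph and Peter argue about: an open primary hands over every record, including the "hidden/internal" hosts Antonio mentions, while a restricted primary answers RCODE 5 (REFUSED).

```python
"""Minimal DNS zone transfer (AXFR) client and parser. Added example; stdlib only."""
import socket
import struct

AXFR = 252
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """Encode a dotted domain name as length-prefixed DNS labels (RFC 1035 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """One AXFR query message: 12-byte header, then QNAME / QTYPE=252 / QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)        # flags 0: plain query
    return header + encode_name(zone) + struct.pack("!HH", AXFR, 1)


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past the field)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                                # pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def rcode(msg):
    """Response code from the header; a restricted server answers 5 (REFUSED)."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F


def parse_answers(msg):
    """Return [(owner, type, rdata)] for every RR in the answer section of one message."""
    if rcode(msg) != 0:
        raise ValueError("transfer failed, RCODE=%d" % rcode(msg))
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):                                          # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:
            text = socket.inet_ntoa(rdata)
        elif rtype == 28 and rdlen == 16:
            text = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype in (2, 5, 6):                                 # NS, CNAME, SOA begin with a name
            text, _ = decode_name(msg, off)
        else:
            text = rdata.hex()
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), text))
        off += rdlen
    return records


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-transfer")
        buf += chunk
    return buf


def zone_transfer(server, zone, port=53, timeout=5):
    """Request the whole zone over TCP, like `dig @server zone axfr`. Raises on REFUSED."""
    query = build_axfr_query(zone)
    records, soa_seen = [], 0
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)    # 2-byte length prefix on TCP
        while soa_seen < 2:                                      # zone is bracketed by its SOA
            (length,) = struct.unpack("!H", recv_exact(sock, 2))
            for rec in parse_answers(recv_exact(sock, length)):
                records.append(rec)
                if rec[1] == "SOA":
                    soa_seen += 1
    return records


def sample_open_zone_reply():
    """Constructed reply from a hypothetical primary that allows AXFR (test data, not captured)."""
    ptr = b"\xC0\x0C"                                            # points at QNAME at offset 12
    ns1 = encode_name("ns1.example.org")
    soa = ns1 + encode_name("hostmaster.example.org") + struct.pack("!IIIII", 2010040901, 3600, 900, 604800, 300)
    rr = lambda owner, t, data: owner + struct.pack("!HHIH", t, 1, 3600, len(data)) + data
    body = (rr(ptr, 6, soa) + rr(ptr, 2, ns1)
            + rr(encode_name("intranet.example.org"), 1, socket.inet_aton("10.0.0.5"))
            + rr(ptr, 6, soa))                                   # closing SOA ends the transfer
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 4, 0, 0)  # QR=1, AA=1, RCODE=0
    return header + encode_name("example.org") + struct.pack("!HH", AXFR, 1) + body


def sample_refused_reply():
    """Constructed reply from a server with transfers restricted: QR=1, RCODE=5, no answers."""
    return struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + encode_name("example.org") + struct.pack("!HH", AXFR, 1)


if __name__ == "__main__":
    for rec in parse_answers(sample_open_zone_reply()):
        print(rec)
```

Against a live server, `zone_transfer("ns1.example.org", "example.org")` either returns the full record list or raises with RCODE 5; REFUSED is the result you want from a public primary. On BIND the fix is `allow-transfer { none; };` in `options` (or the zone stanza), then permitting only the secondaries' addresses or, better, a TSIG key (`allow-transfer { key "xfer-key"; };` together with a `key "xfer-key" { ... };` block), which is the "authentication" for zone transfers that Ralph refers to and that Larry asks about.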