[Owasp-leaders] Zone transfer

Vishal Garg vishalgrg at gmail.com
Sat Apr 10 22:04:36 EDT 2010


Hi All,

I am a pentester and recently I have not come across a security conscious
ISP allowing zone transfers for a domain. Agreed, that all of the OWASP
domains are already public and there is no sensitive information to disclose
via zone transfers, but I agree with Ralph's point below that zone transfer
is a very basic check that can be found in any security checklist and for
the sake of maintaining OWASP's position in security, I would expect my ISP
to prevent any unauthorized zone transfers. This would not work just for
OWASP, but for other clients of that ISP as well for whom it might be
revealing potentially sensitive information.

- Vishal


On Fri, Apr 9, 2010 at 5:47 PM, Ralph Durkee <rd at rd1.net> wrote:

>  The primary motive for the attack is information disclosure, so there is
> some validity to the counter argument. However it clearly falls in the
> unnecessary feature / service that should be limited, and would be found in
> even the most basic security checklist for DNS. I would think that any ISP,
> especially one that makes any claim for security would find it easier to do
> the right thing and limit zone transfers rather than have to continue to
> explain to any auditors and customers why they are allowing it. Especially
> since it's difficult to know the sensitivity of your customers' DNS
> information. Denied transfers are also a useful indication of
> inappropriate activity.
>
> The authentication I referred to would be for the secondary name servers
> to use digital signatures to request transfers.
> The Center for Internet Security BIND benchmark gets into the how-to of it
> for BIND. (Disclosure: I wrote the original version). I would also be
> willing to donate DNS hosting.
>
>
> -- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GPEN
> Rochester OWASP
>
>
>
> Laurence Casey wrote:
>
>  Ralph,
>
>
>
> I have tried working with my current DNS provider on this issue without
> success. They feel this is not a security risk. The risk is when people use
> DNS for security reasons. As you can see yourself if you do a zone transfer
> that nothing is private or used for security. You also mention zone
> transfers without authentication? Who should be granted this authenticated
> access? If I had security related information in our records, I would
> certainly question everything about OWASP’s infrastructure. I use a third
> party DNS provider who happens to also be a major hosting company and has
> nothing to do with our servers. Also note, that I have been using this same
> DNS provider for 10+ years. In those 10+ years, how many times has OWASP
> been attacked using this zone transfer? What exploits have been the result?
>
>
>
> If somebody on the forum would like to offer a DNS server that does not
> allow zone transfers, I will be more than happy to transfer all the OWASP
> domain names to them.
>
>
>
> --Larry
>
>
>
> *From:* owasp-leaders-bounces at lists.owasp.org
> *On Behalf Of* Ralph Durkee
> *Sent:* Thursday, April 08, 2010 9:03 AM
> *To:* owasp-leaders at lists.owasp.org
> *Subject:* Re: [Owasp-leaders] Zone transfer
>
>
>
> It doesn't make sense for OWASP to use a DNS server that allows zone
> transfers without authentication. This is one of the basics in terms of DNS
> security.
> It's not the kind of open that should be OWASP. If the name servers fail
> in this, are there other issues? Shouldn't we ask about the security and
> then get permission for a test? Most of what we do depends on DNS being
> trusted.
>
>  -- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GPEN
>
> Rochester OWASP
>
>
>
>
>
> Rory McCune wrote:
>
> On Thu, Apr 8, 2010 at 9:49 AM, OWASP Geneva Chapter
> <antonio.fontes at owasp.org> wrote:
>
>  On 8 April 2010 09:00, Erlend Oftedal <Erlend.Oftedal at bekk.no> wrote:
>
>  Hi
> I see this message popping up from time to time on twitter, that owasp.org
> is vulnerable to zone transfer.
> I guess that’s something we want to fix.
> “RT @maxisoler: +1 WTF?! RT: @Jabra: Wtf owasp.org is still vulnerable to
> zone transfer!”
> Erlend
>
>  Hi Leaders,
>
> The initial security requirement dictates that zone content disclosure
> should be restricted in order to reduce the risk of hidden/internal
> hosts disclosure (which we could even argue it's a "security by
> obfuscation" practice).
>
> Keeping it open might also mean we did our work correctly, applied
> basic risk assessment, and stick to our "openness" principle.
>
> (okay okay, devil's advocate now heading towards the exit door)
>
> Antonio
>
>  I'd agree in that there shouldn't be "private" information available
> in public DNS as there are other ways (eg, DNS brute-force) to get
> access to that kind of information.
>
> That said, from a PR perspective, it may not look good for us to have
> something present in our security posture which is generally
> considered a "bad thing", so probably worth changing...
>
> my 0.02 of local currency.
>
> cheers
>
> Rory
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders


-- 
Vishal Garg
Web Security Specialist

Blog: http://www.ethicalhack.co.uk
Twitter: http://www.twitter.com/vishalgrg
Linkedin: http://www.linkedin.com/in/vishalgrg
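
Added example, not part of the original thread: the quoted remark that denied transfers are a useful indication of inappropriate activity can be acted on by summarising refused AXFR/IXFR requests from the name server log. The log lines are constructed and modelled on BIND 9 messages (the exact format is an assumption), and the function names and the secondary address 192.0.2.53 are hypothetical.

```python
import re

# Constructed sample lines, modelled on BIND 9 log messages (format is an assumption).
SAMPLE_LOG = """\
10-Apr-2010 21:58:02.114 security: error: client 198.51.100.23#40112 (example.org): zone transfer 'example.org/AXFR/IN' denied
10-Apr-2010 21:58:03.201 security: error: client 198.51.100.23#40113 (example.net): zone transfer 'example.net/AXFR/IN' denied
10-Apr-2010 22:01:44.870 xfer-out: info: client 192.0.2.53#53011 (example.org): transfer of 'example.org/IN': AXFR started
10-Apr-2010 22:03:10.006 security: error: client 203.0.113.7#51877 (example.org): zone transfer 'example.org/IXFR/IN' denied
10-Apr-2010 22:03:11.500 security: error: client 2001:db8::5#51878 (example.org): zone transfer 'example.org/AXFR/IN' denied
10-Apr-2010 22:05:00.000 security: error: client 192.0.2.53#53012 (example.net): zone transfer 'example.net/AXFR/IN' denied
garbage line that should be ignored
"""

# The optional "@0x..." token covers releases that log a client object address.
DENIED = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f:.]+)#\d+"
    r".*?: zone transfer '(?P<zone>[^/']+)/(?P<qtype>AXFR|IXFR)/\w+' denied"
)

def denied_transfers(log_text):
    """Yield (client_ip, zone, qtype) for every refused transfer request."""
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            yield m["ip"], m["zone"].lower(), m["qtype"]

def summarize(log_text, secondaries=frozenset()):
    """Group denials by client. A denial from a known secondary points at a
    broken key or ACL rather than at probing, so it is marked separately."""
    report = {}
    for ip, zone, _qtype in denied_transfers(log_text):
        entry = report.setdefault(
            ip, {"count": 0, "zones": set(), "known_secondary": ip in secondaries})
        entry["count"] += 1
        entry["zones"].add(zone)
    return report

def suspicious(report, min_zones=2):
    """Unknown clients that were refused transfers for several zones."""
    return sorted(ip for ip, e in report.items()
                  if not e["known_secondary"] and len(e["zones"]) >= min_zones)

if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG, secondaries={"192.0.2.53"})
    for ip, e in sorted(rep.items()):
        print(ip, e["count"], sorted(e["zones"]), e["known_secondary"])
    print("multi-zone:", suspicious(rep))
```
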