A Brief Look at DNS Zone Transfer for Alexa's Top 1M Domains
30 Apr 2015
The Scans.IO project is hosting a new dataset courtesy of Mr. Hanno Böck. It contains the results of scanning Alexa's top 1 million domains for DNS servers that answer unauthenticated Zone Transfer (AXFR) requests.
The purpose of DNS Zone Transfer (AXFR) is to replicate zone data from a primary name server to its secondaries. Access is normally restricted with ACLs (by source address, a signing key, or both), but many DNS servers answer AXFR from anyone and hand out the complete zone: every hostname, address and other record in it, some of which is sensitive. Attackers routinely use this during reconnaissance.
US-CERT even issued an alert on the subject in April 2015: https://www.us-cert.gov/ncas/alerts/TA15-103A
I parsed through the files very briefly using standard command-line tools and found some interesting things.
- There are 67,647 domains exposed, or 6.7% of the Alexa top 1 million scanned.
- There are 47,025 unique DNS servers listed.
- 451 (or 0.95%) appear to contain records indicating the use of DNSSEC.
- 2,282 of the records contain the word intranet
- 285 of the records contain HINFO data
- There are 15,382 HINFO records
- 102 of the DNS servers use the .gov TLD.
- Those .gov servers expose 8,166 records.
- 779 records contain the word password
- Of these, 58 contain both the words password and reset
- 39.5% are .com domain servers
- 26,083 records contain the word proxy.
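As an added example (not part of the post, and not the author's command-line pipeline), the following Python script pulls the kind of counts listed above out of a single zone captured with `dig axfr <zone> @<nameserver>`. The `example.test` zone embedded in it is constructed for the example, and the keyword list and internal-address ranges are my choice of what is worth flagging, not something the dataset defines:

```python
"""Summarise a zone pulled with AXFR, producing the kind of counts listed above.

Added example, not the post's own tooling. It assumes the input is in zone
presentation format as printed by `dig axfr <zone> @<nameserver>` (one RR per
line: owner, TTL, class, type, rdata), which is also how a saved zone file
looks. Lines beginning with ';' are dig commentary and are skipped. The sample
zone below is constructed for the example; the names and addresses are not real.
"""
import ipaddress
from collections import Counter

# Words the post searched for; extend as needed (assumption: these are worth flagging).
SENSITIVE_WORDS = ("intranet", "password", "proxy")
DNSSEC_TYPES = {"DNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DS"}
# RFC 1918 and IPv6 ULA ranges: an exposed zone that names internal hosts is the
# usual reason an AXFR leak matters to an attacker.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample in the shape of `dig axfr example.test @ns1.example.test`.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr example.test @ns1.example.test
example.test.                 3600 IN SOA   ns1.example.test. hostmaster.example.test. 2015043001 7200 900 1209600 3600
example.test.                 3600 IN NS    ns1.example.test.
example.test.                 3600 IN NS    ns2.example.test.
www.example.test.             300  IN A     203.0.113.10
intranet.example.test.        300  IN A     10.0.0.5
proxy.example.test.           300  IN CNAME intranet.example.test.
password-reset.example.test.  300  IN A     203.0.113.22
mail.example.test.            300  IN HINFO "Dell PowerEdge" "Ubuntu 14.04"
example.test.                 3600 IN DNSKEY 257 3 8 QUJDREVGR0hJSktMTU5PUA==
example.test.                 3600 IN SOA   ns1.example.test. hostmaster.example.test. 2015043001 7200 900 1209600 3600
;; Query time: 12 msec
"""


def parse_zone(text):
    """Return a list of (owner, ttl, rtype, rdata) tuples, one per resource record.

    AXFR output begins and ends with the SOA record; both copies are kept so the
    record count matches what the server actually sent.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)          # owner ttl class type [rdata]
        if len(parts) < 4 or parts[2].upper() != "IN" or not parts[1].isdigit():
            continue                         # not an RR line we understand
        owner, ttl, _cls, rtype = parts[:4]
        rdata = parts[4] if len(parts) == 5 else ""
        records.append((owner.lower().rstrip("."), int(ttl), rtype.upper(), rdata))
    return records


def internal_hosts(records):
    """(owner, address) for A/AAAA records that point into private address space."""
    hits = []
    for owner, _ttl, rtype, rdata in records:
        if rtype not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue                         # malformed rdata; skip rather than crash
        if any(addr in net for net in INTERNAL_NETS):
            hits.append((owner, rdata))
    return hits


def summarize(records):
    """Counts in the same spirit as the post: record types, HINFO, DNSSEC, keywords."""
    by_type = Counter(rtype for _o, _t, rtype, _r in records)
    word_hits = {
        w: sum(1 for owner, _t, _ty, rdata in records if w in f"{owner} {rdata}".lower())
        for w in SENSITIVE_WORDS
    }
    return {
        "records": len(records),
        "names": len({owner for owner, *_ in records}),
        "by_type": dict(by_type),
        "hinfo": [(owner, rdata) for owner, _t, rtype, rdata in records if rtype == "HINFO"],
        "dnssec": any(rtype in DNSSEC_TYPES for _o, _t, rtype, _r in records),
        "word_hits": word_hits,
        "internal_hosts": internal_hosts(records),
    }


if __name__ == "__main__":
    import sys
    # Pipe real `dig axfr` output in, or run without input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AXFR
    for key, value in summarize(parse_zone(text)).items():
        print(f"{key}: {value}")
```

Run it as `dig axfr example.test @ns1.example.test | python3 axfr_summary.py` against a zone you are authorised to query; the HINFO and internal-address findings are the ones worth reporting to the zone owner, since they are exactly what an attacker reads out of an open transfer.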
Top 15 DNS Domains by Count of Exposed Domains
- xserver.jp – 11022
- secure.net – 2003
- mainnameserver.com – 1689
- pointhq.com – 1187
- linuxpl.com – 1010
- firstvds.ru – 920
- sedoparking.com – 902
- sixcore.ne.jp – 878
- wpx.ne.jp – 875
- dnsexit.com – 820
- a2hosting.com – 727
- parklogic.com – 722
- netsons.com – 662
- 1gb.ru – 597
- linode.com – 508
Number of DNS Servers by TLD
- .com – 18598
- .net – 5982
- .ru – 3380
- .org – 1384
- .pl – 1237
- .br – 1170
- .jp – 1168
- .ir – 970
- .de – 628
- .uk – 551
- .nl – 532
- .ua – 514
- .tw – 514
- .kr – 479
- .info – 444
Looks like there may be some nasty domains with enough traffic to be listed in the Alexa top 1 million too:
axfr loginj.com @ns1-king.vivawebhost.com.
This domain has about 1,400 subdomains, all of which appear to be phishing related.
According to Alexa, 91.5% of visitors to this site are from the US, while the domain itself is registered to someone in Australia:
Registrant City: Deer Park
Registrant State/Province: Victoria
Registrant Postal Code: 3023
Registrant Country: Australia
So now what?
I did reach out to US-CERT and to one of the VPS providers on the list.
The response from the provider was:
Thank you for bringing this to our attention. While our servers are configured to allow AXFR, the ability to perform them is disabled by default — it is the responsibility of the user to configure their ACLs to allow access to the servers they wish to allow replication between.[…]
I did not receive anything from US-CERT. However, with the alert above, I’m assuming they are aware of the .gov exposure.
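The ACLs the provider is talking about live in the name server's own configuration. As an added illustration that is not from the post or from the provider, here is what the weak setting and the corrected setting look like in BIND's named.conf; they are two versions of the same zone, not one file, and the zone name, the secondary's address and the key secret are placeholders:

```conf
// BEFORE (weak): anyone who can reach port 53 may pull the whole zone.
zone "example.test" {
    type master;
    file "example.test.zone";
    allow-transfer { any; };
};

// AFTER (corrected): close transfers globally, then open them per zone only
// to the secondary's address and only for requests signed with a shared TSIG key.
options {
    allow-transfer { none; };
};

key "xfer-key" {
    algorithm hmac-sha256;
    secret "UkVQTEFDRU1FUkVQTEFDRU1FUkVQTEFDRU1F";   // placeholder; generate with tsig-keygen
};

acl "secondaries" { 192.0.2.2; };                    // placeholder address

zone "example.test" {
    type master;
    file "example.test.zone";
    // Both conditions must hold: the request comes from a listed secondary
    // AND it is signed with xfer-key. The nested negation denies everything
    // outside "secondaries" before the key clause is consulted.
    allow-transfer { !{ !secondaries; any; }; key xfer-key; };
};
```

After reloading, an AXFR from any other host, or from 192.0.2.2 without the key, is refused and `dig axfr` prints `; Transfer failed.`; the same key stanza has to be present on the secondary and referenced in its transfer configuration. Setting `allow-transfer { none; };` in `options` matters because it makes every zone closed unless it is opened deliberately, which is the opposite of the default the provider describes leaving to the user.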
Anyway, the scans are located here: https://scans.io/study/hanno-axfr.
If you find anything interesting, let me know.
Earlier versions of this post credited Rapid7 for this data. The data was instead gathered by Mr. Hanno Böck and is hosted by scans.io.