atechdad make it so

A Brief Look at DNS Zone Transfer for Alexa’s Top 1M Domains

The [Scans.IO][1] project is hosting a new dataset courtesy of Mr. Hanno Böck. It contains the results of scans against Alexa’s top 1 million domains, looking for DNS servers that answer unauthenticated zone transfer (AXFR) requests.

About AXFR

The purpose of DNS Zone Transfer (AXFR) is to replicate a zone from a primary DNS server to its secondaries: the client opens a TCP connection and asks for every record in the zone. Access is normally restricted with ACLs (and ideally TSIG-signed requests), but many DNS servers answer anyone who asks, handing over a complete list of the zone’s hostnames and sometimes more sensitive information. Attackers routinely use this during recon, since a single query replaces hours of subdomain brute-forcing.

US-CERT even put out an alert in April of 2015. – https://www.us-cert.gov/ncas/alerts/TA15-103A
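As an added example (my code, not the post’s and not Hanno Böck’s scanner), here is what the request and answer look like on the wire, using only the Python standard library: it builds the AXFR query, sends it over TCP with the two-byte length prefix the protocol requires, and parses the first reply message to tell an open server (NOERROR, zone starting with its SOA) from one with an ACL in place (typically REFUSED). The server address and zone name are whatever the caller passes in.

```python
"""Stdlib-only AXFR probe: builds the query, reads the TCP-framed reply and
parses enough of it to say whether the server handed over the zone.
Added example; the only network traffic is the single query you ask for."""
import socket
import struct

QTYPE_AXFR = 252
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 13: "HINFO",
              15: "MX", 16: "TXT", 28: "AAAA", 46: "RRSIG", 48: "DNSKEY"}


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """One question, QTYPE=AXFR, QCLASS=IN. RD stays clear: AXFR is not recursive."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Return rcode name, answer count, per-type counts and (owner, type) pairs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    types = {}
    records = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10 + rdlen  # rdata is skipped; only the type matters here
        tname = TYPE_NAMES.get(rtype, str(rtype))
        types[tname] = types.get(tname, 0) + 1
        records.append((name, tname))
    return {"rcode": RCODE_NAMES.get(rcode, str(rcode)), "answers": an,
            "types": types, "records": records}


def zone_transfer_allowed(result: dict) -> bool:
    """An open AXFR answers NOERROR and opens the zone with its SOA record."""
    return result["rcode"] == "NOERROR" and result["types"].get("SOA", 0) > 0


def _read_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf


def probe_axfr(server: str, zone: str, timeout: float = 5.0) -> dict:
    """Send the query over TCP (2-byte length prefix) and parse the first reply."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _read_exact(sock, 2))
        return parse_response(_read_exact(sock, length))


if __name__ == "__main__":
    import sys
    res = probe_axfr(sys.argv[1], sys.argv[2])
    print("open" if zone_transfer_allowed(res) else "closed", res["rcode"], res["types"])
```

Saved as, say, axfr_probe.py, it runs as `python3 axfr_probe.py ns1.example.net example.net`. The same check with dig is `dig axfr example.net @ns1.example.net`; a server with a working ACL prints `; Transfer failed.` A real transfer can span several TCP messages and ends when the SOA appears a second time, but the first message is enough to answer the yes/no question.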

The Numbers

I parsed through the files very briefly using standard command-line tools and found some interesting things.

  • 67,647 domains (6.7% of the Alexa top 1 million scanned) allowed a zone transfer.
  • 47,025 unique DNS servers are listed.
  • 451 (0.95%) appear to contain records indicating the use of DNSSEC.
  • 2,282 of the records contain the word “intranet”.
  • 285 of the records contain HINFO data.
    • There are 15,382 HINFO records in total.
  • 102 of the DNS servers use the .gov TLD.
    • Of these, 8,166 records are exposed.
  • 779 records contain the word “password”.
    • Of these, 58 contain both the words “password” and “reset”.
  • 39.5% of the DNS servers are under .com.
  • 26,083 records contain the word “proxy”.

Top 15 DNS Domains by Count of Exposed Domains

  1. xserver.jp – 11022
  2. secure.net – 2003
  3. mainnameserver.com – 1689
  4. pointhq.com – 1187
  5. linuxpl.com – 1010
  6. firstvds.ru – 920
  7. sedoparking.com – 902
  8. sixcore.ne.jp – 878
  9. wpx.ne.jp – 875
  10. dnsexit.com – 820
  11. a2hosting.com – 727
  12. parklogic.com – 722
  13. netsons.com – 662
  14. 1gb.ru – 597
  15. linode.com – 508

Number of DNS Servers by TLD

  1. .com – 18598
  2. .net – 5982
  3. .ru – 3380
  4. .org – 1384
  5. .pl – 1237
  6. .br – 1170
  7. .jp – 1168
  8. .ir – 970
  9. .de – 628
  10. .uk – 551
  11. .nl – 532
  12. .ua – 514
  13. .tw – 514
  14. .kr – 479
  15. .info – 444
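The tallies above (exposed zones, unique name servers, DNSSEC, HINFO, keyword hits, name servers per hosting domain and per TLD) are the kind of thing you get from a few awk and sort pipelines; as an added example, not code from the post, here is the same counting done in Python over dig-style AXFR output. It assumes one record per line in the form dig prints (`owner TTL class type rdata`, with `;` comment lines); the zone text is constructed for the example, not taken from the dataset.

```python
"""Tallies like the ones above, computed over dig-style AXFR output.
Assumed input format: one record per line as dig prints it,
'owner TTL class type rdata', with ';' comment lines. The zone text
below is constructed for this example, not taken from the dataset."""
from collections import Counter

# Constructed sample: two transferable zones and one refusal, keyed by zone name.
SAMPLE_OUTPUTS = {
    "example.com": """\
; <<>> DiG 9.10 <<>> axfr example.com @ns1.example.com
example.com.          3600 IN SOA    ns1.example.com. hostmaster.example.com. 2015040101 7200 3600 1209600 3600
example.com.          3600 IN NS     ns1.example.com.
example.com.          3600 IN NS     ns2.hosting-provider.net.
example.com.          3600 IN DNSKEY 257 3 8 AwEAAZEXAMPLEKEY
intranet.example.com. 300  IN A      10.0.0.5
proxy.example.com.    300  IN A      10.0.0.6
password-reset.example.com. 300 IN CNAME www.example.com.
www.example.com.      300  IN A      192.0.2.10
www.example.com.      300  IN HINFO  "Intel x86_64" "Linux 3.13"
example.com.          3600 IN SOA    ns1.example.com. hostmaster.example.com. 2015040101 7200 3600 1209600 3600
""",
    "example.gov": """\
example.gov.          3600 IN SOA    ns.example.gov. admin.example.gov. 42 7200 3600 1209600 3600
example.gov.          3600 IN NS     ns.example.gov.
example.gov.          3600 IN NS     ns2.hosting-provider.net.
db.example.gov.       300  IN HINFO  "Sun Fire V240" "Solaris 10"
example.gov.          3600 IN SOA    ns.example.gov. admin.example.gov. 42 7200 3600 1209600 3600
""",
    "closed.example.org": "; Transfer failed.\n",
}

KEYWORDS = ("intranet", "password", "proxy")
DNSSEC_TYPES = {"DNSKEY", "RRSIG", "NSEC", "NSEC3", "DS"}


def parse_zone(text: str) -> list:
    """Return (owner, type, rdata) tuples; skips comments and the closing SOA copy."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)
        if len(fields) < 4:
            continue
        owner, _ttl, _rclass, rtype = fields[:4]
        rdata = fields[4] if len(fields) == 5 else ""
        records.append((owner.lower(), rtype.upper(), rdata))
    # AXFR repeats the SOA at the end; drop that copy so it is not counted twice.
    if len(records) >= 2 and records[0][1] == "SOA" and records[-1][1] == "SOA":
        records.pop()
    return records


def nameserver_domain(ns_name: str) -> str:
    """'ns1.foo.example.net.' -> 'example.net' (last two labels; fine for a tally)."""
    labels = ns_name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def summarize(outputs: dict) -> dict:
    """Compute per-dataset tallies: exposure, DNSSEC, HINFO, keywords, NS domains/TLDs."""
    stats = {"zones_scanned": len(outputs), "zones_exposed": 0, "gov_zones": 0,
             "dnssec_zones": 0, "hinfo_zones": 0, "hinfo_records": 0,
             "keyword_records": Counter(), "nameservers": set(),
             "ns_domains": Counter(), "ns_tlds": Counter()}
    for zone, text in outputs.items():
        records = parse_zone(text)
        if not any(rtype == "SOA" for _, rtype, _ in records):
            continue  # refused or failed transfer: nothing was exposed
        stats["zones_exposed"] += 1
        stats["gov_zones"] += 1 if zone.endswith(".gov") else 0
        if {rtype for _, rtype, _ in records} & DNSSEC_TYPES:
            stats["dnssec_zones"] += 1
        hinfo = sum(1 for _, rtype, _ in records if rtype == "HINFO")
        stats["hinfo_records"] += hinfo
        stats["hinfo_zones"] += 1 if hinfo else 0
        zone_ns_domains = set()
        for owner, rtype, rdata in records:
            text_line = f"{owner} {rdata}".lower()
            for kw in KEYWORDS:
                if kw in text_line:
                    stats["keyword_records"][kw] += 1
            if rtype == "NS":
                ns = rdata.lower().rstrip(".")
                stats["nameservers"].add(ns)
                zone_ns_domains.add(nameserver_domain(ns))
        for d in zone_ns_domains:  # one count per exposed zone, as in the top-15 list
            stats["ns_domains"][d] += 1
    for ns in stats["nameservers"]:  # unique servers, as in the per-TLD list
        stats["ns_tlds"]["." + ns.rsplit(".", 1)[-1]] += 1
    return stats


if __name__ == "__main__":
    s = summarize(SAMPLE_OUTPUTS)
    print(f"{s['zones_exposed']} of {s['zones_scanned']} zones exposed")
    print("unique name servers:", len(s["nameservers"]))
    print("top NS domains:", s["ns_domains"].most_common(3))
    print("keyword hits:", dict(s["keyword_records"]))
```

Two details matter when reproducing the post’s numbers: dig prints the SOA twice (it both opens and closes the transfer), so the second copy has to be dropped or every zone gets an extra record; and the per-TLD list counts unique name servers while the top-15 list counts exposed zones per hosting domain, so the two tallies are built from different sets.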

Malicious Sites

Looks like there may be some nasty domains with enough traffic to be listed in the Alexa top 1 million too:

axfr loginj.com @ns1-king.vivawebhost.com.

This domain has about 1,400 subdomains, all of which appear to be phishing-related.

Examples:

  • autoconfig.wellsfargoonline.loginj[.]com
  • www.yahooemail.loginj[.]com
  • www.walmartcareers.loginj[.]com

According to Alexa, 91.5% of visitors to this site are from the US.

[alexa][2]

While the site itself is registered to someone in Australia:

Registrant City: Deer Park
Registrant State/Province: Victoria
Registrant Postal Code: 3023
Registrant Country: Australia

So now what?

I did reach out to US-CERT and to one of the VPS providers on the list.

The response from the provider was:

Thank you for bringing this to our attention. While our servers are configured to allow AXFR, the ability to perform them is disabled by default — it is the responsibility of the user to configure their ACLs to allow access to the servers they wish to allow replication between.[…]

I did not receive anything from US-CERT. However, with the alert above, I’m assuming they are aware of the .gov exposure.
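For the zone operator, the fix the provider describes is a one-line ACL. As an added illustration, not from the post or the provider, here is the weak setting next to a hardened one for BIND’s named.conf: at the time of the post BIND allowed transfers to any host when allow-transfer was not set, which is how most of the zones in this dataset ended up exposed. The key name, the secret placeholder and the secondary address 192.0.2.53 are assumptions.

```conf
// Weak: anyone who can reach port 53/TCP can pull the whole zone.
// (Leaving allow-transfer out entirely had the same effect in BIND 9 of that era.)
options {
    allow-transfer { any; };
};

// Hardened: deny transfers globally, then allow them per zone only to the
// secondaries, and require a TSIG signature rather than trusting a source IP alone.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret generated with tsig-keygen>";   // placeholder
};

options {
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { key xfer-key; };   // assumed key; add the secondary's IP too if needed
    also-notify { 192.0.2.53; };        // assumed secondary address
};
```

After reloading, `dig axfr example.com @ns1.example.com` from an unlisted host should print `; Transfer failed.`, and the secondary should still transfer with `dig -y hmac-sha256:xfer-key:<secret> axfr example.com @ns1.example.com`.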

Anyway, the scans are located here: https://scans.io/study/hanno-axfr.

If you find anything interesting, let me know.

Correction:

Earlier versions of this post credited Rapid7 for this data. The data was instead gathered by Mr. Hanno Böck and is being hosted by scans.io.

[1]: https://scans.io/
[2]: https://atechdad.com/wp-content/uploads/2015/04/alexa.png