US-CERT is urging administrators of Domain Name System (DNS) servers to check whether their machines are misconfigured to answer full zone transfer (AXFR) requests from any source on the Internet, and thus leak potentially sensitive information.
The issue is not new, but it has recently received renewed attention after a scan of the nameservers serving Alexa's Top 1 million websites revealed that over 48,000 unique nameservers are misconfigured to allow this.
“Asynchronous Xfer Full Range is a mechanism used by the DNS system to transfer zone information for a domain from a master (primary) DNS server to several slave (secondary) DNS servers. A slave sends an AXFR request to the master, which replies with all DNS information associated with a domain (zone),” Internetwache researchers explained.
“If the master server does not validate the source of an AXFR request, anyone will be able to download the DNS zone file from this server.”
A leaked zone lists the hostnames and IP addresses of every system the zone describes, including internal network structure and other potentially sensitive information that can be used to plan targeted attacks against those systems.
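The exchange described above can be reproduced with a short checker. The following is an added example, not code from US-CERT or Internetwache: it speaks raw DNS over TCP (RFC 5936) using only the Python standard library, sends one AXFR question, collects the length-prefixed replies, and classifies the result. A transfer is reported as OPEN only when the answer stream begins and ends with the zone's SOA record, which is how a real AXFR is framed; a correctly restricted server answers with RCODE REFUSED (or NOTAUTH) and no records. The server name, zone (example.com), addresses and the two sample responses are constructed for offline demonstration, not captured traffic.

```python
"""Check whether a nameserver answers an unauthenticated AXFR for a zone.

Raw DNS over TCP (RFC 5936), standard library only."""
import socket
import struct
import sys

QTYPE_AXFR, QTYPE_SOA, QTYPE_A, CLASS_IN = 252, 6, 1, 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_axfr_query(domain, txid=0x1234):
    """12-byte header (flags 0, QDCOUNT 1) plus one <domain> AXFR IN question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(domain) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_message(msg):
    """Return (rcode, [rtype of each answer record]) for one DNS message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    rtypes = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        rtypes.append(rtype)
    return flags & 0x0F, rtypes

def classify_transfer(messages):
    """Reduce one TCP exchange to (verdict, answer_record_count).
    A genuine AXFR stream starts and ends with the zone's SOA (RFC 5936 section 2.2)."""
    rtypes = []
    for msg in messages:
        rcode, types = parse_message(msg)
        if rcode != 0:
            return RCODE_NAMES.get(rcode, "RCODE%d" % rcode), len(rtypes)
        rtypes.extend(types)
    if len(rtypes) >= 2 and rtypes[0] == QTYPE_SOA and rtypes[-1] == QTYPE_SOA:
        return "OPEN", len(rtypes)
    return ("NO_RESPONSE" if not messages else "NOT_A_TRANSFER"), len(rtypes)

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf

def axfr(server, domain, port=53, timeout=5.0):
    """Send an AXFR over TCP, collect the length-prefixed replies, classify them."""
    query = build_axfr_query(domain)
    messages, soa_seen = [], 0
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        while soa_seen < 2:                     # the second SOA ends the transfer
            try:
                (length,) = struct.unpack("!H", recv_exact(sock, 2))
                msg = recv_exact(sock, length)
            except (ConnectionError, socket.timeout):
                break
            messages.append(msg)
            rcode, types = parse_message(msg)
            if rcode != 0 or not types:
                break
            soa_seen += types.count(QTYPE_SOA)
    return classify_transfer(messages)

def build_response(domain, rcode, records, txid=0x1234):
    """Constructed reply for offline demonstration (not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x8000 | rcode, 1, len(records), 0, 0)
    body = encode_name(domain) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)
    for rtype, rdata in records:   # 0xC00C points back at the question's owner name
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return header + body

def sample_refused():
    """What a correctly restricted server sends back: RCODE 5, no answers."""
    return [build_response("example.com", 5, [])]

def sample_open_transfer():
    """A minimal leaked zone: SOA, one A record, closing SOA (constructed data)."""
    soa = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
           + struct.pack("!IIIII", 2015041001, 3600, 900, 604800, 300))
    return [build_response("example.com", 0,
                           [(QTYPE_SOA, soa), (QTYPE_A, bytes([192, 0, 2, 10])), (QTYPE_SOA, soa)])]

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: axfr_check.py <nameserver> <zone>")
    verdict, count = axfr(sys.argv[1], sys.argv[2])
    print("%s %s: %s (%d records)" % (sys.argv[1], sys.argv[2], verdict, count))
```

Run it as `python3 axfr_check.py ns1.example.com example.com` against each authoritative nameserver for a zone you own (the hostname here is a placeholder); every server must be checked individually, since a single secondary that still allows global transfers leaks the whole zone. The same check can be done with `dig @ns1.example.com example.com AXFR`, where a restricted server prints "Transfer failed." and an open one prints the zone. Note that an open AXFR is reported as OPEN even when the zone is tiny, and that a server that never replies (firewalled TCP/53) is reported as NO_RESPONSE rather than as secure.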
To remove this risk, administrators are advised to configure their DNS servers to respond only to AXFR requests from known IP addresses, namely those of their own secondary servers.
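For BIND, the restriction looks like the fragment below. This is an added example written for this page, not configuration published by US-CERT or Internetwache; the zone name, addresses, key name and file path are placeholders, and the TSIG secret must be generated locally (with `tsig-keygen`, or `ddns-confgen` on older BIND 9 releases). It first disables transfers globally, then re-enables them per zone for a named ACL or, better, for requests signed with a TSIG key, so that a spoofed or compromised address in the allowed range is not by itself enough to pull the zone.

```conf
// Global default: refuse zone transfers unless a zone statement says otherwise.
options {
    allow-transfer { none; };
};

// Addresses of the organisation's own secondary servers (placeholders).
acl "secondaries" { 192.0.2.53; 2001:db8::53; };

// Shared secret for TSIG-signed transfers; generate the secret locally.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";
};

zone "example.com" {
    type master;
    file "zones/db.example.com";
    // IP-only restriction as the advisory suggests:
    //   allow-transfer { secondaries; };
    // Stronger: require the request to be signed with the shared key.
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.53; };
};
```

On each secondary, the matching `key "xfer-key" { ... };` block plus `server 192.0.2.1 { keys { "xfer-key"; }; };` (primary address again a placeholder) makes it sign its transfer requests. After reloading, re-run `dig @ns1.example.com example.com AXFR` from an address outside the ACL: it should print "Transfer failed.", and the server log should show the refused transfer. Restricting AXFR only stops bulk download; names that are individually queryable can still be enumerated one by one, so the zone should not be treated as secret just because transfers are closed.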