JPCERT-AT-2016-0002
JPCERT/CC
2016-01-12

<<< JPCERT/CC Alert 2016-01-12 >>>
Alert regarding possible information leakage due to improper DNS zone transfer settings
https://www.jpcert.or.jp/english/at/2016/at160002.html

I. Overview

An improperly configured authoritative name server may answer zone transfer (AXFR) requests from IP addresses it was never meant to serve, disclosing the whole zone to a third party. A zone holds the organization's DNS management data (host names, IP addresses, mail and name server records, etc.). Once that data is disclosed, an attacker can infer the layout of the organization's servers and network, which raises the risk to that infrastructure.

JPCERT/CC has obtained information that a number of domestic authoritative name servers may disclose zone information in this way. System administrators are advised to check their DNS server configuration and correct it where necessary.

II. Solution

When configuring zone transfers on authoritative name servers, restrict zone transfer requests to the expected IP addresses so that zone data is not leaked unknowingly.

- Configure the primary server to accept zone transfer requests only from the IP addresses of its secondary servers.
- Configure the secondary servers to reject zone transfer requests from every IP address. A secondary is authoritative as well and will answer AXFR if it is not restricted, so restricting only the primary is not enough.

How this is configured depends on the DNS server software in use. Test the change thoroughly before applying it: a primary that also refuses its own secondaries will stop zone updates from propagating. After the change, attempt a zone transfer from a host that is not a secondary against every listed name server for the zone and confirm that it is refused. For more information, refer to the following:

Japan Registry Services (JPRS)
Configuration Guide: How to restrict responses to zone transfer requests [for BIND] (Japanese)
http://jprs.jp/tech/notice/2016-01-12-fixing-bind-zonetransfer.html

Microsoft Corporation
Change zone transfer configuration
https://technet.microsoft.com/en-us/library/cc771652.aspx
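The two restrictions in Section II, written out as BIND named.conf fragments. This is an added example and is not taken from the alert or from the JPRS guide; the zone name example.com, the primary 192.0.2.1 and the secondaries 192.0.2.2 / 2001:db8::2 are placeholders. The first fragment is the weak setting that this alert is about; the second and third are the corrected primary and secondary.

```text
// Weak: no allow-transfer statement. BIND 9 releases of this era default to
// allow-transfer { any; }, so anyone who can reach TCP/53 can pull every record.
zone "example.com" {
    type master;
    file "example.com.zone";
};

// Global default: deny transfers everywhere, then open them per zone only where needed.
options {
    allow-transfer { none; };
};

// Corrected primary: transfers go only to the secondaries' addresses (placeholders).
// Everyone else receives REFUSED. also-notify keeps the secondaries informed of updates.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.2; 2001:db8::2; };
    also-notify { 192.0.2.2; 2001:db8::2; };
};

// Corrected secondary: still answers queries for the zone but never hands it out.
zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "slaves/example.com.zone";
    allow-transfer { none; };
};
```

Run `named-checkconf` before reloading, then verify from an outside host with `dig @192.0.2.1 example.com AXFR`; a correctly restricted server prints "; Transfer failed." rather than the zone's records. Where the secondaries' addresses can change, BIND also accepts a TSIG key in place of an address list (`allow-transfer { key "xfer-key"; };`), which ties the transfer to a shared secret rather than to a source IP that can be spoofed on a misrouted network.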
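The verification step in Section II, as a small Python script that performs the check from an outside host. This is an added example, not code from JPCERT/CC or JPRS. It builds the AXFR query in RFC 1035 wire format itself, sends it over TCP/53, and classifies the first reply message, so it needs no third-party DNS library. The sample replies it constructs for offline use are synthetic, not captured traffic; the server and zone on the command line are whatever you point it at.

```python
"""Check whether an authoritative name server hands its zone to an arbitrary client.

Added example, not part of the JPCERT/CC alert. Raw DNS over TCP (RFC 1035 wire
format); the hosts and zone names used below are placeholders.
"""
import socket
import struct
import sys

QTYPE_AXFR = 252
QCLASS_IN = 1
DEFAULT_TXID = 0x1234
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.strip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = DEFAULT_TXID) -> bytes:
    """12-byte header (flags 0: plain query, RD clear) plus one question of type AXFR."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def classify_axfr_reply(reply: bytes, txid: int = DEFAULT_TXID) -> str:
    """Classify the first response message of an AXFR exchange.

    OPEN    - NOERROR with records: the server transferred the zone to us (the finding).
    EMPTY   - NOERROR but no records: answered, transferred nothing.
    REFUSED / NOTAUTH / other rcode names - transfer denied or zone not served here.
    ERROR:* - reply unusable (truncated, wrong transaction id, not a response).
    """
    if len(reply) < 12:
        return "ERROR:short"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid:
        return "ERROR:txid"
    if not flags & 0x8000:            # QR bit must be set on a response
        return "ERROR:not-a-response"
    rcode = flags & 0x000F
    if rcode == 0:
        return "OPEN" if ancount > 0 else "EMPTY"
    return RCODE_NAMES.get(rcode, f"ERROR:rcode{rcode}")


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise; TCP may deliver the reply in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection before a full reply")
        buf += chunk
    return buf


def check_zone_transfer(server: str, zone: str, timeout: float = 5.0) -> str:
    """Send one AXFR over TCP/53 and classify the first message. An open transfer
    spans several messages, but the first (which carries the SOA) already decides it."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)   # TCP DNS: 2-byte length prefix
        (length,) = struct.unpack("!H", recv_exact(sock, 2))
        return classify_axfr_reply(recv_exact(sock, length))


def make_sample_reply(zone: str, rcode: int, answers: int, txid: int = DEFAULT_TXID) -> bytes:
    """Constructed sample reply (not captured traffic) so the classifier can be exercised
    offline: QR+AA flags, the echoed question, and `answers` SOA records."""
    flags = 0x8400 | (rcode & 0x0F)
    msg = struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0)
    msg += encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", 2016011201, 3600, 900, 604800, 300))
    for _ in range(answers):
        # owner name as a compression pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 6, QCLASS_IN, 3600, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <nameserver-ip-or-host> <zone>")
    verdict = check_zone_transfer(sys.argv[1], sys.argv[2])
    print(f"{sys.argv[2]} @ {sys.argv[1]}: {verdict}")
    sys.exit(1 if verdict == "OPEN" else 0)
```

Run it once per name server listed in the zone's NS records, from a host that is not one of the secondaries; OPEN on any of them is the misconfiguration this alert describes, REFUSED is the expected result. NOTAUTH means the server you asked is not authoritative for that zone, which is a different problem from an open transfer.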
III. References

Japan Registry Services (JPRS)
Risk of information leakage caused by misconfiguration of authoritative name servers and how to recheck the settings (Japanese)
http://jprs.jp/tech/security/2016-01-12-unauthorized-zone-transfer.html

Japan Network Information Center (JPNIC)
Alert regarding zone transfer settings in authoritative name servers (Japanese)
https://www.nic.ad.jp/ja/topics/2016/20160112-01.html

US-CERT
DNS Zone Transfer AXFR Requests May Leak Domain Information
http://www.us-cert.gov/ncas/alerts/TA15-103A

If you have any information regarding this alert, please contact JPCERT/CC.

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600
FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/