Vulnerability in xname.org

    I recently discovered an unpleasant vulnerability in the popular DNS hosting service XName.org.
    The problem is that ns2.xname.org allows a full zone transfer (AXFR request) of any zone hosted on it, regardless of where the request comes from.
    For example, asking ns2.xname.org for XName's own zone returns the entire zone, while the same request to ns0.xname.org fails (both dig runs are shown below), from which we can conclude that the developers did not intend to give this zone away at all. I checked this assumption on my own domains, where transfers are allowed only to the authoritative servers: the result is the same, ns2 hands out the whole zone regardless of whether the configuration allows it. Thus roughly 175,000 domains that use XName as their DNS servers are exposed to this.

    porfel@porfel-laptop:~$ dig xname.org @ns2.xname.org axfr

    ; <<>> DiG 9.6.1-P2 <<>> xname.org @ns2.xname.org axfr
    ;; global options: +cmd
    xname.org. 600 IN SOA ns0.xname.org. yann.hirou.org. 2009030501 600 1800 3600000 10800
    xname.org. 600 IN TXT "v=spf1 a:vhosting.freexion.net a:ns0.xname.org a:ns1.xname.org a:ns2.xname.org a:g1.xname.org ip4:195.234.42.0/24 ~all"
    xname.org. 600 IN NS ns0.xname.org.
    xname.org. 600 IN NS ns1.xname.org.
    xname.org. 600 IN NS ns2.xname.org.
    xname.org. 600 IN NS ns3.xtremeweb.de.
    xname.org. 600 IN MX 10 mxg1.freexion.net.
    xname.org. 600 IN MX 20 mx2.oav.net.
    xname.org. 600 IN A 92.243.14.172
    demo.xname.org. 600 IN CNAME www.xname.org.
    dev.xname.org. 600 IN CNAME www.xname.org.
    error.xname.org. 600 IN A 193.218.105.155
    g1.xname.org. 600 IN A 92.243.14.172
    myip.xname.org. 600 IN CNAME www.xname.org.
    ns0.xname.org. 600 IN A 195.234.42.1
    ns1.xname.org. 600 IN A 87.98.164.164
    ns2.xname.org. 600 IN AAAA 2a01:e0b:1:64:240:63ff:fee8:6155
    ns2.xname.org. 600 IN A 88.191.64.64
    o1.xname.org. 600 IN A 91.121.207.58
    o1b.xname.org. 600 IN A 87.98.135.241
    source.xname.org. 600 IN CNAME www.xname.org.
    test.xname.org. 600 IN NS ns0.xname.org.
    test.xname.org. 600 IN NS ns1.xname.org.
    url.xname.org. 600 IN CNAME www.xname.org.
    www.xname.org. 600 IN CNAME g1.xname.org.
    xname.org. 600 IN SOA ns0.xname.org. yann.hirou.org. 2009030501 600 1800 3600000 10800
    ;; Query time: 147 msec
    ;; SERVER: 88.191.64.64#53(88.191.64.64)
    ;; WHEN: Tue Mar 23 01:36:15 2010
    ;; XFR size: 26 records (messages 3, bytes 791)

    porfel@porfel-laptop:~$

    porfel@porfel-laptop:~$ dig xname.org @ns0.xname.org axfr

    ; <<>> DiG 9.6.1-P2 <<>> xname.org @ns0.xname.org axfr
    ;; global options: +cmd
    ; Transfer failed.
    porfel@porfel-laptop:~$
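    The test above, done by hand against two servers, generalises to checking every authoritative server of a zone. The following is an added example written for this post (it is not XName's code and was not in the original): a standard-library Python client that sends an AXFR query over TCP to a given server, walks the length-prefixed reply stream, and reports whether the transfer was refused, completed (the answer stream begins and ends with SOA), or cut off. The two sample replies at the bottom are constructed bytes, not captured traffic; the hostnames and record values reuse those visible in the dig output above.

```python
"""AXFR exposure check: ask each authoritative name server of a zone for a full
zone transfer and report which ones hand it over. Added example, not XName's
code; it does with the standard library what the dig runs above do by hand."""
import socket
import struct

QTYPE_AXFR, RRTYPE_SOA, CLASS_IN = 252, 6, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(name):
    """Dotted hostname -> uncompressed DNS wire-format name."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_axfr_query(zone, qid=0x1234):
    """12-byte header (QDCOUNT=1, no flags) + question '<zone> AXFR IN'."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)

def build_rr(name, rtype, rdata, ttl=600):
    """Wire-format resource record (used below only to construct sample replies)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def skip_name(msg, off):
    """Offset just past the name at off; a 2-byte compression pointer ends a name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:
            return off + 2
        off += 1 + length

def parse_message(msg):
    """Return (RCODE, [RR type of each answer record]) for one DNS message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):          # skip the echoed question section
        off = skip_name(msg, off) + 4
    types = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return flags & 0x0F, types

def classify_axfr(messages):
    """Classify the messages seen so far on one AXFR connection: a non-zero RCODE
    is a refusal (what dig reports as 'Transfer failed.'); the transfer is COMPLETE
    once the answer stream both starts and ends with SOA; otherwise PARTIAL."""
    types = []
    for msg in messages:
        rcode, answer_types = parse_message(msg)
        if rcode != 0:
            return RCODES.get(rcode, "RCODE%d" % rcode), len(types)
        types.extend(answer_types)
    if len(types) >= 2 and types[0] == RRTYPE_SOA and types[-1] == RRTYPE_SOA:
        return "COMPLETE", len(types)
    return "PARTIAL", len(types)

def axfr(zone, server, port=53, timeout=10):
    """AXFR over TCP: 2-byte length-prefixed query, then length-prefixed replies
    until the closing SOA, a refusal, or the server hangs up."""
    query = build_axfr_query(zone)
    messages = []
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        stream = sock.makefile("rb")
        while True:
            prefix = stream.read(2)
            if len(prefix) < 2:
                break
            (size,) = struct.unpack("!H", prefix)
            msg = stream.read(size)
            if len(msg) < size:
                break
            messages.append(msg)
            if classify_axfr(messages)[0] != "PARTIAL":
                break
    return classify_axfr(messages)

def check_zone(zone, servers):
    """Try every listed authoritative server. Any COMPLETE entry means that
    server leaks the whole zone to anyone who asks."""
    results = {}
    for server in servers:
        try:
            results[server] = axfr(zone, server)
        except OSError as exc:
            results[server] = ("ERROR: %s" % exc, 0)
    return results

# Constructed sample replies (not captured traffic) mirroring the two dig runs
# above: an open server streaming SOA ... SOA, and a server answering REFUSED.
_SOA = (encode_name("ns0.xname.org") + encode_name("yann.hirou.org")
        + struct.pack("!IIIII", 2009030501, 600, 1800, 3600000, 10800))
_QUESTION = encode_name("xname.org") + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)
SAMPLE_OPEN = [
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 0) + _QUESTION
    + build_rr("xname.org", RRTYPE_SOA, _SOA)
    + build_rr("xname.org", 2, encode_name("ns0.xname.org")),   # NS
    struct.pack("!HHHHHH", 0x1234, 0x8400, 0, 2, 0, 0)
    + build_rr("xname.org", 1, bytes([92, 243, 14, 172]))        # A
    + build_rr("xname.org", RRTYPE_SOA, _SOA),
]
SAMPLE_REFUSED = [struct.pack("!HHHHHH", 0x1234, 0x8405, 1, 0, 0, 0) + _QUESTION]
```

    To repeat the check from the post live, call check_zone("xname.org", ["ns0.xname.org", "ns2.xname.org"]) and look for any server reported as COMPLETE; the same call with your own zone and its NS hosts tells you whether any of them ignores your transfer restrictions. Note that the client only looks at record types, which is all that is needed to decide whether a transfer succeeded; it does not decode the record data.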

    My advice to users of this service: be careful and do not put anything secret into the zone, since anyone can pull the complete list of records. And if you have "secret" subdomains, make sure the services behind them require proper authorization rather than relying on the hostname being unknown.
    Thanks for your attention.

    PS: On Wednesday I wrote a letter to the service administrators describing the problem and asking them to fix it, but so far there has been no reply at all...
