Large-scale Analysis of Infrastructure-leaking DNS Servers

Dennis Tatang, Carl Schneider, Thorsten Holz

Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Gothenburg, Sweden, June 2019


Abstract

The Domain Name System (DNS) is a fundamental backbone service of the Internet. In practice, this infrastructure often shows flaws, which indicate that measuring the DNS is important to understand potential (security) issues. Several works deal with the DNS and present such problems, mitigations, and attack vectors. A so far overlooked issue is the fact that DNS servers might answer with information about internal network information (e.g., hostnames) to external queries. This behavior results in a capability to perform an active network reconnaissance without the need for individual vulnerabilities or exploits. Analyzing how public DNS services might involuntarily disclose sensitive information ties in with the trust we have on Internet services.

To investigate this phenomenon, we conducted a systematic measurement study on this topic. We crawl all public reachable DNS servers in 15 scans over a period of almost six months and analyze up to 574,000 DNS servers per run that are configured in a way that might lead to this kind of information leakage. With this large-scale evaluation, we show that the amount of this possible infrastructure leaking DNS servers is on average almost 4 percent over all of our scans on every reachable DNS servers on the Internet. Based on our newest scan, the countries with most of these servers are Romania, China, and the US. In these countries, the share of such servers among of all reachable servers is about 15% in Romania, 9% in China, and 2.9% in the US. A detailed analysis of the responses reveals that not all answers provide useful information for an adversary. However, we found that up to 158,000 DNS servers provide potentially exploitable information in the wild. Hence, this measurement study demonstrates that the configuration of a DNS server should be executed carefully; otherwise, it may be possible to disclose too much information.

[GitHub] [PDF]

tags: DNS