Extending attack surface in distributed environments
I currently work at RCNTEC, where I deal with distributed environments every day. While setting up a DNS service on ISC BIND I asked myself: are the only DNS servers serving a domain the ones listed as NS records for that domain? Are there really only two nameservers for the 'yandex.ru' zone and four for the 'google.com' zone?
Obviously not. Many companies that run Internet services have a distributed DNS infrastructure sitting behind a load balancer, firewall or some kind of relay (a reverse proxy for DNS), and only the front end's address is published in the NS records.
But how can we solve the mystery and get some information about the backend DNS servers?
It was time to dive into DNS.
Chaosnet
You can read more about Chaosnet here. In two words, it is another network protocol, an early LAN protocol from MIT with its own network layer (Layer 3 of the ISO OSI model).
In DNS, Chaosnet survives as one of the query classes (code CH), alongside IN (Internet) and HS (Hesiod).
Chaosnet is interesting because BIND (and several other servers) use the CH class to serve a built-in zone 'bind.' that contains useful information about the server itself. You probably know the 'version.bind.' record, which lets you determine the DNS server's version.
A commonly used DNS fingerprinting technique is based on this record.
As you can see above, I requested the Chaosnet TXT record 'version.bind.' from my own DNS server and got a response containing its version.
So we can get the DNS server version, but we still can't enumerate the servers behind a relay. Besides, many system administrators know about this 'feature' and know how to hide the version.
Even when the target's administrator has not touched the 'bind.' zone, the version alone enumerates nothing: it is just a version string, not an IP address or anything similar.
Another CH TXT-record
The TXT record 'hostname.bind.' is another record available in the CH zone 'bind.'. Let's see what happens when we request it from our DNS server:
Great! We got the server's hostname. In my case it is only an internal server name. But what about distributed environments?
In my experience it is very convenient and common for a server's hostname to equal its external DNS name. In that case the internal hostname gives us the external DNS name too, and we can simply resolve it to obtain the server's IP. And because 'hostname.bind.' is answered by whichever backend the relay forwards the query to, repeating the query a number of times reveals one hostname per backend that happened to answer.
Unhidens
I wrote a small utility, unhidens, that runs 'dig' against the relay to collect versions and hostnames and resolves the hostnames it receives.
Let's see the output of unhidens launched against a Russian domain registrar's nameserver:
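The same job at the wire level, as an added example (this is not the author's unhidens, and not BIND's code): the script builds a TXT query in class CHAOS (QCLASS 3), which is what dig @relay CH TXT hostname.bind sends, parses the TXT answer, repeats the query against the relay so that the balancer spreads it over its backends, keeps the set of distinct answers, and resolves the collected hostnames in the ordinary IN class. It also asks for 'id.server.', the vendor-neutral equivalent of 'hostname.bind.' defined in RFC 4892. build_reply and every name passed to it are constructed test data so the parser can be exercised offline, not captured traffic; the 127.0.0.1 default target is just a placeholder.

```python
"""Added example (not the author's unhidens): CHAOS-class TXT prober that repeats
hostname.bind./version.bind. queries against a relay and collects distinct answers."""
import random, socket, struct, sys

CLASS_CH, TYPE_TXT = 3, 16     # CHAOS class, TXT type; the "bind." zone lives in class CH


def build_query(qname, txid=None, qtype=TYPE_TXT, qclass=CLASS_CH):
    """Wire-format query (RFC 1035); RD stays clear since the question is about the server itself."""
    txid = random.randrange(0x10000) if txid is None else txid
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + wire + b"\x00" + struct.pack(">HH", qtype, qclass)


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just after it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                          # compression pointer (RFC 1035 4.1.4)
            end = offset + 2 if end is None else end
            offset, hops = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", (offset if end is None else end)
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_txt_answers(reply, txid):
    """TXT strings in the answer section; [] on a non-zero RCODE (a hardened BIND answers REFUSED)."""
    rid, flags, qd, an = struct.unpack(">HHHH", reply[:8])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        return []
    offset, texts = 12, []
    for _ in range(qd):                                    # skip the echoed question
        offset = read_name(reply, offset)[1] + 4
    for _ in range(an):
        offset = read_name(reply, offset)[1]
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", reply[offset:offset + 10])
        rdata, offset = reply[offset + 10:offset + 10 + rdlen], offset + 10 + rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:       # RDATA = run of <len><bytes> strings
            pos, parts = 0, []
            while pos < len(rdata):
                parts.append(rdata[pos + 1:pos + 1 + rdata[pos]].decode("ascii", "replace"))
                pos += 1 + rdata[pos]
            texts.append("".join(parts))
    return texts


def build_reply(query, txt_strings, rcode=0):
    """Constructed answer to `query` so the parser can be exercised offline (not captured traffic)."""
    answers = b""
    for s in ([] if rcode else txt_strings):
        raw = s.encode("ascii")
        rdata = b"".join(bytes([len(raw[i:i + 255])]) + raw[i:i + 255] for i in range(0, len(raw), 255))
        answers += b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    header = struct.pack(">HHHHHH", struct.unpack(">H", query[:2])[0], 0x8400 | rcode, 1,
                         0 if rcode else len(txt_strings), 0, 0)
    return header + query[12:] + answers        # question section is echoed back verbatim


def probe(server, qname, attempts=10, port=53, timeout=2.0):
    """Distinct answers over `attempts` UDP queries: behind a balancer each one may hit a different backend."""
    seen = set()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(attempts):
            txid = random.randrange(0x10000)
            sock.sendto(build_query(qname, txid), (server, port))
            try:
                seen.update(parse_txt_answers(sock.recvfrom(4096)[0], txid))
            except (socket.timeout, ValueError, struct.error):
                continue
    return seen


def resolve_hosts(hostnames):
    """IN-class lookup of each hostname.bind answer; None means an internal-only name."""
    out = {}
    for h in hostnames:
        try:
            out[h] = socket.gethostbyname(h)
        except socket.gaierror:
            out[h] = None
    return out


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # relay / load balancer address
    for name in ("version.bind.", "hostname.bind.", "id.server."):  # id.server. is the RFC 4892 name
        answers = probe(target, name)
        print(name, sorted(answers))
        if name == "hostname.bind.":
            for host, ip in resolve_hosts(answers).items():
                print("   ", host, "->", ip or "(does not resolve)")
```

Run it as python3 chprobe.py <relay address>. The number of distinct 'hostname.bind.' answers is only a lower bound on the number of backends: a balancer with sticky sessions may keep handing your queries to the same one, so raise `attempts` or query from several source addresses before drawing conclusions. A non-zero RCODE is treated as "nothing disclosed", which is what a server configured with version none / hostname none returns.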
To replace BIND's built-in 'bind.' zone with your own, declare it in named.conf in class CHAOS (without the class keyword the zone is loaded as class IN and the CHAOS records in the file are rejected with a class mismatch):
zone "bind" chaos {
    type master;
    file "bind.dns";
    allow-query { any; };
};
And create the 'bind.dns' zone file:
$TTL 1D
$ORIGIN bind.
@ 1D CHAOS SOA localhost. root.localhost. (
2017082702 ; serial
3H ; refresh
1H ; retry
1W ; expiry
1D ) ; minimum
CHAOS NS localhost.
version.bind. CHAOS TXT "is newest available version!"
authors.bind. CHAOS TXT "are better coders than I. :)"
hostname.bind. CHAOS TXT "unknown for me."
This is not the easiest way to hide your version and hostname (the version, hostname and server-id statements in options {} do that with less typing), but with your own zone and query logging turned on (rndc querylog, or the queries logging category) you can log every request to the 'bind.' zone and track all clients trying to request sensitive information about your machines.