this post was submitted on 21 Jul 2023
1462 points (98.9% liked)

Technology

59600 readers
4201 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[โ€“] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Why would a hacker want to conduct a zone transfer? In otherwords, what is the utility or usefulness of a zone transfer for a hacker (black or white hat)?

[โ€“] [email protected] 3 points 1 year ago* (last edited 1 year ago)

If you initiate a zone transfer, you can now claim to be authoritative for a zone. That means you can be a 'bad actor' DNS server that serves fake records. In practice, this means that you can redirect people to an attack site.

Let's say you're Joe the Random Internet User and you want to go to lemmy.world This is what happens in a non-attack (we're skipping caching & non-authoritative answers for brevity):

  1. You type "lemmy.world" into your browser
  2. Your computer initiates a stub resolution for lemmy.world. (the trailing dot here isn't a period. It's the "true" FQDN)
  3. Computer looks at hosts file and doesn't see anything
  4. DNS packets are sent to your configured DNS server. If you don't have one configured, DHCP already configured it for you
  5. Your DNS server performs a recursive search for world by asking the root zone where the "world" Name Serer is
  6. root zone resolves world as:

world. 3600 IN NS v0n0.nic.world.

world. 3600 IN NS v0n1.nic.world.

world. 3600 IN NS v0n2.nic.world.

world. 3600 IN NS v0n3.nic.world.

world. 3600 IN NS v2n0.nic.world.

world. 3600 IN NS v2n1.nic.world.

  1. Your DNS server reaches out to one of those Name Server's (That's what the NS record is for) and asks it where "lemmy" is
  2. world Name Server responds with:

lemmy.world. 300 IN A 172.67.218.212

lemmy.world. 300 IN A 104.21.53.208

  1. Your DNS server contacts your computer and serves it those IP addresses. (A record's are domain name to IP Address)

Now lets say there's a DNS spoof attack:

  1. Before the "world" server can get back to your DNS server, the hackers server interjects with it's own authoritative claim that lemmy is here:

lemmy.world. 300 IN A [attack site IP]

  1. Your DNS server contacts your computer and serves it that IP address. Your computer then contacts the attack site and you get a virus.