
While it seems like a bad idea for attackers to be able to use DNSSEC to enumerate subdomains, I cannot think of a specific attack that this information enables, which would not be doable without this information.

Merlin

1 Answer


This isn't about a specific attack. Before an attack, there is usually thorough information gathering about a target. This is where the insecurity exists.

Vulnerable systems on a network are vulnerable whether you have the domain or not. It's a matter of having a list of nodes with oftentimes verbose naming conventions that give away more information than is needed.

It can provide information on network design, location of devices, types of devices, and much more. It doesn't need to be used in a cyber attack either; this type of information could prove valuable in a social engineering attack.

When this type of information used to be widely available, doing a host -l was a standard step in surveying a target. That has since changed and we shouldn't take steps backwards. There is no reason this information should be disclosed to the public internet.

David Houde
  • How has it "changed"? Why wouldn't host -l work presently? – Pacerier May 25 '15 at 03:51
  • host -l uses a zone transfer to enumerate all subdomains. Most DNS resolvers now deny this behavior by default, such as with Bind's allow-transfer. – David Houde May 26 '15 at 20:18
  • So what other ways are there to get the list of subdomains besides bruteforcing? – Pacerier Jul 02 '15 at 16:21
  • A zone transfer is the only guaranteed way to get a complete list of records. You can effectively zone walk if the server has DNSSEC enabled with NSEC (rather than using NSEC3, which was implemented specifically to prevent it). – DoubleD Dec 17 '18 at 22:15
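A defender-side check for the two points raised in the answer and comments (host -l relying on a zone transfer, and BIND's allow-transfer being what denies it), as an added example that is not from the original post: it audits named.conf zone stanzas for a missing or "any" allow-transfer, and flags AXFR/IXFR requests in BIND query-log lines that come from hosts outside the secondary allowlist. The log line format is approximated from BIND 9, the sample config and log lines are constructed, and the allowlist and global_default values are assumptions.

```python
import re

# Approximate BIND 9 query-log shape (assumed, not taken from the page):
# "<date> queries: info: client @0x... <ip>#<port> (<zone>): query: <qname> IN <qtype> ..."
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<zone>[^)]+)\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

def find_unauthorized_transfers(lines, allowed_secondaries):
    """Return (client_ip, zone) for each AXFR/IXFR request not from an allowed secondary."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m["qtype"] in ("AXFR", "IXFR") and m["ip"] not in allowed_secondaries:
            hits.append((m["ip"], m["qname"]))
    return hits

def zone_stanzas(conf):
    """Yield (zone_name, stanza_body) from named.conf text by counting braces."""
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def zones_allowing_any_transfer(conf, global_default="any"):
    """Return zones whose effective allow-transfer ACL is 'any'.
    global_default is what a zone inherits when it sets nothing (options{} or the
    built-in default of the BIND version in use); "any" here is an assumption."""
    weak = []
    for name, body in zone_stanzas(conf):
        m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
        acl = m.group(1).strip().rstrip(";").strip() if m else global_default
        if acl == "any":
            weak.append(name)
    return weak

# Constructed sample data: one zone restricts transfers, one does not.
SAMPLE_CONF = """
zone "example.com" { type primary; file "db.example.com"; allow-transfer { 198.51.100.2; }; };
zone "corp.example" { type primary; file "db.corp"; };
"""
# Constructed log lines: an allowed secondary, an unknown host, and an ordinary A query.
SAMPLE_LOG = """\
25-May-2015 03:51:00.001 queries: info: client @0x7f3a 198.51.100.2#40123 (example.com): query: example.com IN AXFR -E(0) (203.0.113.53)
25-May-2015 03:51:02.118 queries: info: client @0x7f3a 203.0.113.7#51234 (example.com): query: example.com IN AXFR -E(0) (203.0.113.53)
25-May-2015 03:51:05.400 queries: info: client @0x7f3a 203.0.113.7#51235 (example.com): query: www.example.com IN A -E(0) (203.0.113.53)
"""
```

Run both checks against your own primary's config and query log; a hit in either list means the host -l style enumeration the answer describes is still possible or is being attempted.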