Problem
The command:
dig axfr @'dns ip address' "domain fqdn"
is used to initiate a DNS zone transfer (DNS zone replication) between DNS servers. DNS zone transfers should only be allowed between authorized DNS servers. If this command can successfully execute from any IP address, it constitutes a significant security vulnerability, as it allows unauthorized users to obtain sensitive information about the domain. This information may include:
- A list of all machines in the domain
- IP addresses
- Name servers (NS)
- Nonexistent domains (NX)
Such data could be exploited to facilitate attacks on the individual components of the domain.
In this specific case:
- The UCS Primary server refuses the DNS zone transfer:
; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> axfr @x.x.x.241 domain.com
; (1 server found)
;; global options: +cmd
; Transfer failed.
- However, the UCS Backup and Slave servers accept the transfer:
; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> axfr @x.x.x.242 domain.com
; (1 server found)
;; global options: +cmd
...
...
;; Query time: 7 msec
;; SERVER: x.x.x.242#53(x.x.x.242) (TCP)
;; WHEN: Mon Nov 25 14:41:52 CET 2024
;; XFR size: 46 records (messages 1, bytes 2099)
Investigation
The domain setup in this scenario is as follows:
- 1 Primary server
- 1 Backup server
- 1 Slave server
By default, all three servers have their dns/allow/transfer variable set to any, and it is the administrator's responsibility to change this value to secure the system.
In this scenario:
- Samba4 is installed only on the primary server.
- Univention automatically detects this and executes the script /usr/lib/univention-install/98univention-samba4-dns.inst during the installation process.
- This script updates the value of the dns/backend variable to samba4 for the Primary server.
- The Backup and Slave servers retain the default dns/backend value of ldap, as Samba4 is not installed on them.
A bug comes into play here: when Samba4 is installed on a Univention server, DNS zone transfers fail due to a configuration issue in Samba (the dns/allow/transfer variable is not respected). This causes the dig command to return inconsistent results across the three servers, even though the dns/allow/transfer variable is set to any on all of them.
Solution
Step 1: Update the dns/allow/transfer Variable
Ensure the dns/allow/transfer variable is set to restrict access to authorized networks on all servers:
ucr set dns/allow/transfer='10.101.4.*,10.101.5.*'
Replace 10.101.4.* and 10.101.5.* with the appropriate network ranges you want to authorize (e.g., 127.0.0.1 for localhost-only access).
Step 2: Adjust the Samba4 Configuration
On the servers that have Samba4 installed, configure Samba to allow zone transfers only from the specified networks:
ucr set 'samba/global/options/dns zone transfer clients allow'='10.101.4.*,10.101.5.*'
Again, replace 10.101.4.* and 10.101.5.* with your desired network ranges.
Step 3: Restart the DNS Service
After making these changes, restart the DNS service to apply the configuration:
/etc/init.d/bind9 restart
Step 4: Validate the Fix
Test the DNS zone transfer command (dig axfr) from an unauthorized IP address to ensure the transfer is correctly refused. Confirm that the command only succeeds from the configured authorized networks.
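As an added example that is not part of the original article, the following POSIX shell script automates Step 4: it runs dig axfr against each listed server and classifies the output using the two result shapes quoted above (a "; Transfer failed." line versus an ";; XFR size:" summary line). The classifier is exercised on constructed samples so it runs without network access; the zone name and server addresses passed to audit_axfr are placeholders you replace with your own, and a non-zero exit status signals that at least one server still allowed the transfer.

```shell
#!/bin/sh
# Added example (not from the original article): audit nameservers for open
# zone transfers by running `dig axfr` and classifying its output.
# Assumes `dig` is installed for the live check; zone and server addresses
# are placeholders to be replaced.

# classify_axfr_output: read the output of `dig axfr` on stdin and print
# ALLOWED (records were transferred), REFUSED (dig reported
# "Transfer failed") or UNKNOWN (neither marker present).
classify_axfr_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^;; XFR size:'; then
        echo ALLOWED
    elif printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        echo REFUSED
    else
        echo UNKNOWN
    fi
}

# audit_axfr ZONE SERVER...: attempt a zone transfer from every server and
# print one "SERVER RESULT" line each. Returns non-zero if any server
# allowed the transfer, so the script can gate a cron job or CI check.
audit_axfr() {
    zone=$1
    shift
    rc=0
    for srv in "$@"; do
        result=$(dig axfr "@$srv" "$zone" +time=5 +tries=1 2>/dev/null \
                 | classify_axfr_output)
        echo "$srv $result"
        if [ "$result" = ALLOWED ]; then
            rc=1
        fi
    done
    return $rc
}

# Constructed samples modelled on the two outputs quoted in the article
# (a refusing Primary and an accepting Backup/Slave).
SAMPLE_REFUSED='; <<>> DiG 9.18.28 <<>> axfr @x.x.x.241 domain.com
; (1 server found)
;; global options: +cmd
; Transfer failed.'

SAMPLE_ALLOWED='; <<>> DiG 9.18.28 <<>> axfr @x.x.x.242 domain.com
; (1 server found)
;; global options: +cmd
;; XFR size: 46 records (messages 1, bytes 2099)'

# Offline demonstration of the classifier on the constructed samples.
echo "sample .241: $(printf '%s\n' "$SAMPLE_REFUSED" | classify_axfr_output)"
echo "sample .242: $(printf '%s\n' "$SAMPLE_ALLOWED" | classify_axfr_output)"

# Live check, only when invoked with a zone and at least one server, e.g.
#   sh axfr-audit.sh domain.com x.x.x.241 x.x.x.242 x.x.x.243
if [ $# -ge 2 ]; then
    audit_axfr "$@"
fi
```

Run it once from a host inside the authorized ranges (every server should report ALLOWED) and once from a host outside them (every server should report REFUSED); any server that reports ALLOWED from the outside still has an open transfer policy in either BIND or Samba.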