
DNSSEC NSEC: the accidental treasure map to your subdomains


TL;DR:

  • DNSSEC secures DNS, but it can unintentionally expose a zone's structure through its NSEC (and NSEC3) records, allowing zone walking to enumerate subdomains.
  • NSEC lists the domain names in the clear, making enumeration easy.
  • NSEC3 hashes the names, which makes enumeration harder, but attackers can still crack weak configurations.
  • Zone walking lets attackers extract valid domains even when zone transfers (AXFR) are blocked.

Introduction

The Domain Name System (DNS) plays a critical role in mapping human-readable domain names to IP addresses. However, like any decentralized system, it has its weaknesses. The DNS Security Extensions (DNSSEC) were introduced to improve DNS security, but they inadvertently introduced a technique known as zone walking, which allows attackers or researchers to enumerate the DNS records in a zone.

This post dives into how zone walking works, how it differs from zone transfers, and how the risks can be mitigated. We will also cover methods for cracking NSEC3 and highlight how some DNS providers now mitigate these risks with cryptographic signing.

What is DNS?

First, let's talk about what DNS is. The Domain Name System (DNS) is like the phone book of the Internet, converting human-friendly domain names (for example, `example.com`) into machine-readable IP addresses. This allows computers to find and communicate with each other. DNS operates through a hierarchical system of name servers, ensuring fast and efficient query resolution.

So what is DNSSEC?

DNSSEC was designed to add cryptographic signatures to DNS records, ensuring the integrity and authenticity of the data. It prevents attackers from tampering with DNS responses or launching cache-poisoning attacks.

However, DNSSEC also unintentionally exposes information that can be used to enumerate all the domain names in a zone, a process known as zone walking.

What is DNSSEC zone walking?

Zone walking is a technique for enumerating all the subdomains in a DNSSEC-protected zone. It is possible because of the way DNSSEC handles non-existent domain names.

When a query is made for a non-existent domain, DNSSEC must provide proof that the name does not exist. This proof is provided using Next Secure (NSEC) or NSEC3 records. These records create a way to methodically discover the valid domain names in the zone.

What are NSEC records?

NSEC was the first mechanism introduced by DNSSEC to prove the non-existence of a domain name. It works by chaining the records into a sorted list, explicitly stating that no records exist between a given domain name and the next one in the sequence.

While this method allows resolvers to verify the absence of a domain, it also exposes the structure of the DNS zone. By repeatedly querying for non-existent names and analyzing the resulting responses, attackers can systematically enumerate all the valid domain names in the zone.

What is NSEC3?

NSEC3 was introduced as an improvement over NSEC to prevent zone enumeration while still proving the absence of a domain name under DNSSEC. Instead of listing the domain names in plaintext, NSEC3 uses cryptographic hashing to obscure them, making it harder for attackers to enumerate an entire DNS zone.

Although this method reduces the risk of direct enumeration, it is not entirely foolproof. Attackers can still carry out offline dictionary attacks to recover common domain names, especially if weak hashing parameters are used. Nevertheless, NSEC3 provides stronger protection against large-scale enumeration than its predecessor.

Zone transfers vs. zone walking

A zone transfer is when a DNS server sends a full copy of its DNS records to another server, usually for redundancy or failover. It is usually performed using AXFR (authoritative transfer) requests.

If an attacker can request a zone transfer (often due to a misconfiguration), they can obtain every domain and subdomain at once.

How is zone walking different?

  • Zone transfers provide immediate and complete access to the DNS records (if they are misconfigured).
  • Zone walking is slower and requires enumerating names one by one, but it works even when AXFR is disabled.

While most DNS providers now block unauthorized AXFR requests, zone walking remains a risk if DNSSEC is improperly configured.

Example of zone walking with NSEC

An attacker can use dig to enumerate DNSSEC-enabled zones that implement NSEC by repeatedly querying for non-existent subdomains and analyzing the responses.

Before you start, choose a domain or TLD that you suspect is using NSEC rather than NSEC3. For example, the top-level domain (TLD) .cars.

Check that NSEC is enabled:

dig responds with the first NSEC record:

This indicates that there are no valid domains between 0.cars and 8va.cars, because the next-domain name in the first response was 8va.cars.

To discover the next domain, the attacker changes the queried name by altering its last character, or by systematically guessing a name just past the last valid domain. For example, after identifying 8va.cars, the next logical step is to query 8vb.cars to retrieve the next NSEC record.

Query for the next record:

The response reveals:

This indicates that 8xbet.cars is the next valid domain in the sequence. By querying for the next NSEC record after 8xbet.cars, an attacker can progressively discover additional domain names. By systematically querying for non-existent names and analyzing the NSEC responses, the attacker can gradually enumerate all the valid domain names in the zone.
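The walk described above leaves a recognizable trace on the authoritative server: one client sending a tight burst of DNSSEC queries whose names climb through the zone in canonical order. The following Python example, added here and not part of the original post, runs that heuristic over constructed BIND-style query-log lines; the log format, the client addresses and the thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, BIND-style query-log lines (not real traffic). Client 203.0.113.7
# sends a burst of DNSSEC (DO bit, logged here as "D") queries whose names climb
# the zone in canonical order; 198.51.100.23 performs ordinary lookups.
LOG_LINES = """\
12-Mar-2025 10:00:01.001 client 203.0.113.7#5353: query: 0.cars IN A +ED (198.51.100.1)
12-Mar-2025 10:00:01.102 client 203.0.113.7#5353: query: 8vb.cars IN A +ED (198.51.100.1)
12-Mar-2025 10:00:01.201 client 203.0.113.7#5353: query: 8xbeu.cars IN A +ED (198.51.100.1)
12-Mar-2025 10:00:01.303 client 203.0.113.7#5353: query: 8yz.cars IN A +ED (198.51.100.1)
12-Mar-2025 10:00:01.399 client 203.0.113.7#5353: query: 9ab.cars IN A +ED (198.51.100.1)
12-Mar-2025 10:00:02.010 client 198.51.100.23#40012: query: www.8va.cars IN A +E (198.51.100.1)
12-Mar-2025 10:00:05.500 client 198.51.100.23#40013: query: 8xbet.cars IN MX +E (198.51.100.1)
12-Mar-2025 10:00:06.000 client 198.51.100.23#40014: query: 0.cars IN A +E (198.51.100.1)
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-f.:]+)#\d+: "
                     r"query: (?P<name>\S+) IN \S+ (?P<flags>\S+)")

def canonical_key(name):
    """RFC 4034 canonical order: labels compared right to left, case-insensitively."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m["ip"], m["name"], "D" in m["flags"]

def find_walkers(lines, min_run=4, window_s=30):
    """Return {client_ip: longest_run} for clients whose DNSSEC queries form at
    least min_run consecutive names in strictly ascending canonical order,
    each arriving within window_s seconds of the previous one."""
    per_client = defaultdict(list)
    for ts, ip, name, dnssec in parse(lines):
        if dnssec:
            per_client[ip].append((ts, name))
    flagged = {}
    for ip, events in per_client.items():
        run = best = 1
        for (t0, n0), (t1, n1) in zip(events, events[1:]):
            ascending = canonical_key(n1) > canonical_key(n0)
            run = run + 1 if ascending and (t1 - t0).total_seconds() <= window_s else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(find_walkers(LOG_LINES))  # {'203.0.113.7': 5}
```

Legitimate resolvers also set the DO bit, so the ascending-name run, not the flag alone, is what separates a walker from normal traffic.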

Example of zone walking with NSEC3

The steps below demonstrate how to reproduce the NSEC3 enumeration process. Although they focus on enumerating domains at the TLD level, the same steps work for subdomains in any NSEC3-enabled zone. Simply adapt the domain and subdomain details accordingly.

Confirm the zone uses NSEC3

As in the previous example, choose a zone that you suspect is using NSEC3 rather than NSEC. For example, some TLDs such as .sh often use NSEC3.

Check DNSSEC

Look through the response to confirm that you see DNSSEC data. If the zone uses NSEC3, you will often see references to NSEC3 in the negative (authority) section of the response.

Find the authoritative name servers

Every domain has at least one authoritative name server. We want to send queries directly to the authoritative server to make sure we get complete DNSSEC negative responses.

List the NS records of the domain:

That should return something like:

Resolve the IPs:

Now you have the IP address of the authoritative name server.

Generate a random subdomain

The idea is to query a non-existent subdomain (such as blabla-rand-ab.example.tld) to trigger a negative NSEC3 response.

Python can be used to generate a random UUID:

That outputs something like:

Append your domain:

Query the random subdomain with DNSSEC:

The authoritative server should respond with something like NXDOMAIN or SERVFAIL (depending on the zone's policy), and in the authority section you should see lines such as:

Each NSEC3 record defines a range of hashed domain names, specifying which names do not exist. The response will include an NSEC3 record containing a hashed owner name such as ibrth72s0grqj0ig2j27bghskakrhr6u, which represents a hashed label in the zone's denial of existence. By analyzing these records, an attacker can map the hashed name space and attempt to reverse the hashes to discover valid domain names.

Extracting the collected hashes

Looking at the authority section, we identify three NSEC3 records, each revealing a (hash, next-hash) pair.

From the response, we collected these three NSEC3 records:

Each NSEC3 record contains two hashed domain names, so in total:

  • 3 NSEC3 records × 2 hashes per record = 6 hashes collected.

Cracking the hashes

Extract the salt and the iteration count from the previous dig command:

In this case:

  • Algorithm: 1 (SHA-1)
  • Iterations: 0
  • Salt: 73

Save your hashes in a file (nsec3-zones.hashes):

Brute-force the hashes using hashcat:

If successful, it will reveal the real domain names!

For wider coverage, repeat the process by generating another random subdomain and querying it. Each query returns new NSEC3 records, revealing additional hashed intervals in the zone. By analyzing the "next" values in the responses, you gradually map the hashed name space. After enough iterations, you will have collected most of the possible hash segments, allowing you to perform a full NSEC3 walk and discover hidden domain structures.
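To make the algorithm, salt and iteration parameters above concrete, here is the RFC 5155 NSEC3 hash computation together with a check of the published NSEC3PARAM values, added here as an example and not part of the original post. A zone operator can use it to reproduce the hash of one of their own names, confirm which NSEC3 record covers it, and review the parameters before relying on them: note that RFC 9276 now recommends zero additional iterations and an empty salt, because extra iterations and a salt mainly burden validators while barely slowing offline guessing. The `www.example.tld` name is a constructed placeholder; the `aabbccdd` salt and 12 iterations are the RFC 5155 Appendix A test vector.

```python
import base64
import hashlib

B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"  # RFC 4648 base32hex alphabet used by NSEC3

def wire_name(name):
    """Encode a domain name in canonical (lower-case) DNS wire format."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def nsec3_hash(name, salt_hex="", iterations=0):
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed with the salt appended
    `iterations` more times, then base32hex-encoded in lower case."""
    salt = bytes.fromhex(salt_hex) if salt_hex not in ("", "-") else b""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    std = base64.b32encode(digest).decode("ascii")
    return std.translate(str.maketrans(B32_STD, B32_HEX)).lower()

def assess_nsec3param(algorithm, flags, iterations, salt_hex):
    """Report NSEC3PARAM settings that RFC 9276 advises against, or that weaken
    the proofs: extra iterations and a salt cost validators without slowing
    offline guessing; opt-out leaves unsigned delegations unproven (RFC 5155 section 6)."""
    findings = []
    if algorithm != 1:
        findings.append("unsupported hash algorithm %d (only 1 = SHA-1 is defined)" % algorithm)
    if iterations > 0:
        findings.append("iterations=%d: RFC 9276 recommends 0" % iterations)
    if salt_hex not in ("", "-"):
        findings.append("salt present: RFC 9276 recommends an empty salt (-)")
    if flags & 1:
        findings.append("opt-out flag set: unsigned delegations are not covered")
    return findings

if __name__ == "__main__":
    # RFC 5155 Appendix A test vector: "example." with salt aabbccdd, 12 iterations.
    print(nsec3_hash("example.", "aabbccdd", 12))  # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    # The parameters extracted above (algorithm 1, 0 iterations, salt 73) applied to a
    # constructed name; only the salt is flagged by the parameter check.
    print(nsec3_hash("www.example.tld", "73", 0))
    print(assess_nsec3param(1, 0, 0, "73"))
```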

Final thoughts and conclusions

Addressing NSEC zone walking involves balancing your organization's practical needs with the available resources. If domain enumeration is not a major concern, you may find that the simplicity and low overhead of traditional NSEC are perfectly adequate.

However, for domains that require tighter confidentiality controls, such as top-level zones or organizations hosting sensitive subdomains, NSEC3 with robust hashing and properly chosen salt and iteration parameters is the more cautious choice. Configured correctly, this approach makes enumeration attempts harder and helps keep internal domain structures confidential.

For those seeking the next level of privacy, "DNSSEC White Lies" (RFC 4470 and RFC 4471) is worth exploring. This technique can frustrate zone enumeration attempts by serving an artificial NSEC3 record, preventing attackers from simply walking the zone to learn its structure. That said, it requires real-time signature generation on the authoritative server, which may not be feasible in all environments.

As discussed in a previous blog post about DNS, it is important to recognize that DNS was never designed with confidentiality in mind. This raises the question: should we prioritize good operational security (OPSEC) over security through obscurity, or should we use a combination of both?

In reality, the best approach is often a balance between strong OPSEC and limited obscurity. Hiding sensitive assets can be useful, but it should never be your main security strategy. Instead, organizations should focus on reducing the attack surface and securing critical infrastructure.

Finally, the decision to implement NSEC, NSEC3 or White Lies depends on your risk appetite, the sensitivity of your domains and the operational overhead you can manage. Some organizations value the transparency that comes with NSEC, while others prioritize confidentiality above all. By weighing these considerations, you can tailor a DNSSEC solution that meets both your security requirements and your operational capabilities.

DNSSEC is a vital component of modern Internet security, but, like any security measure, it requires careful implementation. The goal is not just to deploy DNSSEC, but to configure it in a way that minimizes unintended exposure while preserving the integrity of your domain.

Tools and links