August 17, 2017

Doctor Web already published an article on how incorrect DNS server settings, combined with other factors, can be one possible reason websites get compromised. Research conducted by our analysts showed that such problems are a pertinent concern for many Russian financial organizations and some governmental organizations.

The Domain Name System (DNS) allows information about domains to be obtained and provides for web addressing. Client software, browsers in particular, use DNS to determine the IP address of a web resource according to the input URL. Usually, domain owners themselves administer DNS servers.

Many web resources use several additional third-level and even fourth-level domains besides the main second-level domain. For example, the drweb.com domain uses the vms.drweb.ru subdomains. They contain a website that allows users to check a link or a file or to find a virus description. The domain free.drweb.ru is for the webpage of Dr.Web CureIt!; updates.drweb.com is for the Dr.Web update system page, etc. Various technical and support services are usually implemented with the use of such domains. Such services include a website administration and management system, online banking systems, mail server web interfaces and all kinds of internal websites for company staff. Subdomains can also be used to organize version control systems, bug trackers, various monitoring services, wiki resources and other needs.

When attacking websites for the purpose of compromising them, cybercriminals first collect information about the web resources they are targeting. In particular, they attempt to determine the type and version of the web server maintaining a website. They also try to identify the content management system version, the engine programming language and other technical information, including the list of subdomains of the attacked website’s main domain. Using this list, cybercriminals can try to get into the web resource’s infrastructure via a “back door” by generating account data and successfully logging into one of the internal private services. Many system administrators do not pay due attention to the security of such resources. Meanwhile, such “internal” websites may use outdated software containing known vulnerabilities, contain debugging information, or allow open registration. All that can significantly simplify the work of cybercriminals.

If the DNS servers maintaining a website are configured correctly, cybercriminals will not be able to obtain the domain zone information they request. However, if DNS server settings are incorrect, a special AXFR request allows cybercriminals to obtain full data on the subdomains registered in the domain zone. Having incorrect DNS server settings is not in itself a vulnerability, however, they can be the indirect cause of a web resource becoming compromised.

Doctor Web security analysts conducted research on the DNS server configurations of numerous Russian banks and governmental organizations. They found that 89 of the roughly 1,000 Russian bank domains they checked gave out the domain zone in response to external AXFR requests. This information was sent to the Bank of Russia’s Financial Sector Computer Emergency Response Team (FinCERT). In addition, incorrect settings were detected on the websites of several governmental organizations. Doctor Web reminds website administrators that correct DNS configuration is one factor contributing to web resource security.