eBook Now Available: Using Farsight Passive DNS for Incident Response - Download now!

← Farsight Blog

Zone Walking (Zone Enumeration via DNSSEC NSEC Records)



I. Introduction

An important capability of DNSSEC is the ability to authoritatively assert that a given domain name does NOT exist, as per Authenticated Denial of Existence in the DNS.

Originally this was done by leveraging NSEC records. However, as noted in section 3.4 of RFC7129:

There were two issues with NSEC (and NXT). The first is that it allows for zone walking. NSEC records point from one name to another; in our example: "example.org" points to "a.example.org", which points to "d.example.org", which points back to "example.org". So, we can reconstruct the entire "example.org" zone, thus defeating attempts to administratively block zone transfers ([RFC2065], Section 5.5).

The second issue is that when a large, delegation-centric ([RFC5155], Section 1.1) zone deploys DNSSEC, every name in the zone gets an NSEC plus RRSIG. [continues]

NSEC3 records were introduced as an alternative to NSEC records, and provide a way to (largely) mitigate this exposure.

The question we consider today is, "Do any zones still sign their zones with NSEC instead of NSEC3?"

Actually, yes, a surprisingly large number of them do.

II. Empirically Checking For NSEC Use

Beginning with the list of TLDs that's available from IANA we used a tool called ldns-walk to check for TLDs using NSEC.

Once you've installed that software, the process of using it is trivial – you merely say:

$ ldns-walk domainname

For example, if you were to walk the KY TLD (no, that's not Kentucky or Kyrgyzstan, dot KY is the Cayman Islands, you'd get output that looks like:

$ ldns-walk ky
000.ky. NS RRSIG NSEC 
100kids.ky. NS RRSIG NSEC 
100men.ky. NS RRSIG NSEC 
100women.ky. NS RRSIG NSEC 
100womencayman.ky. NS RRSIG NSEC 
1040.ky. NS RRSIG NSEC 
111.ky. NS RRSIG NSEC 
123.ky. NS RRSIG NSEC 
1fifteen.ky. NS RRSIG NSEC 
1rumpoint.ky. NS RRSIG NSEC 
1uc.ky. NS RRSIG NSEC 
200.ky. NS RRSIG NSEC 
2017oldenbergltd.ky. NS RRSIG NSEC 

If we discovered that a TLD used NSEC records, we walked the entire TLD.

TLDs which we found with more than a hundred NSEC-using domains are listed in the following table:

Table I. TLDs With One Hundred Or More NSEC-Secured Domains

 2,557,983 us
 2,118,203 co
 2,070,537 biz
   152,779 link
    76,500 click
    53,983 bg
    29,354 lk
    26,619 tn
    24,784 help
    24,768 lol
    22,988 sexy
    22,165 photo
    10,768 pics
     9,524 kg
     8,107 audio
     5,656 hosting
     5,353 ky
     3,451 mg
     2,135 game
     1,989 how
     1,766 pr
     1,373 hiphop
     1,286 br
     1,195 sl
      392 auto
      382 na
      319 lr
      [other TLDs with a 100 or fewer records omitted]

We found that to be a unexpectedly large number of domains.

III. "So Are You Suggesting That Domains Shouldn't Do DNSSEC?"

No – the exact opposite in fact. Farsight strongly believe that all domains should use DNSSEC when possible, and Farsight uses DNSSEC for its own domains and has strong support for DNSSEC in DNSDB (our flagship passive DNS product). Everyone really should have the protection that DNSSEC offers.

IV. "So If A TLD (or 2nd-Level Domain) Is Going to Use DNSSEC, Should It Be Using NSEC3 Instead of NSEC?"

Not necessarily – for example, Farsight itself uses NSEC (rather than NSEC3) to secure its domains, and yes, as a result, you can walk our domains. The company's perspective is that we've got nothing confidential in our publicly-available authoritative DNS, and so we make an informed decision to use NSEC rather than NSEC3.

You (or the TLDs you use) may feel differently – most TLDs block zone transfers, for example, and in that case it might make sense to use NSEC3 rather than NSEC to secure that TLD against being zone walked.

V. "What About Privacy? Zone Walking Feels As If It Encroaches on Domain Owner Privacy!"

Privacy is important, and something that Farsight takes very seriously. However, we agree with the fundamental conclusion quoted here – the mere ability to get a list of domain names does not compromise a domain owner's privacy.

Given the contentious European General Data Protection Regulations, and its potential for catastrophic restrictions on access to Whois information, we will refrain from comment on the remainder of the NLnet Labs' DNSSEC statement as it relates to Whois data, except to say that we believe continued access to Domain Whois and IP Whois is absolutely critical to maintaining a workable, transparent, accountable, and usable Internet.

VI. Conclusion

We hope you've found this an interesting topic to explore. If you'd like to know more about how Farsight Security's DNSDB service can help you leverage DNS data in your investigations, including DNSSEC-related DNS records, feel free to contact Farsight Security, Inc..

Joe St Sauver, Ph.D. is a Scientist with Farsight Security, Inc.

← Blog Home