DNSSEC (Domain Name System Security Extensions) adds origin authentication and integrity to DNS responses by signing zone data. It does not add confidentiality, and its original mechanism for proving that a name does not exist, the NSEC record, lets anyone enumerate every name in a signed zone through a process known as "zone walking."
How Does Zone Walking Occur?
DNSSEC uses NSEC (Next Secure) records to provide authenticated denial of existence. Every name in a signed zone carries an NSEC record whose "next" field holds the name that follows it in the zone's canonical order (RFC 4034 section 6.1: labels compared right to left, case-folded), and the last name points back to the zone apex, so the records form a closed chain. When a resolver queries for a name that does not exist, the authoritative server returns the signed NSEC record of the closest existing name that sorts before the query; because nothing can exist between that owner and its "next" name, the resolver can verify the negative answer. The same record hands an attacker two real names plus, in the NSEC type bitmap, the record types present at the owner. By querying the "next" name (or simply asking each name for its NSEC record with `dig +dnssec NAME NSEC`) and repeating until the chain wraps back to the apex, an attacker lists every name in the zone, a technique known as "NSEC walking" or "zone walking."
Example Scenario:
Consider a zone example.com containing alpha.example.com and beta.example.com. In canonical order the names are example.com, alpha.example.com, beta.example.com, so the NSEC chain is example.com -> alpha.example.com -> beta.example.com -> example.com. If an attacker queries for the non-existent gamma.example.com, which sorts after beta.example.com, the server answers NXDOMAIN with the NSEC record owned by beta.example.com whose next name is example.com, proving that nothing exists between those two. The attacker now knows beta.example.com exists and that it is the last name in the zone. Querying for a name that sorts just after the apex returns example.com's NSEC record and reveals alpha.example.com, and so on: each response exposes one more name, and the walk stops when the chain returns to example.com. The server cannot tell these probes from ordinary lookups.
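The walk described above, as an added example (not code from the original page): it implements RFC 4034 canonical name ordering, builds an NSEC chain over a constructed in-memory zone that stands in for the authoritative server, and then enumerates the zone by following "next" pointers from any starting name, existing or not. The `NsecZone` class, its names and the query/response shapes are assumptions made for the example; a real walk would send the same queries with a DNS client and read the NSEC RRs from the responses.

```python
"""Zone walking over an NSEC chain, simulated against an in-memory zone."""
from bisect import bisect_left
from typing import Optional


def canonical_key(name: str) -> tuple:
    """Sort key implementing RFC 4034 section 6.1 canonical DNS name order:
    labels are compared from the rightmost (most significant) label leftward,
    case-folded, as unsigned octets; a name sorts before its own subdomains."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return tuple(lbl.encode("ascii") for lbl in reversed(labels))


class NsecZone:
    """Stand-in for an NSEC-signed authoritative server (constructed for this
    example; it models only the NSEC chain, not signatures or other RR types)."""

    def __init__(self, apex: str, names, types=None):
        self.apex = apex.rstrip(".").lower()
        all_names = {self.apex} | {n.rstrip(".").lower() for n in names}
        self.names = sorted(all_names, key=canonical_key)
        self.keys = [canonical_key(n) for n in self.names]
        # Type bitmap per owner; the default set is illustrative only.
        self.types = dict(types or {})

    def nsec(self, owner: str):
        """The NSEC RR at `owner` as (owner, next_name, types).
        The last name in canonical order wraps back to the apex."""
        i = self.names.index(owner)
        nxt = self.names[(i + 1) % len(self.names)]
        return owner, nxt, sorted(self.types.get(owner, {"A", "RRSIG", "NSEC"}))

    def query(self, qname: str):
        """Answer a probe for `qname`. An existing name returns its own NSEC RR
        (what a direct NSEC query returns); a missing name returns NXDOMAIN with
        the NSEC whose owner is the closest preceding existing name, which is
        what proves (and leaks) the gap in the chain."""
        qname = qname.rstrip(".").lower()
        key = canonical_key(qname)
        if key[: len(self.keys[0])] != self.keys[0]:
            raise ValueError(f"{qname} is not under {self.apex}")
        if qname in self.names:
            return "NOERROR", self.nsec(qname)
        # The apex key is a prefix of every in-zone key, so i >= 1 here.
        i = bisect_left(self.keys, key)
        return "NXDOMAIN", self.nsec(self.names[i - 1])


def walk_zone(zone: NsecZone, start: Optional[str] = None) -> list:
    """Enumerate every name in the zone by following NSEC 'next' pointers until
    the chain wraps back to the first owner seen. `start` may be any in-zone
    name, existing or not: its covering NSEC supplies the first link."""
    _, (owner, nxt, _) = zone.query(start or zone.apex)
    found = [owner]
    while nxt != found[0]:
        found.append(nxt)
        _, (_, nxt, _) = zone.query(nxt)
    return found


if __name__ == "__main__":
    # Constructed zone matching the scenario in the text.
    zone = NsecZone("example.com", ["alpha.example.com", "beta.example.com"])
    print(zone.query("gamma.example.com"))  # NXDOMAIN, NSEC beta.example.com -> example.com
    print(walk_zone(zone, "gamma.example.com"))
```

Starting the walk from a random non-existent name, as the scenario does, works just as well as starting from the apex: the covering NSEC is the first link, and the walk ends when that link's owner comes round again.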
Mitigation Measures:
To mitigate zone walking, RFC 5155 introduced NSEC3 records. Instead of chaining the names themselves, NSEC3 chains salted, iterated SHA-1 hashes of the owner names (the hash and its parameters are published in the zone's NSEC3PARAM record). A walker can still collect every link in the chain, because the hashes are ordered and each record points to the next, but it obtains hashes rather than names and must guess the originals. That is an offline dictionary attack with a public salt, and tools such as hashcat (mode 8300) do it routinely, so NSEC3 hides only names that a wordlist would not guess. Raising the iteration count does not help: RFC 9276 recommends an iteration count of 0 and no salt, since higher values mostly burden validating resolvers. NSEC3 Opt-Out does not hide names either; it only lets unsigned delegations be skipped. If names in a zone genuinely must stay private, the remaining option is on-line signing with minimally covering NSEC or NSEC3 records (RFC 4470, the "white lies" approach), which answers each negative query with a record that proves only the queried name absent and exposes no real neighbour. Otherwise treat every name in a DNSSEC-signed zone as public.
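An added example (not code from the original page) of both halves of the NSEC3 argument: the RFC 5155 hash computation that turns an owner name into an NSEC3 owner, and the dictionary attack an attacker runs against the hashes collected by walking an NSEC3 chain. The zone, names, wordlist, salt and iteration count are constructed for the example; the salt and iteration values are illustrative, not a recommendation. Output can be checked against the test vectors in RFC 5155 Appendix A.

```python
"""NSEC3 hashing (RFC 5155 section 5) and an offline dictionary attack on the result."""
import base64
import hashlib

# RFC 4648 base32hex alphabet, obtained by remapping Python's standard base32 output.
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire format of a name: length-prefixed labels, root byte."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """RFC 5155: IH(salt, x, 0) = SHA1(x || salt); IH(salt, x, k) = SHA1(IH(salt, x, k-1) || salt).
    The NSEC3 owner name is the final digest in base32hex (32 characters for SHA-1)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii")


def nsec3_chain(zone: str, names, salt: bytes, iterations: int) -> list:
    """What a walker ends up with after following an NSEC3 chain: the sorted hashed
    owner names. Each NSEC3 RR points at the next hash, so the chain is walkable
    exactly like NSEC; only the labels are hidden."""
    owners = {zone} | set(names)
    return sorted(nsec3_hash(n, salt, iterations) for n in owners)


def crack_nsec3(hashes, zone: str, salt: bytes, iterations: int, wordlist) -> dict:
    """Dictionary attack: hash each candidate label under `zone` with the zone's
    published salt and iteration count and match against the collected hashes.
    Returns {hash: recovered_name} for every hit; unguessed names stay hidden."""
    targets = {h.upper() for h in hashes}
    recovered = {}
    for candidate in [zone] + [f"{word}.{zone}" for word in wordlist]:
        h = nsec3_hash(candidate, salt, iterations)
        if h in targets:
            recovered[h] = candidate
    return recovered


if __name__ == "__main__":
    # Constructed zone and wordlist; the salt/iterations are example values only.
    salt, iterations = bytes.fromhex("aabbccdd"), 12
    names = ["www.example.com", "mail.example.com", "alpha.example.com", "secret-7f3a.example.com"]
    chain = nsec3_chain("example.com", names, salt, iterations)
    hits = crack_nsec3(chain, "example.com", salt, iterations, ["www", "mail", "ftp", "alpha", "beta"])
    print(f"{len(hits)} of {len(chain)} hashed owners recovered")
    for h, n in sorted(hits.items()):
        print(h, n)
```

The attacker's cost is one SHA-1 chain per candidate per zone; the salt only prevents reuse of a table across zones, and the iteration count multiplies the defender's signing and the resolver's validation work by the same factor it multiplies the attacker's, which is why RFC 9276 advises setting it to 0. In the constructed run above, the unguessable `secret-7f3a` label is the only owner left uncracked.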