it's not the nameserver. It's the domain "cyberia.net.sa" that has
"localhost" in it pointing go 127.0.0.1

This is useless. The localhost hostname should not exist in domains other
than "localhost." that should be configured on recursive servers.
simply remove the "localhost" record from cyberia.net.sa and possibly other
domains.

Complete scam, ignore.

Just check the “securityfocus” link, it’s fake too.

Jukka

LÀhettÀjÀ: bind-users <bind-users-***@lists.isc.org> Puolesta Ejaz Ahmed
LÀhetetty: 5. kesÀkuuta 2020 10:55
Vastaanottaja: bind-***@lists.isc.org
Aihe: Fwd: DNS Misconfiguration on- http://cyberia.net.sa/



Some one is is claiming that our name server 212.118.64.2 is vulnerable with below information is this true

Any suggestions would be appreciated

Thanks a n advance

Ejaz



Dear CYBERIA GROUP Security Team ,

I Rahul a Ethical Hacker and Security Researcher. I found a vulnerability on your website that is DNS Misconfiguration .

Your localhost.cyberia.net.sa<http://localhost.cyberia.net.sa> has address 127.0.0.1 and this may lead to "Same- Site" Scripting. I can also ping the localhost network.


Here is detailed description of this minor security issue : http://www.securityfocus.com/archive/1/486606/30/0/threaded<https://hackerone.com/redirect?signature=f22656dd5afea782410979cdd3fbb951f819c82e&url=http%3A%2F%2Fwww.securityfocus.com%2Farchive%2F1%2F486606%2F30%2F0%2Fthreaded>

Find attached POC Video.

Dear Team Waiting for your response and I want bounty(money) with an Appreciation letter for my work and effort which I have given for


Thanks in advance
Ejaz

The localhost.<foo> is not scam, but the

„I found this on HackerOne and I now want money“ is scam.

Remove the localhost entry from the zone, but you should not pay money
for issues that can be produced by automated scanners.

HackerOne is doing everyone disfavor by paying nonsensical amounts of
money[*] for small issues like this. They (and other wealthy companies)
should be paying money only for original security research and not this
nonsense.

* $100 is a helluva money in some economies...

Ondrej
--
Ondřej SurÃœ

Thx for the info, had missed this one and actually we have that minor misconfiguration too. Have had since 1995 when started our nameservers and never noticed...

Jukka

-----Alkuperäinen viesti-----
Lähettäjä: Ondřej Surý <***@isc.org>
Lähetetty: 5. kesäkuuta 2020 11:53
Vastaanottaja: Jukka Pakkanen <***@qnet.fi>
Kopio: Ejaz Ahmed <***@cyberia.net.sa>; bind-***@lists.isc.org
Aihe: Re: DNS Misconfiguration on- http://cyberia.net.sa/

The localhost.<foo> is not scam, but the

„I found this on HackerOne and I now want money“ is scam.

Remove the localhost entry from the zone, but you should not pay money for issues that can be produced by automated scanners.

HackerOne is doing everyone disfavor by paying nonsensical amounts of money[*] for small issues like this. They (and other wealthy companies) should be paying money only for original security research and not this nonsense.

* $100 is a helluva money in some economies...

Ondrej
--
Ondřej Surý

Yes, it used to be recommended -
https://tools.ietf.org/html/rfc1537#section-10

But not any more, because -
https://seclists.org/bugtraq/2008/Jan/270

I also only found out about this recently(ish) -
https://www.dns.cam.ac.uk/news/2017-09-01-localhost.html

Tony.

Yes but I think the rfc1537 refers, and the recommendation always was "localhost." hostname, which refers to name "localhost", not "localhost.domain". Then I guess, this was already wrong in the O'Reilly "DNS and BIND" book (have to check that), which I remember using as a guideline to set up our first domains/zones. And from that, the setting was copied later on to all new domains too.

Jukka

-----Alkuperäinen viesti-----
Lähettäjä: Tony Finch <***@dotat.at>
Lähetetty: 5. kesäkuuta 2020 16:09
Vastaanottaja: Jukka Pakkanen <***@qnet.fi>
Kopio: Ondřej Surý <***@isc.org>; bind-***@lists.isc.org
Aihe: Re: VS: DNS Misconfiguration on- http://cyberia.net.sa/
Yes, it used to be recommended -
https://tools.ietf.org/html/rfc1537#section-10

But not any more, because -
https://seclists.org/bugtraq/2008/Jan/270

I also only found out about this recently(ish) - https://www.dns.cam.ac.uk/news/2017-09-01-localhost.html

Tony.
--
f.anthony.n.finch <***@dotat.at> http://dotat.at/ Tyne, Dogger: Northwest 5 or 6, backing southwest 6 to gale 8, then becoming cyclonic 5 to 7 later. Slight or moderate, becoming rough for a time. Rain or thundery showers. Good, occasionally poor.

Hrmmm... I'm reminded of something else I've seen reported on recently...
I don't know if you've been paying attention, but it's been reported that
among others EBay has been port scanning visitor's devices [0]. Having
localhost.ebay.com could be handy for them in terms of circumventing some
rules on setting of cookies and the execution of scripts. Not saying
that's what they're doing, heaven forbid.

Any domain you visit could have entries in it which point to e.g.
localhost or nonrouting addresses commonly used for gateways, things like
that.

This is not a DNS problem, it's a problem in what commonly used programs
aid and abet in the name of "freedom of commerce" or something.

--

Fred Morris

--

[0]
https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/

It's possible to block with rpz & something else that I can't recall
right now. I did RPZ blocking first, so I didn't bother changing

; return NXDOMAIN for any 127.0.0.0/8 answers
; exceptions:
onea.net-snmp.org CNAME rpz-passthru.
twoa.net-snmp.org CNAME rpz-passthru.
localhost CNAME rpz-passthru.
8.0.0.0.127.rpz-ip CNAME . ; 127.0.0.0/8
; check:
; localhost 127.0.0.1
; onea.net-snmp.org 127.0.0.1
; twoa.net-snmp.org 127.0.0.2 127.0.0.3

All my other host names that used to return 127.0.0.1 answers don't
any more :( Anyone know some valid names I can use for testing?

Lee

Wholeheartedly agreed. Not to mention that it's extremely rude to demand
fame/money like that. These are not security researchers, they're skids.

(Please disregard the previous email, pressed the wrong reply button and
realized it too late..)

If it makes you feel better, it wasn't an error in 1995.

I remember removing the last of the localhost pointers in my dns setup less than 20 years ago. Perhaps a lot less? More than 8 years ago for sure.

I do not remember why it was recommended in the first place for sure, but I think it was to reduce load on the DNS, nor why it stopped being recommended, probably some attack vector?

I'm not so sure, the written English is poor and can be misinterpreted.
The sec focus link is crafted peculiarly but it's not a hustle in and of
itself, it's sharing the problem description after all.

I think given the misconfiguration *has* gone unnoticed and potentially
could be of trouble 'in the future' a thank you, acknowledgement and
small compensation would actually be the decent thing to do.

Just my 2c as an active participant in the security community.

Dear Valued Customer,


Thank you for your inquiry. Please let us know how we may assist you.


If you have a Renter’s policy, you can manage your policy online 24/7 at: https://www.myassurantpolicy.com/

You have access to a range of service options including:

*
View/update policy information
*
Manage your payments
*
Obtain proof of insurance
*
And much more



Thank you for allowing us the opportunity to serve you.


Sincerely,

Insurance Services

Assurant - Global Specialty Operations




------------------- Original Message -------------------
From: Fred Morris
Received: Fri Jun 05 2020 12:17:17 GMT-0400 (Eastern Daylight Time)
To: Bhangui, Sandeep - BLS CTR via bind-users
Subject: Re: Fwd: DNS Misconfiguration on- http://cyberia.net.sa/

Hrmmm... I'm reminded of something else I've seen reported on recently...
I don't know if you've been paying attention, but it's been reported that
among others EBay has been port scanning visitor's devices [0]. Having
localhost.ebay.com could be handy for them in terms of circumventing some
rules on setting of cookies and the execution of scripts. Not saying
that's what they're doing, heaven forbid.

Any domain you visit could have entries in it which point to e.g.
localhost or nonrouting addresses commonly used for gateways, things like
that.

This is not a DNS problem, it's a problem in what commonly used programs
aid and abet in the name of "freedom of commerce" or something.

--

Fred Morris

--

[0]
https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

**********************************************************************
This e-mail message and all attachments transmitted with it may contain legally privileged and/or confidential information intended solely for the use of the addressee(s). If the reader of this message is not the intended recipient, you are hereby notified that any reading, dissemination, distribution, copying, forwarding or other use of this message or its attachments is strictly prohibited. If you have received this message in error, please notify the sender immediately and delete this message and all copies and backups thereof. Thank you.