Zone transferable DNSExit.com: probably the most insecure DNS and hosting provider out there!

I stumbled upon DNS Exit and some of their clients a month or two back, and noticed zone transfer* worked. *This “feature” lets you grab all DNS records, most of which are normally private. It is rare these days for this trick to work, and it worked not only on dnsexit.com but on all of its tens of thousands of clients! Zone transfer is typically off by default; you can enable it, but lock it down to another domain or IP. With this provider it is on, with no option to turn it off or restrict it. Its purpose is to sync DNS zones (the “database”).
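If you run your own authoritative server, the lock-down described above can be verified from the server's transfer log. The following is an added example, not part of the original post: it flags zone transfers served to, or attempted by, any address outside a list of known secondaries. The log lines are constructed and modelled on BIND 9 messages (an assumption; the post does not say what server software is involved), and the `SECONDARIES` allowlist is hypothetical.

```python
import ipaddress
import re

# Constructed sample lines, modelled on BIND 9 transfer log messages.
SAMPLE_LOG = """\
12-Mar-2024 10:15:32.123 xfer-out: info: client @0x7f8b4c0a1234 192.0.2.53#41234 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024031201)
12-Mar-2024 10:17:02.500 xfer-out: info: client @0x7f8b4c0a5678 203.0.113.45#50211 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024031201)
12-Mar-2024 10:17:09.010 security: error: client @0x7f8b4c0a9abc 198.51.100.7#39000 (example.org): zone transfer 'example.org/AXFR/IN' denied
12-Mar-2024 10:18:44.730 xfer-out: info: client @0x7f8b4c0adef0 2001:db8::53#40100 (example.org): transfer of 'example.org/IN': IXFR started (serial 2024031202)
12-Mar-2024 10:19:00.000 queries: info: client @0x7f8b4c0a0001 203.0.113.45#50300 (www.example.com): query: www.example.com IN A +
"""

# Hypothetical allowlist: the only hosts that should ever pull a zone.
SECONDARIES = [ipaddress.ip_network(n) for n in ("192.0.2.53/32", "2001:db8::53/128")]

# Common prefix: optional "@0x..." handle, client address, source port, query name.
CLIENT = r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f:.]+)#\d+ \([^)]*\): "
STARTED = re.compile(CLIENT + r"transfer of '(?P<zone>[^/']+)/IN': (?P<kind>[AI]XFR) started")
DENIED = re.compile(CLIENT + r"zone transfer '(?P<zone>[^/']+)/(?P<kind>[AI]XFR)/IN' denied")


def is_secondary(ip):
    """True if the client address belongs to a known secondary."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SECONDARIES)


def audit_transfers(log_text):
    """Return (status, client_ip, zone, kind) for every transfer event from a
    non-secondary: LEAKED = zone was served, PROBE = request was denied."""
    findings = []
    for line in log_text.splitlines():
        m = STARTED.search(line)
        if m:
            if not is_secondary(m["ip"]):
                findings.append(("LEAKED", m["ip"], m["zone"], m["kind"]))
            continue
        m = DENIED.search(line)
        if m and not is_secondary(m["ip"]):
            findings.append(("PROBE", m["ip"], m["zone"], m["kind"]))
    return findings


if __name__ == "__main__":
    for finding in audit_transfers(SAMPLE_LOG):
        print(*finding)
```

A `LEAKED` row means the full zone went to a host that is not one of your secondaries, which is the condition this post describes; a `PROBE` row means the restriction held but someone tried.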

Why do exposed DNS records matter? Typically just the records for email settings (MX) and the main web address IP (@/www - A) are visible. Others are hidden, and for good reason: they show services used internally and by certain clients. Imagine if anyone knew the addresses of your VPN, webmail, document store and client extranet. They can start attacking, looking for flaws, or simply phish their way through. Zone transfer is not the only flaw at DNS Exit…

The provider offers all sorts of services: domains, DNS, hosted email, backup email and web hosting, all of which are likely insecure going by how buggy and poorly secured their website is. Dnsexit.com is full of spelling errors, technical errors and poor implementation of TLS (SSL). Some pages accept usernames/passwords over HTTP; once logged in, session tokens are passed in the clear; and it accepts credit cards over HTTP if you tell it to. Their own security is shoddy, hence the security of clients will likely be too. It is very likely they will be breaking PCI-DSS due to poor encryption implementations.

Just see the screenshots below:


A random technical error I stumbled upon.


Account profile page which loads as HTTP by default.


Re-login page which loads as HTTP.


HTTP shopping cart.


HTTP payment selection page.


Another random error I stumbled across.


Though the credit card screen loads as HTTPS, you can request HTTP in the browser and it loads. See that the HTML POST is over HTTP.


It repeats back credit card data over HTTP.


Client webmail screen which happily opens as HTTP.


Zone transfer of a Turkish govt. client.


Zone transfer of an Indian govt. client.


Zone transfer of themselves. If they can’t even secure themselves how can they be expected to secure clients?