Why do exposed DNS records matter? Typically just the records of email settings (MX) and the main web address IP (@/www - A) are visible. Others are hidden and for good reason, they show services used internally and by certain clients. Imagine if anyone knew what the address of your VPN, webmail, document store and client extranet was? They can start attacking, looking for flaws or simply phish their way through. Zone transfer is not the only flaw at DNS Exit…
The provider offers all sorts of services: domains, DNS, hosted email, backup email and web hosting. All of which are likely in-secure going by how buggy and poorly secured their website is. Dnsexit.com is full of spelling errors, technical errors and poor implementation of TLS (SSL). Some pages accept usernames/passwords over HTTP, once logged in session tokens are passed in the clear and it accepts credit cards over HTTP if you tell it to. Their own security is shoddy hence the security of clients will likely be to. It is very likely they will be breaking PCI-DSS due to poor encryption implementations.
Just see the screenshots below:
A random technical error I stumbled upon.
Account profile page which loads as HTTP by default.
Re-login page which loads as HTTP.
HTTP shopping cart.
HTTP payment selection page.
Another random error I stumbled across.
Though the credit card screen loads as HTTPs you can request HTTP in the browser and it loads. See HTML post is HTTP.
It repeats back credit card data over HTTP.
Client webmail screen which happily opens as HTTP.
Zone transfer of a Turkish govt. client.
Zone transfer of a Indian govt. client.
Zone transfer of themselves. If they can’t even secure themselves how can they be expected to secure clients?