{
	"id": "582c6292-667d-47fc-8f46-0de4db5c96ff",
	"created_at": "2026-04-06T00:18:07.723101Z",
	"updated_at": "2026-04-10T03:23:52.118443Z",
	"deleted_at": null,
	"sha1_hash": "8abe4bc77c7801674b445dd5bfb3ee4b41e745ca",
	"title": "SecurityTrails | Wrong Bind Configuration Exposes the Complete List of Russian TLD's to the Internet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54795,
	"plain_text": "SecurityTrails | Wrong Bind Configuration Exposes the Complete List of Russian TLD's to the Internet\r\nArchived: 2026-04-05 20:49:13 UTC\r\nThe Wayback Machine - https://web.archive.org/web/20180615055527/https://securitytrails.com/blog/russian-tlds\r\ndomains government security\r\nSecurityTrails Blog · Mar 14 · SecurityTrails team\r\nDNS is one of the most important services of the net — it’s the heart and soul of the Internet as we know it. And when DNS servers are not well configured, they can easily be exploited to gain important information about their DNS zones and records.\r\nOne of the most common misconfigurations found on DNS servers is having DNS zone transfers enabled without restrictions.\r\nAn AXFR query requests a full zone transfer, the mechanism that lets an entire DNS zone be retrieved and replicated across servers.\r\nApparently, thanks to a bad BIND configuration, unrestricted zone transfers were enabled by default on a few Russian DNS nameservers.\r\nAround June 6, 2017, due to this misconfiguration, some DNS servers allowed zone transfers (AXFR) without restrictions. This led to the full contents of Russian TLD zones such as .ru, .su, .tatar, and .рф being exposed.\r\nAt that time, the AXFR request could be made against the following DNS servers:\r\na.dns.ripn.net\r\nb.dns.ripn.net\r\nd.dns.ripn.net\r\nThe folks at the TLDR project noticed this fast enough to capture the complete list of all domains registered under the Russian TLD space.\r\nAt that time, to get the full list of domain names, you only had to run this command:\r\ndig axfr su. @a.dns.ripn.net\r\nOn June 19, 2017, AXFR was disabled on these DNS servers, and since then the transfer no longer works:\r\n[webtech@localhost ~]$ dig axfr su. @a.dns.ripn.net\r\n; \u003c\u003c\u003e\u003e DiG 9.11.2-P1-RedHat-9.11.2-1.P1.fc26 \u003c\u003c\u003e\u003e axfr s\r\nBut this misconfiguration was live long enough for some people to get the full domain name information and spread it over the network, exposing 5.1% of all domain names on the Internet.\r\n@mandatoryprogrammer, for example, managed to get this full list of 5,788,031 domain names, which was later uploaded to GitHub. These are the stats he got from this leak:\r\nSummary of Domain Names Leaked\r\n.ru (Russia ccTLD): 5,214,868 domains\r\n.su (Soviet Union ccTLD): 104,591 domains\r\n.tatar (gTLD): 861 domains\r\n.рф (IDN ccTLD): 466,890 domains\r\n.дети (gTLD): 821 domains\r\nJust as with the Russian DNS leak, having the right DNS toolkit in your hands can enable you to audit possible security holes on third-party networks, defend against bad guys on your own servers, or apply for a cool data bounty program like the one we have at SecurityTrails.\r\nWhatever type of agency or company you work for, private or public, when you need to investigate domain names, DNS servers, or IP addresses, you can always count on the powerful and reliable SecurityTrails API.\r\nOpen a free account today, start using SecurityTrails, or have a look at our public free service SecurityTrails.\r\nSource: https://web.archive.org/web/20180615055527/https://securitytrails.com/blog/russian-tlds",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20180615055527/https://securitytrails.com/blog/russian-tlds"
	],
	"report_names": [
		"russian-tlds"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434687,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8abe4bc77c7801674b445dd5bfb3ee4b41e745ca.pdf",
		"text": "https://archive.orkl.eu/8abe4bc77c7801674b445dd5bfb3ee4b41e745ca.txt",
		"img": "https://archive.orkl.eu/8abe4bc77c7801674b445dd5bfb3ee4b41e745ca.jpg"
	}
}