Overview
DNS zone transfers can give an attacker the keys to the DNS castle, so to speak. Although this vulnerability is ancient and rather rare these days, it is still important to know how zone transfers work and how to prevent unauthorized transfers.
What Is A Zone Transfer?
In simplest terms, a zone transfer is the process of copying a zone file onto another DNS server. Since DNS failure can have severe consequences for an organization, there are almost always multiple name servers with an identical zone file. DNS entries are generally only modified on the primary server; the secondary servers then synchronize with it. The server acting as the source for the synchronization of a zone file is called a master, and the one obtaining the zone data is called a slave. The slave fetches the SOA record from the master at certain intervals and compares serial numbers; if the master's serial number is greater than the slave's, the data no longer matches and a zone transfer is initiated.
How To Perform a Zone Transfer
The process for performing a zone transfer with dig would look like this (first look up the zone's name servers, then request the transfer from one of them):
dig ns example.com
dig axfr example.com @ns.example.com
Here is an example (screenshot of the dig output in the original article, not reproduced here):
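To turn the two dig commands above into a repeatable check of your own zones, here is an added Python example (not code from the original article). It runs dig axfr against each name server, classifies the reply as a completed transfer or a refusal, lists the host names a completed transfer reveals, and compares SOA serials between servers, which is the same comparison a secondary makes when deciding whether to pull the zone. example.com, the 192.0.2.x / 198.51.100.x addresses and the two captured dig outputs are constructed placeholders; the dig binary is only needed by run_axfr when querying live servers.

```python
"""Audit which authoritative name servers will hand over a zone via AXFR.

Added example, not from the original article. Parsing is separated from the
network call so it can be exercised on captured output; the sample outputs
below are constructed and the names/addresses are documentation placeholders.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# A resource record line in dig's output: name  ttl  IN  type  rdata
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s+(.*)$")


@dataclass
class AxfrResult:
    server: str
    transferred: bool = False                 # did the server give up the zone?
    serial: Optional[int] = None              # SOA serial, if we got the zone
    records: List[Tuple[str, str, str]] = field(default_factory=list)  # (name, type, rdata)


def parse_axfr_output(server: str, text: str) -> AxfrResult:
    """Classify the stdout of ``dig axfr <zone> @<server>``."""
    result = AxfrResult(server=server)
    for line in text.splitlines():
        if line.startswith(";"):
            # dig reports a refused or failed transfer as a comment line.
            if "Transfer failed" in line:
                return result
            continue
        m = RR_LINE.match(line)
        if not m:
            continue
        name, _ttl, rtype, rdata = m.groups()
        result.records.append((name, rtype, rdata))
        if rtype == "SOA" and result.serial is None:
            # SOA rdata: mname rname serial refresh retry expire minimum
            result.serial = int(rdata.split()[2])
    # A complete AXFR is bracketed by the SOA record at the start and the end.
    soa_count = sum(1 for _, rtype, _ in result.records if rtype == "SOA")
    result.transferred = soa_count >= 2
    return result


def exposed_hosts(result: AxfrResult) -> List[str]:
    """Host names whose addresses the transfer revealed (the 'trove')."""
    return sorted({name for name, rtype, _ in result.records if rtype in ("A", "AAAA")})


def out_of_sync(results: List[AxfrResult]) -> List[str]:
    """Servers whose SOA serial lags the newest one seen (stale secondaries)."""
    serials = [r.serial for r in results if r.transferred and r.serial is not None]
    if not serials:
        return []
    newest = max(serials)
    return [r.server for r in results
            if r.transferred and r.serial is not None and r.serial < newest]


def run_axfr(zone: str, server: str) -> AxfrResult:
    """Query a live server; needs the dig binary and network access."""
    proc = subprocess.run(
        ["dig", "+time=5", "+tries=1", "axfr", zone, "@" + server],
        capture_output=True, text=True, check=False,
    )
    return parse_axfr_output(server, proc.stdout)


# Constructed sample: ns1 allows the transfer and leaks internal host names.
SAMPLE_TRANSFER_OK = """\
; <<>> DiG 9.18.1 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010501 7200 3600 1209600 3600
example.com.\t\t3600\tIN\tNS\tns1.example.com.
example.com.\t\t3600\tIN\tNS\tns2.example.com.
ns1.example.com.\t3600\tIN\tA\t192.0.2.53
ns2.example.com.\t3600\tIN\tA\t198.51.100.53
vpn.example.com.\t300\tIN\tA\t192.0.2.10
intranet.example.com.\t300\tIN\tA\t192.0.2.20
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010501 7200 3600 1209600 3600
;; Query time: 4 msec
;; SERVER: 192.0.2.53#53(ns1.example.com) (TCP)
;; XFR size: 8 records (messages 1, bytes 260)
"""

# Constructed sample: ns2 is configured correctly and refuses.
SAMPLE_TRANSFER_REFUSED = """\
; <<>> DiG 9.18.1 <<>> axfr example.com @ns2.example.com
;; global options: +cmd
; Transfer failed.
"""

if __name__ == "__main__":
    for server, output in (("ns1.example.com", SAMPLE_TRANSFER_OK),
                           ("ns2.example.com", SAMPLE_TRANSFER_REFUSED)):
        r = parse_axfr_output(server, output)
        status = "ALLOWS AXFR" if r.transferred else "refuses AXFR"
        print(f"{server}: {status}, serial={r.serial}, hosts={exposed_hosts(r)}")
```

Run it against the name servers of a zone you operate: any server that reports ALLOWS AXFR to a source other than your own secondaries is misconfigured, and a serial that lags the primary's points at a secondary whose refresh or NOTIFY path is broken.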
Impact Of Zone Transfers
While a zone transfer may not result in immediate compromise, it does grant someone a sizeable trove of information (every host name and address in the zone) that can be used to launch other attacks. Generally speaking, companies should only expose the information necessary to provide the service they offer; anything more is unnecessary and makes an attacker's life easier.
Remediation
Only allow transfers from trusted IPs. The exact steps vary from server to server, but there should be a way to whitelist your secondary servers for zone transfers.
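For BIND specifically, the allow-transfer statement is that whitelist. The following is an added example (not from the original article) that contrasts a constructed weak named.conf with a hardened one and includes a small checker reporting each zone's effective transfer policy, taking the options-level ACL as the default for zones that do not set their own. The IP addresses are documentation placeholders; treating an unset ACL as open is this checker's assumption, to be confirmed against the default of your BIND release.

```python
"""Flag zones in a BIND named.conf whose allow-transfer ACL is unrestricted.

Added example, not from the original article. Assumes BIND's named.conf
syntax: allow-transfer may appear in the options block and be overridden per
zone. Other DNS servers use different directives. Both configurations below
are constructed and the IP addresses are placeholders.
"""
import re
from typing import Dict, List, Optional, Tuple

ALLOW_TRANSFER = re.compile(r"allow-transfer\s*\{([^}]*)\}")


def _strip_comments(text: str) -> str:
    """Remove /* */, // and # comments so they cannot hide or fake a statement."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(//|#).*", "", text)


def _blocks(text: str, keyword: str) -> List[Tuple[str, str]]:
    """Return (name, body) for every `keyword "name" { ... };` block, honouring nesting."""
    found = []
    for m in re.finditer(r"\b" + keyword + r"\b\s*(?:\"([^\"]*)\")?\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        found.append((m.group(1) or "", text[m.end():i - 1]))
    return found


def classify_acl(acl: Optional[str]) -> str:
    """Map an allow-transfer address list to open / closed / restricted / unset."""
    if acl is None:
        return "unset"
    items = [t.strip().lower() for t in acl.split(";") if t.strip()]
    if not items or items == ["none"]:
        return "closed"
    if "any" in items:
        return "open"
    return "restricted"   # explicit IPs, named ACLs or TSIG keys


def check_zone_transfers(conf: str) -> Dict[str, str]:
    """Effective transfer policy per zone: zone-level ACL, else options-level."""
    text = _strip_comments(conf)
    global_acl = None
    for _, body in _blocks(text, "options"):
        m = ALLOW_TRANSFER.search(body)
        if m:
            global_acl = m.group(1)
    verdicts = {}
    for name, body in _blocks(text, "zone"):
        m = ALLOW_TRANSFER.search(body)
        verdict = classify_acl(m.group(1) if m else global_acl)
        if verdict == "unset":
            # Assumption for this checker: an unset ACL is treated as open, matching
            # the historical BIND default; confirm the default for your release.
            verdict = "open"
        verdicts[name] = verdict
    return verdicts


# Constructed weak configuration: anyone may pull the zone.
WEAK_CONF = """
options {
    directory "/var/cache/bind";
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { any; };
};
"""

# Constructed hardened configuration: deny by default, allow only the secondary.
HARDENED_CONF = """
options {
    directory "/var/cache/bind";
    allow-transfer { none; };            // default for every zone
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 198.51.100.53; };   // the secondary's address only
    also-notify { 198.51.100.53; };      // push NOTIFY so it syncs promptly
};
"""

if __name__ == "__main__":
    print("weak:", check_zone_transfers(WEAK_CONF))
    print("hardened:", check_zone_transfers(HARDENED_CONF))
```

Putting allow-transfer { none; } in options means a newly added zone is closed until someone deliberately lists its secondaries, which is the safer failure mode than relying on each zone stanza to remember the restriction.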