Can anyone explain what is DNS zone transfer attack or give any link, paper?

I have already googled, but could not find anything meaningful.

techraf

2 Answers

DNS Zone transfer is the process where a DNS server passes a copy of part of its database (which is called a "zone") to another DNS server. It's how you can have more than one DNS server able to answer queries about a particular zone; there is a Primary DNS server, and one or more Secondary DNS servers, and the secondaries ask the primary for a copy of the records for that zone.

A basic DNS Zone Transfer Attack isn't very fancy: you just pretend you are a secondary and ask the primary for a copy of the zone records. And it sends you them; DNS is one of those really old-school Internet protocols that was designed when everyone on the Internet literally knew everyone else's name and address, and so servers trusted each other implicitly.

It's worth stopping zone transfer attacks, as a copy of your DNS zone may reveal a lot of topological information about your internal network. In particular, if someone plans to subvert your DNS, by poisoning or spoofing it, for example, they'll find having a copy of the real data very useful.

So best practice is to restrict Zone transfers. At the bare minimum, you tell the primary what the IP addresses of the secondaries are and not to transfer to anyone else. In more sophisticated set-ups, you sign the transfers. So the more sophisticated zone transfer attacks try and get round these controls.

SANS have a white paper that discusses this further.

Graham Hill

@GrahamHill already explained a zone transfer pretty well, but I'll try to fill in some more.

By being able to query for all records from the DNS server, the attacker can easily determine which machines are accessible. The zone transfer may reveal network elements that are accessible from the Internet, but that a search engine like Google (site:.target.) does not pick up. Lesson here is that you don't want to let the bad guys have the information for free! They should have to work as hard as possible for it...

An interesting fact about DNS zone transfers is that they usually rely on TCP port 53 instead of UDP port 53. If you see TCP port 53 in use, it could tell you that someone is doing a zone transfer.

To actually complete a zone transfer on a vulnerable DNS server you could issue these commands:

Windows:

```text
nslookup
> server <DNS you are querying>
> set type=any
> ls -d <target>
```

Unix (nslookup is deprecated on Unix):

```sh
dig axfr @<DNS you are querying> <target>
```

DigiNinja has a very good tutorial/explanation on how zone transfers work and why they should be restricted. Check out zonetransfer.me.

GypsyCosmonaut
Chris Dale
  • Hmm, am I doing this wrongly? nslookup on Windows `ls -d [x].[x].[x].[x]`: *The DNS server refused to transfer the zone [x].[x].[x].[x] to your computer. If this is incorrect, check the zone transfer security settings for [x].[x].[x].[x] on the DNS server at IP address 8.8.8.8.* .... – Pacerier Feb 16 '16 at 17:06
  • @pacerier this means that zone transferring is locked down to a limited set of IP addresses, most likely DNS servers. – Chris Dale Feb 16 '16 at 17:08
  • Many DNS servers nowadays also support queries over TCP on port 53, either for larger responses or for DNSSEC. https://serverfault.com/questions/181956/is-it-true-that-a-nameserver-have-to-answer-queries-over-tcp – Jay Aug 25 '18 at 23:52
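The second answer suggests watching for TCP port 53 as a sign of a zone transfer, and the last comment points out that TCP 53 also carries ordinary large or DNSSEC answers; the authoritative server's own transfer log is the more precise place to look. The following Python script is an added example, not code from the question, the answers or any commenter: it audits BIND-style xfer-out and security log lines against a list of known secondaries and flags completed transfers to anyone else. The secondary addresses and the log lines are constructed for the example.

```python
import ipaddress
import re

# Addresses of the legitimate secondaries (hypothetical values for this example).
ALLOWED_SECONDARIES = {ipaddress.ip_address(a) for a in ("198.51.100.2", "198.51.100.3")}

# Matches BIND 9 "xfer-out"/"security" lines about outbound transfers; the "@0x..." client handle is optional.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"(?:transfer of '(?P<zone>[^']+)': (?P<kind>AXFR|IXFR) (?P<state>started|ended)"
    r"|zone transfer '(?P<dzone>[^']+)' denied)"
)

def parse_line(line):
    """Return (ip, zone, event) for a transfer log line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ip = ipaddress.ip_address(m.group("ip"))
    if m.group("dzone"):
        return ip, m.group("dzone").split("/")[0], "denied"
    return ip, m.group("zone").split("/")[0], f"{m.group('kind')} {m.group('state')}"

def audit_transfers(log_lines, allowed=ALLOWED_SECONDARIES):
    """Bucket transfer events: expected secondaries, refused requests, and completed
    transfers to hosts that are not known secondaries (the finding to alert on)."""
    report = {"authorized": [], "denied": [], "unauthorized": []}
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, zone, event = parsed
        if event == "denied":
            report["denied"].append((str(ip), zone))  # the restriction held
        elif event.endswith("started"):
            bucket = "authorized" if ip in allowed else "unauthorized"
            report[bucket].append((str(ip), zone))
    return report

# Constructed sample lines in the style of BIND's xfer-out / security logging.
SAMPLE_LOG = """\
15-Feb-2016 17:05:01.123 xfer-out: info: client 198.51.100.2#51000 (example.com): transfer of 'example.com/IN': IXFR started
15-Feb-2016 17:06:10.001 xfer-out: info: client 203.0.113.7#40123 (example.com): transfer of 'example.com/IN': AXFR started
15-Feb-2016 17:07:00.000 security: error: client 203.0.113.9#33333 (example.com): zone transfer 'example.com/AXFR/IN' denied
"""

if __name__ == "__main__":
    for bucket, events in audit_transfers(SAMPLE_LOG.splitlines()).items():
        print(f"{bucket}: {events}")
```

A denied entry means the allow-transfer restriction did its job; an unauthorized entry means a full copy of the zone left the server and should be treated as a data exposure.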