
DNS Zone Transfer

A deep dive into DNS Zone Transfer (AXFR) misconfiguration, how to exploit it during penetration tests, and how to secure against it.

#dns #penetration-testing #reconnaissance #axfr #bind9

# DNS Zone Transfer: A Deep Dive into a Critical Misconfiguration

## Introduction

DNS (Domain Name System) plays a fundamental role in how the internet functions, translating domain names into IP addresses. However, misconfigured DNS servers can expose critical information that attackers can exploit. One such misconfiguration is an unrestricted DNS Zone Transfer (AXFR), which leaks the entire contents of a zone.

## What is a DNS Zone Transfer?

A DNS Zone Transfer (AXFR) is a mechanism used by DNS servers to synchronize domain name records between primary (master) and secondary (slave) name servers.

#### How It Works (Normal Use Case)

1. The secondary DNS server requests a zone transfer from the primary DNS server.
2. The primary DNS server checks whether the requesting server is authorized.
3. If authorized, the primary DNS server sends a full copy of the DNS zone file.
4. The secondary DNS server updates its records.

#### What Happens When Misconfigured?

If the primary DNS server does not restrict zone transfers, anyone on the internet can request a full zone transfer and obtain all subdomains, IP addresses, mail servers, and other DNS entries.

## Why is a Successful Zone Transfer Dangerous?

  • šŸ” Reveals Internal Network Details
  • šŸ” Helps Attackers Find Hidden Subdomains
  • šŸ” Assists in Phishing Attacks
  • šŸ” Aids in Exploiting Vulnerabilities

## How to Perform a DNS Zone Transfer

#### 1. Using dig

```bash
dig axfr @ns1.example.com example.com
```

#### 2. Using host

```bash
host -l example.com ns1.example.com
```

#### 3. Using dnsrecon

```bash
dnsrecon -d example.com -t axfr
```

#### 4. Using fierce

```bash
fierce --domain example.com --axfr
```
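All four tools above do the same thing on the wire: open a TCP connection to port 53, send a query of type AXFR (QTYPE 252) and read the stream of records that comes back. The following script is an added example (not from this article and not part of dig, host, dnsrecon or fierce) that does this with only the Python standard library, so you can audit your own zones without extra tooling. The name server and zone come from the command line; `SAMPLE_REPLY` is a constructed response for `example.com`, not captured from any real server, so the parser can be exercised offline.

```python
"""Audit whether a name server answers AXFR for a zone, using only the stdlib."""
import socket
import struct
import sys

AXFR, CLASS_IN = 252, 1                      # QTYPE for a full zone transfer, class IN
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}

def encode_name(name):
    """Dotted name -> uncompressed DNS label sequence."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """TCP-framed DNS message: 12-byte header plus one question of type AXFR."""
    msg = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)        # flags 0 = plain query
    msg += encode_name(zone) + struct.pack("!HH", AXFR, CLASS_IN)
    return struct.pack("!H", len(msg)) + msg                  # length prefix: AXFR is TCP-only

def decode_name(msg, off):
    """Read a (possibly compressed) name at off; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    for _ in range(128):                       # caps pointer chains, stops pointer loops
        length = msg[off]
        if length & 0xC0 == 0xC0:              # two-byte compression pointer
            if not jumped:
                end, jumped = off + 2, True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    raise ValueError("name too long or pointer loop")

def parse_answers(msg):
    """Yield (owner, type, rdata) for every answer RR; raise on a non-zero RCODE."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0xF:                            # RCODE 5 (REFUSED) is the healthy reply
        raise PermissionError("rcode %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                        # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield owner, TYPE_NAMES.get(rtype, str(rtype)), msg[off:off + rdlen]
        off += rdlen

def read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:                          # some servers simply close on unauthorized AXFR
            raise ConnectionError("connection closed mid-transfer")
        buf += chunk
    return buf

def axfr(ns_host, zone, timeout=5.0):
    """Collect every RR the server sends; a transfer is bracketed by two SOA records."""
    records, soa_seen = [], 0
    with socket.create_connection((ns_host, 53), timeout=timeout) as s:
        s.sendall(build_axfr_query(zone))
        while soa_seen < 2:
            (length,) = struct.unpack("!H", read_exact(s, 2))
            for rr in parse_answers(read_exact(s, length)):
                records.append(rr)
                if rr[1] == "SOA":
                    soa_seen += 1
    return records

# Constructed reply (not captured from any real server): SOA, A, SOA for example.com,
# with owner names compressed to the question at offset 12, so the parser runs offline.
_SOA = (b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 3600, 39)
        + b"\x03ns1\xc0\x0c\x0ahostmaster\xc0\x0c"
        + struct.pack("!IIIII", 2024010101, 7200, 900, 1209600, 3600))
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0)
                + encode_name("example.com") + struct.pack("!HH", AXFR, CLASS_IN)
                + _SOA
                + b"\x03www\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
                + _SOA)

if __name__ == "__main__":                     # usage: python axfr_audit.py ns1.example.com example.com
    ns, zone = sys.argv[1], sys.argv[2]
    try:
        rrs = axfr(ns, zone)
        print("OPEN: %s served %d records for %s" % (ns, len(rrs), zone))
    except (PermissionError, ConnectionError, socket.timeout) as e:
        print("OK: %s did not hand over %s (%s)" % (ns, zone, e))
```

Run it once per authoritative name server of the zone (the `NS` records), not only against `ns1`: a zone is only as tight as its most permissive server. A healthy result is RCODE 5 (REFUSED), RCODE 9 (NOTAUTH) or a closed connection; an `OPEN` line means the `allow-transfer` configuration on that server needs the fix described below.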

## How to Protect Against Unauthorized Zone Transfers

  • ✅ Restrict zone transfers to authorized secondary DNS servers only
  • ✅ Use firewalls to block unauthorized AXFR requests
  • ✅ Monitor DNS logs for unauthorized zone transfer attempts
  • ✅ Use split DNS for internal and external queries
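The monitoring item is easy to state and rarely done. The script below is an added example (not from this article) of what "monitor DNS logs" looks like in practice for BIND 9: it compares transfer events against the same allow-list used in `allow-transfer` and separates three cases that need different responses. The log lines are constructed, modelled on the message shapes of BIND 9's `security` category (refused transfers) and `xfer-out` category (transfers that actually ran); exact prefixes vary between versions and logging channels, so check `LINE_RE` against your own server's output. The peer list and addresses are assumptions for illustration.

```python
"""Flag zone-transfer activity in BIND 9 logs against the allow-transfer list."""
import re
from collections import Counter

# Peers permitted to pull each zone; keep in sync with allow-transfer (assumed values).
ALLOWED_SECONDARIES = {"example.com": {"192.168.1.10", "192.168.1.11"}}
PROBE_THRESHOLD = 3     # refused attempts from one source before we call it probing

# Matches both "zone transfer '<zone>/AXFR/IN' denied" and "transfer of '<zone>/IN': AXFR started".
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<zone>[^)]+)\): "
    r"(?:zone transfer '[^']+' (?P<denied>denied)"
    r"|transfer of '[^']+': AXFR (?P<started>started))"
)

def classify(line, allowed=ALLOWED_SECONDARIES):
    """Return (kind, zone, ip) for a transfer-related line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    zone, ip = m["zone"], m["ip"]
    if m["denied"]:
        return ("denied", zone, ip)          # ACL held; still worth counting per source
    if ip in allowed.get(zone, set()):
        return ("expected", zone, ip)        # normal primary -> secondary synchronisation
    return ("unauthorized", zone, ip)        # the whole zone went to an unknown host

def summarize(lines, allowed=ALLOWED_SECONDARIES, threshold=PROBE_THRESHOLD):
    """Aggregate events: who pulled the zone, who was refused, who is probing."""
    out = {"expected": [], "unauthorized": [], "denied_by_source": Counter()}
    for line in lines:
        event = classify(line, allowed)
        if event is None:
            continue
        kind, zone, ip = event
        if kind == "denied":
            out["denied_by_source"][ip] += 1
        else:
            out[kind].append((zone, ip))
    out["probing"] = sorted(ip for ip, n in out["denied_by_source"].items() if n >= threshold)
    return out

# Constructed sample log (not real server output): one legitimate transfer, three refused
# attempts from one source, and one transfer that completed to a host not in the allow-list.
SAMPLE_LOG = [
    "17-Mar-2025 10:15:02.101 xfer-out: info: client @0x7f3a1c0 192.168.1.10#43123 (example.com): transfer of 'example.com/IN': AXFR started (serial 2025031701)",
    "17-Mar-2025 10:15:02.140 xfer-out: info: client @0x7f3a1c0 192.168.1.10#43123 (example.com): transfer of 'example.com/IN': AXFR ended",
    "17-Mar-2025 10:22:47.512 security: info: client @0x7f3a2e8 203.0.113.5#51234 (example.com): zone transfer 'example.com/AXFR/IN' denied",
    "17-Mar-2025 10:22:48.003 security: info: client @0x7f3a2e8 203.0.113.5#51235 (example.com): zone transfer 'example.com/AXFR/IN' denied",
    "17-Mar-2025 10:22:48.517 security: info: client @0x7f3a2e8 203.0.113.5#51236 (example.com): zone transfer 'example.com/AXFR/IN' denied",
    "17-Mar-2025 11:03:19.880 xfer-out: info: client @0x7f3a4f0 198.51.100.77#60002 (example.com): transfer of 'example.com/IN': AXFR started (serial 2025031701)",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for zone, ip in report["unauthorized"]:
        print("CRITICAL: %s was transferred to non-secondary %s; review allow-transfer" % (zone, ip))
    for ip in report["probing"]:
        print("WARNING: %s refused %d times; AXFR reconnaissance" % (ip, report["denied_by_source"][ip]))
    print("expected transfers: %s" % report["expected"])
```

The "unauthorized" case is the one that matters most: a completed transfer to a host outside the allow-list means the ACL is wrong or the peer list is stale, and the zone contents should be treated as disclosed. Repeated refusals from one source are reconnaissance that the configuration already withstood; they are useful as an early-warning signal rather than an incident.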

#### Configuring Bind9

```conf
options {
    allow-transfer { none; };
};
```

Or restrict to specific servers:

```conf
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.168.1.10; 192.168.1.11; };
};
```

## Key Takeaways

  • Zone transfers should be restricted to authorized secondary DNS servers.
  • Pentesters use dig, host, dnsrecon, fierce, and other tools to check for this misconfiguration.
  • Proper firewall rules, logging, and DNS hardening mitigate this risk.