Check Your DNS Zone Transfer Status

The DNS service is a very low-maintenance service: it is configured easily and runs with almost no intervention, especially on Windows DNS servers. The downside of such ease of use is that the DNS server is often forgotten by the administrators, and its security can be lacking.

The easiest attack that can be performed against a DNS server is a Zone Transfer. A Zone Transfer, also known as AXFR, is the method by which primary and secondary DNS servers share updates about the domains for which they are authoritative.

Because the zone transfer is a standard DNS function, it can be requested by any system that speaks the DNS protocol. This includes tools such as nslookup and dig, which are available on practically every operating system.

A standard security measure is to configure the DNS servers to refuse zone transfer requests except from specified IP addresses (usually only the secondary DNS servers).

Here are the risks of leaving Zone Transfers unrestricted:

Data Exposure

Even though querying individual DNS records is fully legitimate and necessary, an attacker who obtains a copy of the entire DNS zone for a domain has a complete listing of every registered host in that domain. This makes it easy to identify possible target machines and their IP addresses.

Denial of service

Unlike standard DNS queries, which are transported in UDP packets, a Zone Transfer requires a TCP connection. A TCP connection puts a much higher load on the server than a UDP request.
An attacker can write a program that issues many simultaneous Zone Transfer requests to a DNS server, making it slow and unresponsive. The primary effect of this attack is to disrupt normal requests and prevent regular users from resolving the hostnames they need.

How to check
It is very easy to check whether your DNS server allows Zone Transfers. Start a command prompt and run the program nslookup. At the nslookup prompt, type ls -d <domain> (replace <domain> with the name of your domain). Note that the ls command exists in the Windows nslookup; on other systems, dig can request the axfr record type for the same check.
  • If you get a response like "Query refused" or "Can't list domain", you are ok.
  • If you instead get a list of hostnames, take measures to limit Zone Transfers immediately.
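The same check at the wire level, as an added example that is not part of the original post: the script below builds the AXFR query that nslookup's ls -d sends (record type 252 over a TCP connection with the 2-byte length prefix the protocol requires), reads the first reply and classifies it from the header. The server address and zone name are supplied by the admin running it; the sample replies produced by constructed_response are constructed for offline testing and do not come from any real server.

```python
import socket
import struct

# Record type 252 is AXFR (full zone transfer); class 1 is IN.
QTYPE_AXFR = 252
QCLASS_IN = 1

# Response codes from the DNS header. REFUSED (5) is the usual answer from a
# server that restricts transfers, NOTAUTH (9) when it is not authoritative.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Encode a dotted domain name in DNS wire format (length-prefixed labels)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("invalid label in %r" % name)
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)  # the empty root label terminates the name
    return bytes(out)


def build_axfr_query(zone, txid=0x1234):
    """Build one AXFR query, framed with the 2-byte length prefix TCP requires."""
    # Header: ID, flags (all zero: standard query, no recursion), QDCOUNT=1.
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    message = header + question
    return struct.pack("!H", len(message)) + message


def parse_response(message):
    """Return (rcode name, answer count) from a DNS message without the length prefix."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than a header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode), ancount


def classify(message):
    """Map the first AXFR reply to a verdict for the admin."""
    rcode, ancount = parse_response(message)
    if rcode == "NOERROR" and ancount > 0:
        # The zone's first record (the SOA) came back: transfers are open.
        return "TRANSFER ALLOWED"
    return "refused (%s)" % rcode


def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return bytes(buf)


def probe_zone_transfer(server, zone, timeout=5.0):
    """Send an AXFR for `zone` to `server` over TCP and classify the first reply."""
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(build_axfr_query(zone))
        (length,) = struct.unpack("!H", recv_exact(sock, 2))
        return classify(recv_exact(sock, length))


def constructed_response(zone, rcode, ancount):
    """Constructed sample reply (header plus echoed question) for offline testing."""
    flags = 0x8000 | rcode  # QR bit set and the given RCODE; no real server involved
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


if __name__ == "__main__":
    import sys
    # Usage: python axfr_check.py <dns-server-ip> <zone>
    print(probe_zone_transfer(sys.argv[1], sys.argv[2]))
```

Only the first reply is read: a full transfer may span several DNS messages, but the header of the first one (RCODE and answer count) is enough to tell a refusal from an open zone. Run it against each of your own name servers from a host that is not on their transfer list; anything other than a refusal means the restriction from the previous section is missing.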

Talkback and comments are most welcome
