Let’s start by discussing Zone Transfer security in this post.
For those who are not familiar with DNS Zone Transfer, it is the process by which one DNS server hands a complete copy of the DNS records for its network segment (its zone) to another DNS server.
The DNS servers that answer queries for a particular zone are divided into a Master DNS Server and one or more Slave DNS Servers.
Zone Transfer Attack
A basic attack on DNS Zone Transfer may be considered harmless by some organizations, because the attack pattern simply asks the master for a copy of the DNS records, the same way a Slave DNS Server would. DNS is an old-school Internet protocol, and the records it hands over give away the victim’s host names and IP addresses.
Even though a Zone Transfer attack may look like a fancy attack, it is still worth stopping, because the DNS zone can reveal sensitive details about your network. An attacker can also use the copy of the DNS server data for poisoning or spoofing attacks, which makes it useful to them.
Tools for DNS Zone Transfer
Nmap is a common tool used for penetration testing during the information gathering phase. A penetration tester can use nmap to verify DNS Zone Transfer with the scripts shown below:
The commands used here would be something like the following:
- nmap --script dns-check-zone --script-args dns-check-zone.domain=<domain> <nameserver>
- nmap --script dns-zone-transfer --script-args dns-zone-transfer.domain=<domain> -p 53 <nameserver>
DNSRecon can be used to enumerate DNS server information on the victim. The tool is a Python port of a Ruby script by Carlos Perez (darkoperator). As mentioned by Carlos Perez, the tool is meant to be used in the course of a security assessment or network troubleshooting.
DNSRecon provides the following functions to its users:
- Check all NS records for Zone Transfer and enumerate general DNS records: MX, SOA, NS, A, AAAA, SPF and TXT
- Check for wildcard resolution on any server and domain
- Perform PTR record lookups for a given IP range
There are a lot of commands that can be used with DNSRecon, but I would prefer using dnsrecon -d <domain> -t zonewalk
This tool is quite similar to DNSRecon; credit goes to Filip Waeytens and tixxDZ.
The best practice for Zone Transfer is to restrict it from the public. In addition, a network engineer can whitelist the authorized IP addresses of the master and slave servers so that only they can transfer the zone between each other.
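Once the transfer whitelist is in place, the defender’s side of this is to verify it. The following Python script is an added example, not part of the original post and not taken from nmap, DNSRecon or any other tool named here. It builds a raw AXFR request with the standard library only, sends it over TCP to a nameserver you administer, and classifies the first reply: REFUSED or NOTAUTH means the restriction is doing its job, NOERROR with an SOA as the first answer means the zone is being handed out. The two sample responses at the bottom are constructed so the classifier can be exercised offline; `example.com`, `ns1` and `hostmaster` are placeholder names.

```python
import socket
import struct

QTYPE_SOA = 6
QTYPE_AXFR = 252
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(domain):
    """Encode a domain as DNS wire-format labels: length byte + label, ending in a zero byte."""
    out = b""
    for label in domain.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(domain, txid=0x1234):
    """DNS message asking for a full zone transfer (QTYPE 252), without the TCP length prefix."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # standard query, QDCOUNT=1
    return header + encode_name(domain) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def skip_name(msg, offset):
    """Return the offset just past a (possibly compressed) name that starts at offset."""
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, and it ends the name
            return offset + 2
        if length == 0:             # root label
            return offset + 1
        offset += 1 + length


def classify_axfr_response(msg):
    """RESTRICTED: server said REFUSED/NOTAUTH, the transfer whitelist is working.
    EXPOSED: NOERROR with an SOA as first answer, i.e. the zone is being handed out.
    Anything else comes back as UNEXPECTED:<reason> for manual review."""
    if len(msg) < 12:
        return "UNEXPECTED:TRUNCATED"
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:          # QR bit clear: this is a query, not a response
        return "UNEXPECTED:NOT_A_RESPONSE"
    rcode = flags & 0x000F
    if rcode in (5, 9):
        return "RESTRICTED"
    if rcode != 0:
        return "UNEXPECTED:" + RCODE_NAMES.get(rcode, str(rcode))
    if ancount == 0:
        return "UNEXPECTED:NOERROR_EMPTY"
    offset = 12
    for _ in range(qdcount):                  # step over the echoed question section
        offset = skip_name(msg, offset) + 4   # QTYPE + QCLASS
    offset = skip_name(msg, offset)           # owner name of the first answer RR
    rr_type = struct.unpack("!H", msg[offset:offset + 2])[0]
    return "EXPOSED" if rr_type == QTYPE_SOA else "UNEXPECTED:FIRST_RR_TYPE_%d" % rr_type


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def check_zone_transfer(nameserver, domain, timeout=5.0):
    """Send one AXFR over TCP to a nameserver you administer and classify the first reply."""
    query = build_axfr_query(domain)
    with socket.create_connection((nameserver, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)   # TCP DNS: 2-byte length prefix
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return classify_axfr_response(_recv_exact(sock, length))


# Constructed sample replies (placeholder zone example.com) for the two cases an audit must tell apart.
def constructed_refused_response(domain="example.com"):
    flags = 0x8000 | 5                                        # QR=1, RCODE=REFUSED
    return (struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
            + encode_name(domain) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN))


def constructed_exposed_response(domain="example.com"):
    flags = 0x8000 | 0x0400                                   # QR=1, AA=1, RCODE=NOERROR
    question = encode_name(domain) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    # One SOA answer whose owner name is a pointer to offset 12 (the question name).
    rdata = (encode_name("ns1." + domain) + encode_name("hostmaster." + domain)
             + struct.pack("!IIIII", 1, 3600, 900, 604800, 300))
    soa = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0) + question + soa


if __name__ == "__main__":
    print("refused sample ->", classify_axfr_response(constructed_refused_response()))
    print("exposed sample ->", classify_axfr_response(constructed_exposed_response()))
```

Run `check_zone_transfer("ns1.example.com", "example.com")` against each of your own authoritative servers from an address that is not on the whitelist; RESTRICTED is the expected result everywhere, and an EXPOSED result on any server means its transfer restriction (on BIND, the allow-transfer option) has not been applied. The classifier deliberately stops at the first answer record: an AXFR stream opens with the zone’s SOA, so that single record is enough to prove exposure without pulling the whole zone.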