
DNS zone transfer vulnerability

Last Updated: Nov 08, 2017

DNS zone transfer is one of the mechanisms available to administrators for replicating a DNS zone database across a set of DNS servers. Replicating the zone to secondary servers prevents an unexpected failure of the primary DNS server from taking down the entire DNS service.

Description

In general, DNS zone transfers are only needed when there are secondary DNS servers in the network. However, many DNS servers are misconfigured to return the entire zone database to any client that requests it. As a result, untrusted Internet users can also perform DNS zone transfers.

Malicious users can quickly enumerate all hosts in a particular zone through DNS zone transfers, collect domain information, select attack targets, find unused IP addresses, and further bypass network-based access controls to steal information.

Fix

Note: Create a snapshot before performing the following operations.

As DNS zone transfer is commonly used, we recommend that you set strict limits on this function. For example, a primary DNS server should only allow its secondary DNS servers to perform zone transfers.

Add allow-transfer in the zone or options statement to limit which clients can request a transfer (a zone-level setting overrides the options-level one; the statement must end with a semicolon). For example:

  • Limit the clients allowed to perform zone transfers to specific IP addresses:

    allow-transfer { 1.1.1.1; 2.2.2.2; };

  • Require a TSIG key, so that only clients that sign the request with one of the named keys can transfer the zone:

    allow-transfer { key "dns1-slave1"; key "dns1-slave2"; };
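The following script is an added example for checking the fix above; it is not part of this page or of BIND itself. It parses a BIND-style named.conf, works out the effective allow-transfer policy of every zone (zone-level setting first, then the options-level setting), and reports zones that any client could transfer. The sample configuration embedded in it is constructed for the example: the options statement is the weak setting (`any`), two zones override it with an IP list and a TSIG key, and a third zone inherits the weak setting. The TSIG secret is a placeholder. Two assumptions are made: a zone with no allow-transfer anywhere is treated as open, which matches the historical BIND 9 default (check the documentation for your version), and allow-transfer set directly on a view statement is not modeled.

```python
"""Audit a BIND named.conf for zones whose allow-transfer policy is permissive."""
import re

# Constructed sample configuration (not from the page): options is permissive,
# two zones override it, and one zone inherits the permissive setting.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };
};

key "dns1-slave1" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";   // placeholder, not a real key
};

zone "example.test" IN {
    type master;
    file "example.test.zone";
    allow-transfer { 192.0.2.10; 192.0.2.11; };
};

zone "internal.test" IN {
    type master;
    file "internal.test.zone";
    allow-transfer { key "dns1-slave1"; };
};

zone "legacy.test" IN {
    type master;
    file "legacy.test.zone";
};
"""

ACL_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}")
OPEN_ACL = {"any", "0.0.0.0/0", "::/0"}


def strip_comments(text: str) -> str:
    """Remove /* */, // and # comments so they cannot hide or fake a directive."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def top_level_blocks(text: str) -> list:
    """Split text into (header, body) pairs, one per `header { body };` statement."""
    blocks, i = [], 0
    while True:
        start = text.find("{", i)
        if start == -1:
            return blocks
        header = text[i:start].split(";")[-1].strip()
        depth, j = 0, start
        while j < len(text):               # find the matching closing brace
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            if depth == 0:
                break
            j += 1
        blocks.append((header, text[start + 1:j]))
        i = j + 1


def classify(acl: str) -> str:
    """Classify an allow-transfer ACL body as 'open', 'closed' or 'restricted'."""
    items = [t.strip() for t in acl.split(";") if t.strip()]
    if not items or all(t == "none" for t in items):
        return "closed"            # `{ }` and `{ none; }` both deny every transfer
    if any(t in OPEN_ACL for t in items):
        return "open"              # anyone on the Internet can pull the zone
    return "restricted"            # specific addresses, named ACLs or TSIG keys


def audit_named_conf(conf: str) -> dict:
    """Map each zone name to (policy, where the policy was set)."""
    blocks = top_level_blocks(strip_comments(conf))
    options_acl = next((ACL_RE.search(b).group(1) for h, b in blocks
                        if h == "options" and ACL_RE.search(b)), None)
    results = {}

    def visit(blocks):
        for header, body in blocks:
            words = header.split()
            if not words:
                continue
            if words[0] == "zone":
                name = words[1].strip('"')
                m = ACL_RE.search(body)
                if m:
                    results[name] = (classify(m.group(1)), "zone")
                elif options_acl is not None:
                    results[name] = (classify(options_acl), "options")
                else:
                    # Assumption: no setting anywhere means the server's built-in
                    # default applies, which historically permits any client.
                    results[name] = ("open", "default")
            elif words[0] == "view":       # zones may be nested inside views
                visit(top_level_blocks(body))

    visit(blocks)
    return results


def open_zones(conf: str) -> list:
    """Names of zones that any client could transfer, sorted for stable output."""
    return sorted(z for z, (policy, _) in audit_named_conf(conf).items() if policy == "open")


if __name__ == "__main__":
    for zone, (policy, source) in audit_named_conf(SAMPLE_NAMED_CONF).items():
        print(f"{zone:20} {policy:10} (set in {source})")
    print("zones open to any client:", open_zones(SAMPLE_NAMED_CONF))
```

Run it against a real named.conf by passing the file contents to `open_zones`; on the constructed sample it reports only `legacy.test`, and changing the options statement to `allow-transfer { none; };` (the usual hardened default, with explicit per-zone lists for the secondaries) makes that list empty. Pair the audit with a transfer attempt from an address that is not on the list, which the server should refuse, to confirm the running configuration matches the file.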