What is Misconfigured DNS - Zone Transfer Vulnerability?

According to US-CERT, misconfigured DNS servers may be leaking information about domains’ internal network structure, which might be beneficial for other targeted attacks.

Unauthenticated remote users can request a DNS zone transfer from a public-facing DNS server. If the DNS server is incorrectly configured, it may respond with information about the requested zone, disclosing internal network structure and possibly sensitive information.

AXFR is a protocol for “zone transfers” for DNS data replication over different DNS servers, according to US-CERT. AXFR inquiries expose subdomain names, as opposed to standard DNS queries, which need the user to know certain DNS information ahead of time. Because a zone transfer is a single query, an attacker might exploit it to easily retrieve DNS data.

“A well-known issue with DNS is that zone transfer requests might reveal domain information,” the organization cautioned. “However, the issue has resurfaced as a result of recent Internet searches revealing a high number of misconfigured DNS servers.” There are now open-source, proven programs available to scan for potential vulnerability, increasing the risk of exploitation.”

How To Initiate a DNS Zone Transfer

To launch an AXFR zone-transfer request from a secondary server, use the dig instructions below, where zonetransfer.me is the domain for which we wish to conduct a zone transfer. First, we must obtain a list of the domain’s DNS servers:

$ dig +short ns zonetransfer.me
nsztm1.digi.ninja.
nsztm2.digi.ninja.

Now we can send an AXFR request to the main server to obtain a copy of the zone:

$ dig axfr zonetransfer.me @nsztm1.digi.ninja.
; <<>> DiG 9.8.3-P1 <<>> axfr zonetransfer.me @nsztm1.digi.ninja. 
;; global options: +cmd zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2017042001 172800 900 1209600 3600 
(...)

To avoid this issue, the DNS server should be configured to only accept zone transfers from trustworthy IP addresses. The following is an example of how to do this with the BIND DNS server.

# /etc/named.conf 
acl trusted-nameservers {
  192.168.0.10; //ns2 
  192.168.1.20; //ns3 
}; 
zone zonetransfer.me { 
  type master; 
  file "zones/zonetransfer.me"; 
  allow-transfer { trusted-nameservers; };
};

ZOFixer.com security scan helps to find this vulnerability in your software and server, you can easily use it by registering on our website and activating the 30-day trial.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

What is Misconfigured DNS – Zone Transfer Vulnerability?

Leave a Comment Cancel Reply

Related Posts

Leave a Comment Cancel Reply