What is Misconfigured DNS – Zone Transfer Vulnerability?

According to US-CERT, misconfigured DNS servers may be leaking information about domains’ internal network structure, which might be beneficial for other targeted attacks.

Any unauthenticated remote user can ask a public-facing DNS server for a zone transfer. If the server is not configured to restrict transfers, it answers with a complete copy of the zone, disclosing every hostname and address in it and with them the internal network structure and possibly other sensitive information.

AXFR is the DNS operation for zone transfers, the mechanism by which a zone's records are replicated from a primary name server to its secondaries (US-CERT describes it in the same advisory). Unlike a standard DNS query, which requires the client to already know the name it is asking about, a single AXFR request returns every record in the zone and so exposes all subdomains at once. Because the whole zone comes back from one TCP query, an attacker can retrieve the DNS data trivially.

“A well-known issue with DNS is that zone transfer requests might reveal domain information,” the organization cautioned. “However, the issue has resurfaced as a result of recent Internet searches revealing a high number of misconfigured DNS servers. There are now open-source, proven programs available to scan for potential vulnerability, increasing the risk of exploitation.”

How To Initiate a DNS Zone Transfer

To issue an AXFR request the way a secondary server would, use the dig commands below, where zonetransfer.me is the domain whose zone we want to transfer. First, obtain the list of the domain's authoritative name servers:

$ dig +short ns zonetransfer.me
nsztm1.digi.ninja.
nsztm2.digi.ninja.

Now we can send an AXFR request to one of those servers (here the first one) to obtain a copy of the zone. Repeat the request against every server returned by the NS query: each server enforces its own transfer policy, so a secondary may hand out the zone even when the primary refuses. A correctly configured server prints "; Transfer failed." instead of the records.

$ dig axfr zonetransfer.me @nsztm1.digi.ninja.
; <<>> DiG 9.8.3-P1 <<>> axfr zonetransfer.me @nsztm1.digi.ninja.
;; global options: +cmd
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2017042001 172800 900 1209600 3600
(...)
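As an added example, not code from the original article, here is a small Python helper that does the analysis a tester otherwise performs by eye on the dig output above: it parses dig's AXFR listing, distinguishes an allowed transfer from a refused one, lists the names the zone discloses and flags records that resolve to private (RFC 1918 or IPv6 ULA) addresses. The zone corp.example with its hosts and addresses is constructed sample data; run_dig_axfr() wraps the real dig command for a live check and is the only part that needs a network.

```python
"""Added example (not from the original article): what an open AXFR gives
away. Parses the text `dig axfr` prints, decides whether the transfer was
allowed, lists owner names and flags records pointing into private space.
Zone corp.example and its records below are constructed for the demo."""
import ipaddress
import re
import subprocess
from dataclasses import dataclass

# One resource record as dig prints it:  owner  ttl  IN  type  rdata
_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

# Blocks whose presence in a public zone reveals internal layout. Not
# ipaddress.is_private(): that also flags the TEST-NET ranges used below.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

@dataclass(frozen=True)
class Record:
    owner: str
    ttl: int
    rtype: str
    rdata: str

def transfer_allowed(dig_output: str) -> bool:
    """dig marks a refused AXFR with '; Transfer failed.', a completed one with ';; XFR size:'."""
    return ("; Transfer failed." not in dig_output
            and ";; XFR size:" in dig_output)

def parse_axfr(dig_output: str) -> list[Record]:
    """Turn dig's listing into Record objects; ';' comment lines are skipped."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _RR.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append(Record(owner, int(ttl), rtype, rdata.strip()))
    return records

def owner_names(records: list[Record]) -> list[str]:
    """Distinct owner names, first-seen order: the host inventory an attacker
    is after. The SOA is sent twice (start and end of the transfer), so dedupe."""
    seen: list[str] = []
    for r in records:
        if r.owner not in seen:
            seen.append(r.owner)
    return seen

def internal_addresses(records: list[Record]) -> list[tuple[str, str]]:
    """(owner, address) pairs for A/AAAA records that fall in an internal block."""
    leaks = []
    for r in records:
        if r.rtype not in ("A", "AAAA"):
            continue
        try:
            ip = ipaddress.ip_address(r.rdata)
        except ValueError:
            continue  # not a bare address; ignore
        if any(ip in net for net in _INTERNAL_NETS):
            leaks.append((r.owner, r.rdata))
    return leaks

def report(dig_output: str) -> dict:
    """Summary of one server's response, in the shape a scanner would log."""
    if not transfer_allowed(dig_output):
        return {"open": False}
    recs = parse_axfr(dig_output)
    return {"open": True, "records": len(recs),
            "names": owner_names(recs), "internal": internal_addresses(recs)}

def run_dig_axfr(zone: str, nameserver: str) -> str:
    """Live check of one authoritative server (zones you are authorised to test)."""
    proc = subprocess.run(
        ["dig", "+time=5", "+tries=1", "axfr", zone, f"@{nameserver}"],
        capture_output=True, text=True, timeout=30, check=False)
    return proc.stdout

# Constructed dig output: one server that leaks the zone, one that refuses.
SAMPLE_OPEN = """\
; <<>> DiG 9.18.1 <<>> axfr corp.example @ns1.corp.example
;; global options: +cmd
corp.example.\t7200\tIN\tSOA\tns1.corp.example. hostmaster.corp.example. 2024010101 172800 900 1209600 3600
corp.example.\t7200\tIN\tNS\tns1.corp.example.
corp.example.\t7200\tIN\tNS\tns2.corp.example.
www.corp.example.\t300\tIN\tA\t203.0.113.10
vpn.corp.example.\t300\tIN\tA\t198.51.100.7
intranet.corp.example.\t300\tIN\tA\t10.20.30.40
backup-db.corp.example.\t300\tIN\tA\t192.168.1.20
ns1.corp.example.\t7200\tIN\tA\t203.0.113.53
corp.example.\t7200\tIN\tSOA\tns1.corp.example. hostmaster.corp.example. 2024010101 172800 900 1209600 3600
;; XFR size: 9 records (messages 1, bytes 410)
"""
SAMPLE_REFUSED = """\
; <<>> DiG 9.18.1 <<>> axfr corp.example @ns2.corp.example
;; global options: +cmd
; Transfer failed.
"""

if __name__ == "__main__":
    for server, out in (("ns1", SAMPLE_OPEN), ("ns2", SAMPLE_REFUSED)):
        print(server, report(out))
```

Against a live target, `report(run_dig_axfr("zonetransfer.me", "nsztm1.digi.ninja."))` produces the same summary; call it once per server from the NS query rather than stopping at the first answer, since the interesting finding is usually the one secondary that nobody locked down.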

To prevent this, configure the server to accept zone transfers only from its own secondaries, either by source address or, better, by requiring requests to be signed with a TSIG key, which authenticates the requester rather than the address it happens to send from. The following BIND example restricts transfers of one zone to two secondaries by IP address.

# /etc/named.conf
// Addresses of the secondaries that are allowed to pull this zone.
acl trusted-nameservers {
  192.168.0.10; //ns2
  192.168.1.20; //ns3
};
zone "zonetransfer.me" {
  type master;
  file "zones/zonetransfer.me";
  // Only members of the ACL may request AXFR/IXFR for this zone; everyone
  // else gets REFUSED. A per-zone allow-transfer overrides the global one.
  allow-transfer { trusted-nameservers; };
};
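As an added example that is not from the original article, the fragments below tighten the same setup in two ways: a global default-deny in options, so a zone that forgets its own allow-transfer is not left open, and a TSIG key, so the primary authenticates the requester by a shared secret instead of by source address. The key name xfer-key, the primary's address 192.168.0.1, the secondary's zone file name and the include path are assumptions; 192.168.0.10 is ns2 from the ACL above; the secret is whatever tsig-keygen prints.

```conf
// Generate once with `tsig-keygen xfer-key` and install the identical key
// clause on the primary and on every secondary (assumed path below).
// /etc/named/xfer-key.conf
key "xfer-key" {
  algorithm hmac-sha256;
  secret "<base64 output of tsig-keygen>";
};

// ---- primary (ns1), /etc/named.conf ----
options {
  // Default-deny for every zone; a zone must opt in explicitly.
  allow-transfer { none; };
};
include "/etc/named/xfer-key.conf";
zone "zonetransfer.me" {
  type master;
  file "zones/zonetransfer.me";
  // Transfers must carry a valid TSIG signature with this key; the source
  // address no longer decides. An unsigned request is REFUSED.
  allow-transfer { key "xfer-key"; };
};

// ---- secondary (ns2, 192.168.0.10), /etc/named.conf ----
include "/etc/named/xfer-key.conf";
// Sign everything sent to the primary (SOA refresh, AXFR/IXFR) with the key.
server 192.168.0.1 {
  keys { "xfer-key"; };
};
zone "zonetransfer.me" {
  type slave;
  masters { 192.168.0.1; };
  file "zones/zonetransfer.me.db";
};
```

After reloading, an unsigned `dig axfr zonetransfer.me @ns1` from anywhere should print "; Transfer failed.", while `dig -y hmac-sha256:xfer-key:<secret> axfr zonetransfer.me @ns1` still returns the zone, which is the check worth adding to the secondary's monitoring so a broken key does not go unnoticed until the zone expires.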

The ZOFixer.com security scan helps find this vulnerability in your software and servers; you can use it by registering on our website and activating the 30-day trial.
