DNS Zone Transfer

Introduction

A DNS zone transfer is a process in which a DNS server (usually a secondary server) requests a copy of the DNS zone data from a primary DNS server. This data includes the DNS records (such as A, MX, CNAME, etc.) for a domain. The zone transfer is intended for redundancy, allowing secondary servers to maintain up-to-date DNS records.

If misconfigured, a zone transfer can be exploited by attackers to retrieve sensitive information about all the DNS records of a domain, including subdomains and internal infrastructure details.

The Zone Transfer Vulnerability

While zone transfers are essential for legitimate DNS management, a misconfigured DNS server can transform this process into a significant security vulnerability. The core issue lies in the access controls governing who can initiate a zone transfer.

Exploitation

You can use the dig command to request a zone transfer:

dig axfr @nsztm1.digi.ninja example.com

This command instructs dig to request a full zone transfer (axfr) from the DNS server responsible for example.com.

The @nsztm1.digi.ninja argument names the DNS server from which you are requesting the zone transfer; this is the host listed in the domain's NS record, so you can find it with a normal NS lookup for the domain.

For further methodologies: Hacktricks

Remediation

DNS servers should be configured to allow zone transfers only to trusted secondary servers, ensuring that sensitive zone data remains confidential.
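The BIND named.conf fragment below is an added example (not from the original page) showing the weak setting that lets any client pull the zone next to a hardened one that only serves transfers to a secondary that signs its request with a shared TSIG key. The zone name example.com, the addresses 192.0.2.1 and 192.0.2.53, the key name and the secret are assumed placeholders; the syntax assumes BIND 9.16 or later.

```conf
// --- Weak (do not use): any host on the Internet can issue AXFR ---
zone "example.com" {
    type primary;
    file "/etc/bind/db.example.com";
    allow-transfer { any; };
};

// --- Hardened primary (192.0.2.1) ---
// Shared secret for authenticating the secondary. Generate a real one with
// "tsig-keygen -a hmac-sha256 xfer-key"; the value below is a placeholder.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_REPLACE_ME";
};

zone "example.com" {
    type primary;
    file "/etc/bind/db.example.com";
    // Only requests signed with xfer-key may transfer the zone;
    // unsigned AXFR requests, including "dig axfr", are refused.
    allow-transfer { key "xfer-key"; };
    // Tell the secondary when the zone changes so it pulls promptly.
    also-notify { 192.0.2.53; };
};

// --- Matching secondary (192.0.2.53) ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_REPLACE_ME";   // same secret as on the primary
};

zone "example.com" {
    type secondary;
    file "/var/cache/bind/db.example.com";
    // Sign every transfer request to the primary with the shared key.
    primaries { 192.0.2.1 key "xfer-key"; };
};
```

After reloading, an unsigned "dig axfr @192.0.2.1 example.com" should return "Transfer failed." while the secondary still synchronises the zone.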
