Digging DNS with a Zone Transfer

A zone transfer requested from an external IP address is a common step in an attacker's reconnaissance phase. Normally a zone transfer is a routine operation between primary and secondary DNS servers, used to synchronise the records for a domain. It is not something you want to be externally accessible: if an attacker can pull all of your DNS records, they can use them to select targets for exploitation.

Whether an attacker or a penetration tester, they will attempt to map the footprint of the organization in order to find weaknesses to exploit. The information collected is usually host names, IP addresses and IP network blocks related to the targeted organization. A successful zone transfer makes this mapping much easier.

Enter the target domain, such as example.com. The dig DNS tool, available on *nix based platforms, is first used to enumerate all the authoritative name servers for the domain. Each name server is then checked remotely for a zone transfer of the target domain. It is often the case that, even though the primary name server blocks zone transfers, a secondary or tertiary server is not configured to block them, hence the check of every name server.

The dig command is executed as follows against each name server to attempt the zone transfer.

dig axfr example.com @ns1.example.com
dig axfr example.com @ns2.example.com
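The procedure above, enumerating the NS records and trying AXFR against each, as an added POSIX shell script that is not part of the original article. It assumes dig is installed and that the domain being checked is one you administer (or zonetransfer.me, the test domain mentioned below); the function and variable names are this example's own. A transfer is judged successful only when the reply contains an SOA record and no "Transfer failed." marker, so a refused or unreachable server is reported as "ok".

```shell
#!/bin/sh
# Added example (not from the original article): audit which of a domain's
# authoritative name servers answer an AXFR request from this host.

# Decide from captured dig output whether a zone was actually transferred.
# Returns 0 when an SOA record is present and dig did not print
# "Transfer failed.", 1 otherwise.
axfr_succeeded() {
    out="$1"
    case "$out" in
        *"Transfer failed."*) return 1 ;;
    esac
    printf '%s\n' "$out" | grep -Eq '[[:space:]]IN[[:space:]]+SOA[[:space:]]'
}

# Count resource records in a captured transfer: every line that is neither
# empty nor a dig comment (lines starting with ';').
axfr_record_count() {
    printf '%s\n' "$1" | grep -Evc '^[[:space:]]*(;|$)'
}

# Enumerate the NS records for a domain and attempt AXFR against each one.
# Exit status 0 means no server allowed the transfer, 1 means at least one did,
# 2 means no NS records were found.
check_zone_transfer() {
    domain="$1"
    servers=$(dig +short NS "$domain" | sed 's/\.$//')
    if [ -z "$servers" ]; then
        echo "no NS records found for $domain"
        return 2
    fi
    exposed=0
    for ns in $servers; do
        out=$(dig axfr "$domain" "@$ns" +time=5 +tries=1 2>&1)
        if axfr_succeeded "$out"; then
            echo "EXPOSED: $ns allows AXFR of $domain ($(axfr_record_count "$out") records)"
            exposed=$((exposed + 1))
        else
            echo "ok:      $ns refused AXFR of $domain"
        fi
    done
    [ "$exposed" -eq 0 ]
}

# Usage: sh zonecheck.sh zonetransfer.me
if [ $# -eq 1 ]; then
    check_zone_transfer "$1"
fi
```

Run it against your own zones from outside your network; any line marked EXPOSED identifies a server whose allow-transfer policy needs to be restricted to your secondaries.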

For more information, or for a domain that legitimately permits transfers so you can test, head over to zonetransfer.me. DigiNinja, a well known security researcher, has made the domain zonetransfer.me available for testing and learning, so you can try the online zone transfer tool against a domain deliberately configured to allow zone transfers.