Matt Schmidt Education, External Penetration Test, OSINT, Problems

DNS Zone Transfers: A Classic Risk Still Overlooked

What are DNS Zone Transfers?

While DNS zone transfers may seem like a relic of the past, they remain a relevant and potentially serious vulnerability in today’s cybersecurity landscape. Although many organizations addressed this issue decades ago, misconfigurations still occur, often due to legacy systems or oversight. As headlines have repeatedly shown, even widely known best practices can take years to be universally adopted.

For those unfamiliar, a DNS zone transfer is a legitimate process in which a portion of a primary DNS server‘s data, known as a “zone,” is replicated to a secondary DNS server. This is essential for redundancy and high availability. However, problems arise when the primary server is configured to allow zone transfers to any requesting host. Attackers can leverage this misconfiguration by using popular OSINT tools to expose a wealth of internal information, such as subdomains, IP addresses, and infrastructure naming conventions. When successful, a zone transfer can give adversaries a detailed map of your network, making it far easier to plan targeted attacks. Before diving into how to protect against this risk, it’s worth asking: What exactly can a hacker do with the results of a successful zone transfer?

A simple zone transfer will display more information than one might think. Considering zone transfers can be easily executed on the command line in a matter of seconds, the information output is surprisingly abundant. Using the “dig” command, an attacker can initiate a zone transfer using a command that looks like this:

# dig +short ns <target>
# dig axfr <target> @<name server>

The AXFR in the syntax is for making an AXFR request, which is the protocol that retrieves zone information. If the DNS server being queried does not have any protective measures in place, the server will potentially respond with all of the following information

SOA (Start of Authority) record, which contains the name of the server, the name of the administrator of the zone, and the current version of the SOA record
MX record, which contains the names of mail servers responsible for handling email messages for the organization
TXT record, which can contain emails, names, phone numbers, or even the IP address of the server

The Dangers of DNS Zone Transfers

Although this collection of information may not immediately grant an attacker enough access to the internal network or sensitive data, it would be a valuable source of information for further enumerating the target. Given this information, an attacker can perform social engineering attacks against users found in the zone, password attacks against discovered emails, and further enumeration of hosts discovered through the zone transfer. Additionally, because a short request for the zone records results in such a lengthy response, repeated requests can be used to perform Denial of Server (DoS) attacks against the organization or other outside organizations. This could lead to issues with availability, liability, damage to reputation, or the server being blacklisted, causing connectivity issues for customers.

No organization wants this much information published and available to the public. From a security standpoint, an organization’s goal should be to limit information on internal systems as much as possible to the public. Fortunately, protecting DNS servers against foreign requests for zone transfers is not complicated.

Mitigation

The most effective way to mitigate unauthorized DNS zone transfers is to implement IP-based access controls at the DNS server level. By following the Principle of Least Privilege, organizations should explicitly allow zone transfers (AXFR requests) only from trusted secondary DNS servers, using a strict whitelist of authorized IP addresses. This simple configuration step significantly reduces the risk of data leakage, ensuring that unauthorized hosts cannot retrieve sensitive internal DNS information.

Additionally, DNS servers should be regularly patched to address known vulnerabilities, and routine audits should be performed to verify that zone transfer settings remain properly restricted. Combined, these practices provide a strong baseline of protection against this often-overlooked yet still relevant attack vector.