Zone Transfers
The DNS protocol provides a facility to transfer all domain information between servers. These zone transfers provide an approach for rapidly updating secondary and caching servers. Whereas DNS uses UDP for individual lookups, zone transfers rely on TCP. The recipient of a zone transfer receives all domain information, including hostnames, network addresses, mail exchangers, and other DNS information.
Zone transfers are designed to streamline DNS distribution. A secondary DNS server may request a zone transfer from a primary server, or the primary may push a zone transfer to a secondary. Although the secondary likely caches some DNS information that it will not use, it will not repeatedly query the primary for individual host information. The simplest zone transfer can be performed with the Unix host command (from the BIND distribution). The command host -l domain ns.domain performs a zone transfer for the domain from the primary name server ns.domain.
Attackers can use zone transfers for reconnaissance. Because a zone transfer lists all hostnames in the domain, the attacker immediately gains a list of potential targets. If a particular network address in a subnet does not exist in a domain transfer, then there is no need to scan or attempt to compromise the missing host.
The most direct method to mitigate risks from zone transfers is to disable this functionality. Although many companies disable zone transfers, a surprisingly large number of DNS servers still provide this functionality to anyone who asks. If zone transfers are required for populating secondary or caching servers, then they should be configured as a push from the primary DNS server to a fixed list of secondaries rather than a pull request that any host can initiate.
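The weak and the restricted configurations side by side, as an added BIND 9 named.conf example (not from the original text). The zone name, the secondary's address 192.0.2.2 and the key name are assumptions; the TSIG secret is a placeholder. In BIND the "push" is a NOTIFY sent to the listed secondary, which then fetches the zone, so the transfer itself still has to be restricted with allow-transfer.

```conf
// --- Weak: any client that can reach TCP/53 may pull the whole zone ---
options {
    allow-transfer { any; };      // also the effective default in older BIND releases
};

// --- Restricted: deny by default, allow only the known secondary with a TSIG key ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";   // generate with tsig-keygen; never reuse across zones
};

options {
    allow-transfer { none; };     // global default: no zone transfers at all
};

zone "example.com" {
    type primary;                 // "type master" on BIND releases before 9.16
    file "/etc/bind/db.example.com";
    notify explicit;              // only NOTIFY the servers listed in also-notify
    also-notify { 192.0.2.2; };   // the secondary that is allowed to receive updates
    allow-transfer { key "xfer-key"; };   // transfer only when signed with the shared key
};
```

After reloading, a transfer attempt from any other host (or an unsigned one) is refused and logged, which also gives the operator a simple check that the restriction is in effect.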
Other technologies, such as DNSSEC [RFC4033, 4034, 4035], define methods for cryptographically authenticating zone information. DNSSEC can also authenticate secondary and caching servers that are permitted to conduct zone transfers.