A vulnerability exists when DNS servers are [mis]configured to allow for public zone transfers. A zone transfer is literally that – the transfer of an entire zone file, intended primarily for replication and availability between multiple DNS servers. A DNS zone transfer is attempted as follows:

dig axfr <domain> @<DNS server>
If I wanted to attempt a zone transfer for ‘domain.com’ from the DNS server ‘192.168.1.2’, I would issue:

root@pwn:~# dig axfr domain.com @192.168.1.2

On failure, we would receive:

; <<>> DiG 9.7.0-P1 <<>> axfr domain.com @192.168.1.2
;; global options: +cmd
; Transfer failed.

And on success:

; <<>> DiG 9.7.-P1 <<>> axfr domain.com @192.168.1.105
;; global options: +cmd
domain.com.		3600	IN	SOA	srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600
domain.com.		600	IN	A	192.168.1.102
domain.com.		600	IN	A	192.168.1.105
domain.com.		3600	IN	NS	srv1.domain.com.
domain.com.		3600	IN	NS	srv2.domain.com.
vpn.domain.com.	3600	IN	A	192.168.1.1
server.domain.com.	3600	IN	A	192.168.1.3
office.domain.com.	3600	IN	A	192.168.1.4
remote.domain.com.	3600	IN	A	192.168.1.48
support.domain.com.	3600	IN	A	192.168.1.47
ns1.domain.com.	3600	IN	A	192.168.1.41
ns2.domain.com.	3600	IN	A	192.168.1.42
ns3.domain.com.	3600	IN	A	192.168.1.34
ns4.domain.com.	3600	IN	A	192.168.1.45
au.domain.com.	3600	IN	A	192.168.1.31
us.domain.com.	3600	IN	A	192.168.1.23
uk.domain.com.	3600	IN	A	192.168.1.30
nz.domain.com.	3600	IN	A	192.168.1.29
srv1.domain.com.	3600	IN	A	192.168.1.102
srv2.domain.com.	1200	IN	A	192.168.1.105
domain.com.		3600	IN	SOA	srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600
;; Query time: 269 msec
;; SERVER: 192.168.1.105#53(192.168.1.105)
;; WHEN: Sun Aug 11 20:07:59 2013
;; XFR size: 65 records (messages 65, bytes 4501)

root@pwn:~# 

As you can see from the zone dump above, we have now enumerated every host on the network – this is an absolute treasure trove of information, allowing an attacker to then target each and every system of interest.

If you’ve just tried a DNS zone transfer against your own domain and it’s succeeded, patch that right now! On ‘bind’ this is done by adding the 'allow-transfer { none; };' directive to the options section; if you run secondary servers that replicate the zone via AXFR, grant only their addresses (ideally with a TSIG key) in the zone stanza rather than opening it globally. For Windows, give this a go.
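To run the self-check above against every name server of your own domain in one go, and to see how many hosts an open transfer would expose, here is an added shell script (not from the original post). It assumes 'dig' is on PATH for the live check; the classification functions work on captured dig output and run offline, and the embedded samples are constructed after the output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): audit your own zone's name
# servers for open AXFR. Assumes 'dig' is on PATH for the live check.

# classify_axfr: read 'dig axfr' output on stdin and print one of
# OPEN (records came back), REFUSED (dig reported a failed transfer), UNKNOWN.
classify_axfr() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^; Transfer failed'; then
        echo REFUSED
    elif printf '%s\n' "$out" | grep -Eq '^[^;].*[[:space:]]IN[[:space:]]+SOA[[:space:]]'; then
        echo OPEN
    else
        echo UNKNOWN
    fi
}

# count_a_hosts: number of distinct owner names with A records in the dump,
# i.e. how many hosts a leaked zone hands to whoever pulled the transfer.
count_a_hosts() {
    grep -E '^[^;][^[:space:]]*[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+A[[:space:]]' |
        awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# audit_zone DOMAIN: try a transfer from every NS of DOMAIN and report each.
audit_zone() {
    for ns in $(dig +short NS "$1"); do
        printf '%s\t%s\t%s\n' "$1" "$ns" "$(dig axfr "$1" "@$ns" | classify_axfr)"
    done
}

# Constructed samples modelled on the post's output, for offline use.
SAMPLE_REFUSED='; <<>> DiG 9.7.0-P1 <<>> axfr domain.com @192.168.1.2
;; global options: +cmd
; Transfer failed.'
SAMPLE_OPEN='domain.com.  3600  IN  SOA  srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600
domain.com.  600   IN  A    192.168.1.102
domain.com.  600   IN  A    192.168.1.105
vpn.domain.com.  3600  IN  A  192.168.1.1
srv1.domain.com. 3600  IN  A  192.168.1.102
domain.com.  3600  IN  SOA  srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600'

if [ $# -gt 0 ]; then
    audit_zone "$1"          # live check: sh audit_axfr.sh yourdomain.example
else
    printf 'sample refused -> %s\n' "$(printf '%s\n' "$SAMPLE_REFUSED" | classify_axfr)"
    printf 'sample open    -> %s, %s hosts with A records\n' \
        "$(printf '%s\n' "$SAMPLE_OPEN" | classify_axfr)" \
        "$(printf '%s\n' "$SAMPLE_OPEN" | count_a_hosts)"
fi
```

Any server reported as OPEN that is not one of your own secondaries needs the allow-transfer fix above.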

Bear in mind that an attacker can still use brute force to enumerate a list of subdomains, using a tool such as ‘fierce’; however, allowing unrestricted zone transfers is just asking for trouble!