A vulnerability exists when DNS servers are [mis]configured to allow for public zone transfers. A zone transfer is literally that – the transfer of an entire zone file, intended primarily for replication and availability between multiple DNS servers. A DNS zone transfer is attempted as follows:

dig axfr <domain> @<DNS server>

If I wanted to attempt a zone transfer for ‘domain.com’ from the DNS server ‘’, I would issue:

root@pwn:~# dig axfr domain.com @

On failure, we would receive:

; <<>> DiG 9.7.0-P1 <<>> axfr domain.com @
;; global options: +cmd
; Transfer failed.

And on success:

; <<>> DiG 9.7.0-P1 <<>> axfr domain.com @
;; global options: +cmd
domain.com.		3600	IN	SOA	srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600
domain.com.		600	IN	A
domain.com.		600	IN	A
domain.com.		3600	IN	NS	srv1.domain.com.
domain.com.		3600	IN	NS	srv2.domain.com.
vpn.domain.com.	3600	IN	A
server.domain.com.	3600	IN	A
office.domain.com.	3600	IN	A
remote.domain.com.	3600	IN	A
support.domain.com.	3600	IN	A
ns1.domain.com.	3600	IN	A
ns2.domain.com.	3600	IN	A
ns3.domain.com.	3600	IN	A
ns4.domain.com.	3600	IN	A
au.domain.com.	3600	IN	A
us.domain.com.	3600	IN	A
uk.domain.com.	3600	IN	A
nz.domain.com.	3600	IN	A
srv1.domain.com.	3600	IN	A
srv2.domain.com.	1200	IN	A
domain.com.		3600	IN	SOA	srv1.domain.com. hostsrv1.domain.com. 131 900 600 86400 3600
;; Query time: 269 msec
;; WHEN: Sun Aug 11 20:07:59 2013
;; XFR size: 65 records (messages 65, bytes 4501)


As you can see from the zone dump above, we have now enumerated every host published in the zone. This is a treasure trove of information, handing an attacker a ready-made list of systems of interest to target one by one.

If you've just tried a DNS zone transfer against your own domain and it succeeded, fix that right now! On 'bind' this is done by adding the 'allow-transfer {"none";};' directive to the options section (and then permitting only your own secondary servers per zone). For Windows, give this a go.
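The check above is easy to do by hand for one name server, but a domain usually has several, and each one must be tested. The following script is an added example written for this post, not code from the original; it assumes 'dig' is on the PATH, asks the resolver for the domain's NS records, attempts an AXFR against each, and classifies the result the same way the page does: a transfer that returns the zone bracketed by two SOA records is open, anything else (refused, timeout, '; Transfer failed.') is closed. The parser is exercised offline on constructed sample output shaped like the dumps above, with made-up names and IPs.

```python
"""Audit a domain's authoritative name servers for open zone transfers.

Added example, not from the original post. Assumes `dig` (BIND utilities)
is on PATH; the parser is exercised on constructed sample output below.
"""
import re
import subprocess
import sys

# Constructed sample: shape of `dig axfr` output on success (names/IPs made up).
SAMPLE_SUCCESS = (
    "; <<>> DiG 9.7.0-P1 <<>> axfr example.test @ns1.example.test\n"
    ";; global options: +cmd\n"
    "example.test.\t\t3600\tIN\tSOA\tsrv1.example.test. hostmaster.example.test. 131 900 600 86400 3600\n"
    "example.test.\t\t3600\tIN\tNS\tsrv1.example.test.\n"
    "vpn.example.test.\t3600\tIN\tA\t192.0.2.10\n"
    "srv1.example.test.\t3600\tIN\tA\t192.0.2.53\n"
    "example.test.\t\t3600\tIN\tSOA\tsrv1.example.test. hostmaster.example.test. 131 900 600 86400 3600\n"
    ";; Query time: 269 msec\n"
    ";; XFR size: 5 records (messages 1, bytes 200)\n"
)

# Constructed sample: shape of `dig axfr` output when the server refuses.
SAMPLE_FAILURE = (
    "; <<>> DiG 9.7.0-P1 <<>> axfr example.test @ns1.example.test\n"
    ";; global options: +cmd\n"
    "; Transfer failed.\n"
)

# One resource record line: owner, TTL, class IN, type, rdata.
RR_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.*)$"
)


def parse_axfr(output):
    """Return (transfer_succeeded, records).

    A complete AXFR starts and ends with the zone's SOA record, so two SOA
    records mean the server handed over the zone. Comment lines (';') are
    skipped; records is a list of (owner, type, rdata) tuples.
    """
    records = []
    for line in output.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            records.append(
                (m.group("owner").rstrip("."), m.group("type"), m.group("rdata").strip())
            )
    soa_count = sum(1 for _, rtype, _ in records if rtype == "SOA")
    return soa_count >= 2, records


def exposed_hosts(records):
    """Sorted, de-duplicated owner names of A/AAAA/CNAME records: the host
    inventory an open zone hands out to anyone who asks."""
    return sorted({owner for owner, rtype, _ in records if rtype in ("A", "AAAA", "CNAME")})


def nameservers(domain):
    """Ask the system resolver for the domain's NS records via `dig +short`."""
    out = subprocess.run(
        ["dig", "+short", "NS", domain], capture_output=True, text=True, timeout=15
    ).stdout
    return [ns.rstrip(".") for ns in out.split() if ns]


def check_domain(domain):
    """Try an AXFR against every NS; return {ns: (is_open, exposed_hosts)}."""
    results = {}
    for ns in nameservers(domain):
        proc = subprocess.run(
            ["dig", "axfr", domain, "@" + ns], capture_output=True, text=True, timeout=30
        )
        is_open, records = parse_axfr(proc.stdout)
        results[ns] = (is_open, exposed_hosts(records))
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: axfr_audit.py <your-domain>")
    for ns, (is_open, hosts) in check_domain(sys.argv[1]).items():
        status = "OPEN (restrict allow-transfer)" if is_open else "closed"
        extra = f", {len(hosts)} hosts exposed" if is_open else ""
        print(f"{ns}: {status}{extra}")
```

Run it against a domain you administer; any name server reported as OPEN needs the 'allow-transfer' restriction described above, re-run the script after the change to confirm every server now reports closed.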

Bear in mind that an attacker can still brute-force a list of subdomains using a tool such as 'fierce'; however, allowing unrestricted zone transfers is just asking for trouble!