DNS Zone Transfer

What is it?

A DNS Zone Transfer (AXFR) is the mechanism nameservers use to copy a complete zone from one server to another. Typically a large organization runs a primary nameserver and one or more secondary nameservers for backup. If the primary nameserver fails, a secondary serves DNS requests in its place, and zone transfers are what keep the secondaries in sync with the primary. A correctly configured nameserver will only answer zone transfer requests from its own secondaries. The vulnerability is an unrestricted zone transfer: a misconfigured nameserver that answers an AXFR request from anyone. If an attacker can execute a Zone Transfer against an organization's nameserver, they receive the entire zone file, which reveals every record in the zone, including hostnames and the IP addresses they map to.

Why is this dangerous? The information gained by performing a Zone Transfer gives an attacker a much clearer picture of a victim organization's network. For example, a Zone Transfer could reveal assets an organization doesn't want the general public to know about, such as internal or forgotten subdomains pointing at unpatched servers. This bigger picture of an organization's network lets an attacker plan their next steps with far less guesswork.

Identification/Exploitation:

For this lesson, we combined the identification and exploitation sections. We did this because identifying and exploiting a DNS Zone Transfer vulnerability use the same steps: the request that tests for the weakness is the same request that exploits it. We will cover how to exploit a DNS Zone Transfer vulnerability using Dig and NSLookup. Both tools ship with most Linux distributions (Dig is usually in the bind-utils or dnsutils package), but the only one available natively on Windows is NSLookup. For this lesson, we will use Linux to demonstrate their usage.

The first of the two tools we will cover is NSLookup, which uses the syntax "nslookup -option target". If you want to query a specific nameserver rather than your system's default resolver, add it to the end of the command. The syntax for this is "nslookup -option target nameserver". See image 1.1 for an example of us performing a basic query. 

Image 1.1

As you can see from this image, we received only one record from the query we performed. We obtained this single result because we did not specify a query type. By default, nslookup retrieves the domain's A record (its IPv4 address) if no query type is specified. To specify a query type, add the "-query=" option to the command. Below is a list of query types you can select.

  • NS: To query a given nameserver for a domain's NS records (the servers authoritative for the zone)

  • PTR: To query for a reverse lookup (PTR record) of an IP address

  • ANY: To query for ANY available records (note that many modern nameservers deliberately answer ANY with a minimal response, as described in RFC 8482, so this is no longer a reliable way to enumerate records)

  • AXFR: To query a given nameserver for the whole Zone file of a domain

  • MX: To query for the mail servers (MX records) of a domain

If an attacker wants to check for and exploit a DNS Zone Transfer vulnerability, the syntax "nslookup -query=AXFR target.com nameserver" can be used. The nameserver must be one that is authoritative for the zone, which you can find with an NS query first. If the server is misconfigured, this command returns the entire Zone file; as attackers, this information helps us build a better picture of the victim organization and reveals potential attack vectors. For example, image 1.2 shows admin.cydefe.com as one of the entries. This subdomain may host a web application that, if exploited, could result in a devastating compromise. See image 1.2 for the results of our command.

Image 1.2

If you wish to use Dig instead of NSLookup the syntax is very similar, so there isn't much of a learning curve. The syntax for Dig is "dig target type," and you can specify a nameserver to query with this tool as well. The syntax for including a specific nameserver would be "dig @nameserver target type." For example, "dig @8.8.8.8 cydefe.com MX" would be the command to specify the server of 8.8.8.8 and perform a mail exchange query against the target cydefe.com. See image 2.1 for an example of us performing a basic query. 

Image 2.1

In image 2.1, you can see we received the IP of www.cydefe.com along with information about the nameservers. If we want to perform a Zone Transfer with Dig, the syntax is "dig @nameserver target AXFR." See image 2.2 for an example of this command. For this lab, we used the command "dig @172.17.0.2 cydefe.com AXFR"; the nameserver 172.17.0.2 is used because that is the IP of our lab VM. Please note that your nameserver IP will be different when running the VM, so substitute the address of your own instance.

Image 2.2

Using Dig to perform a Zone Transfer gives the same results as using NSLookup. Images 1.2 and 2.2 demonstrate that you can use either tool to get the same results. The main difference between the two is the formatting of their output. When picking which of these two tools to use, it comes down to preference and availability. One caveat for both tools: AXFR runs over TCP port 53, not UDP, so a firewall that only permits UDP/53 to the nameserver will cause the transfer to fail even when the server itself would allow it. Now that you know how to perform a Zone Transfer get out there and HACK THE PLANET!
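The check described above, wrapped into a script that looks up a domain's nameservers and attempts an AXFR against each one, reporting which servers allow the transfer and listing the hostnames it reveals. This is an added example and not part of the original lesson; it assumes Dig is installed, the domain name is a placeholder you pass on the command line, and the dig output embedded in it is constructed to show what a successful transfer and a refused one look like.

```shell
#!/bin/sh
# Added example, not from the original lesson: enumerate a domain's
# nameservers and test each one for an unrestricted zone transfer.
# Assumes dig (bind-utils / dnsutils) is installed.

# Constructed sample of dig's output for a successful AXFR (record
# values are made up; a transfer is bracketed by two SOA records).
SAMPLE_AXFR='
; <<>> DiG 9.18.1 <<>> @172.17.0.2 cydefe.com AXFR
;; global options: +cmd
cydefe.com.        3600 IN SOA ns1.cydefe.com. admin.cydefe.com. 2024010101 3600 900 604800 86400
cydefe.com.        3600 IN NS  ns1.cydefe.com.
ns1.cydefe.com.    3600 IN A   172.17.0.2
www.cydefe.com.    3600 IN A   10.0.0.10
admin.cydefe.com.  3600 IN A   10.0.0.11
cydefe.com.        3600 IN SOA ns1.cydefe.com. admin.cydefe.com. 2024010101 3600 900 604800 86400
;; Query time: 1 msec
;; XFR size: 6 records (messages 1, bytes 210)
'

# Constructed sample of dig's output when the server refuses the AXFR.
SAMPLE_REFUSED='
; <<>> DiG 9.18.1 <<>> @8.8.8.8 cydefe.com AXFR
;; global options: +cmd
; Transfer failed.
'

# Return 0 if the captured dig output is a completed transfer. dig
# prints an ";; XFR size: N records" summary only when the AXFR
# succeeded; a refusal prints "; Transfer failed." and no records.
axfr_succeeded() {
    printf '%s\n' "$1" | grep -q '^;; XFR size: [1-9]'
}

# Print the unique owner names from a transfer dump, skipping dig's
# ";"-prefixed comment lines and the SOA records that bracket the zone.
axfr_hostnames() {
    printf '%s\n' "$1" |
        awk '$1 !~ /^;/ && NF >= 4 && $4 != "SOA" { print $1 }' |
        LC_ALL=C sort -u
}

# Look up the NS records for a domain and attempt an AXFR against each.
# Prints the hostnames found whenever a nameserver allows the transfer.
check_zone_transfer() {
    domain="$1"
    for ns in $(dig +short NS "$domain"); do
        out=$(dig @"$ns" "$domain" AXFR +time=5 +tries=1 2>&1)
        if axfr_succeeded "$out"; then
            echo "[!] $ns allows zone transfer of $domain:"
            axfr_hostnames "$out"
        else
            echo "[-] $ns refuses zone transfer of $domain"
        fi
    done
}

# Usage: ./axfr_check.sh cydefe.com
if [ $# -eq 1 ]; then
    check_zone_transfer "$1"
fi
```

Running it with a domain name queries every authoritative nameserver rather than just the one you happen to know about, which matters because it is common for only one secondary (often a third-party or legacy server) to be the misconfigured one.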

Mitigation:

To prevent Zone Transfers to untrusted machines, you will want to set up an ACL on your DNS server. The examples below use BIND's named.conf syntax; the ACL is typically defined in the server's main configuration file. It will look something like the block below. Note that you will want to put your own nameservers' IPs in the ACL, not the example IPs shown.

acl trusted-servers {
    10.0.0.1; // ns1
    10.0.0.2; // ns2
};


After you set your ACL, you need to edit the zone's definition (in named.conf or the file it includes for your zones). Add the line "allow-transfer { trusted-servers; };" to the zone block to define which ACL may request transfers of that zone. See below for a simple example of how this block would look. 

zone "cydefe.com" {
    type master;
    file "zones/cydefe.com";
    allow-transfer { trusted-servers; };
};

Once these edits have been made, restart your server (or run "rndc reload" on BIND) for the changes to take effect. Then verify the fix the same way an attacker would test for it: run "dig @yournameserver cydefe.com AXFR" from a host that is not in the ACL and confirm that dig reports "; Transfer failed." instead of printing the zone.
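A fuller named.conf fragment, added here as an example rather than taken from the lesson, showing the two additional hardening steps a practitioner would usually want: a global default that refuses transfers to everyone (so a zone you forget to configure is still protected), and a TSIG key so the secondary has to sign its transfer requests instead of being trusted purely by source address. The directory path, key name, and base64 secret are constructed placeholders; generate a real secret with BIND's tsig-keygen tool and install the same key on the secondary.

```conf
// Added example, not the lesson's own configuration.
// Paths, key name and secret are constructed placeholders.

options {
    directory "/var/cache/bind";
    allow-transfer { none; };    // global default: refuse AXFR from everyone
};

// Shared secret for transfer authentication. Generate a real one with
// "tsig-keygen transfer-key" and copy the same key block to the secondary.
key "transfer-key" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXIta2V5LXJlcGxhY2UtbWU=";   // placeholder value, replace it
};

zone "cydefe.com" {
    type master;
    file "zones/cydefe.com";
    // Only requests signed with transfer-key may pull this zone; this
    // replaces the IP-based "allow-transfer { trusted-servers; };" form.
    allow-transfer { key transfer-key; };
};

// On the secondary (ns2), tell BIND to sign requests to the primary:
// server 10.0.0.1 { keys { transfer-key; }; };
```

The global "allow-transfer { none; };" is the line that catches misconfigurations: per-zone allow-transfer statements override it, so zones that need replication still work, while any zone added later without an explicit policy is closed by default.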