Estimated difficulty: 💜💜🤍🤍🤍
DNS (Domain Name System) zone transfers are used to help replicate databases across different domain servers, allowing administrators to modify or edit records easily by implementing the changes on one server and copying the changes to the others.
Zone transfers are completed using the AXFR protocol, and are usually only authorised to transfer between specified servers. However, if the server is insecurely configured, attackers can also abuse the ability to zone transfer to reveal information about hosts or DNS properties on a server.
What is DNS?
Dubbed the “phonebook of the internet”, DNS is primarily responsible for translating domain names to IP addresses so that local browsers can access internet resources (such as websites and applications). Whilst humans access resources by using domain names (such as google.com), web browsers typically interact through IP addresses (using either IPv4 or IPv6).
DNS removes the need for humans to memorise the IP addresses of various resources. Could you imagine trying to memorise an address such as 2001:0db8:85a3:0000:0000:8a2e:0370:7334?!
If you want to learn more about DNS, Cloudflare have written an excellent article here. Although you may also end up seeing a DNS blog soon on Security Queens, so watch this space!
Each DNS server is broken up into different zones. A zone is essentially a portion of the DNS namespace that is managed separately from another portion (zone). Each zone gives server administrators more definitive control, and is usually managed by a specific organisation or person. Creating zones helps implement boundaries of management between different portions of an entire domain; DNS zones may consist of one domain, multiple domains or even sub-domains.
Let’s Zone Transfer!
There are multiple tools that can be used to carry out zone transfers; in this blog we will be covering both dig and host. We will also be using DigiNinja’s ZoneTransfer.me – a domain that has been created to practice zone transfers.
To successfully complete a zone transfer, first we need to identify the domain’s nameserver.
We can do this using dig:
dig ns <domain>
dig ns zonetransfer.me
You should receive an output like the one below, with an answer section including the nameserver(s):
; <<>> DiG 9.16.15-Debian <<>> ns zonetransfer.me
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17072
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4000
;; QUESTION SECTION:
;zonetransfer.me. IN NS

;; ANSWER SECTION:
zonetransfer.me. 5 IN NS nsztm1.digi.ninja.
zonetransfer.me. 5 IN NS nsztm2.digi.ninja.

;; ADDITIONAL SECTION:
nsztm1.digi.ninja. 5 IN A 188.8.131.52

;; Query time: 196 msec
;; SERVER: 192.168.244.2#53(192.168.244.2)
;; WHEN: Wed Mar 02 15:01:40 GMT 2022
;; MSG SIZE rcvd: 112
Now that we know the nameserver, we can use dig to complete a zone transfer…
dig axfr <domain> @<nameserver>
dig axfr zonetransfer.me @nsztm1.digi.ninja
The output from a zone transfer can reveal a lot of information; here’s a snippet from dig.
Another tool that can be used for zone transfers is host:
host -l <domain> <nameserver>
host -l zonetransfer.me nsztm1.digi.ninja
The -l flag is used to list all the hosts in a domain using an AXFR zone transfer, and will produce a similar output to dig.
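The dig commands above can be wrapped into a repeatable check for the zones you administer: look up the nameservers, ask each one for an AXFR, and report which servers hand the zone to an unauthorised client. The script below is an added example and not code from the Security Queens post or from DigiNinja. It assumes dig is installed for the live check; the two parsing helpers (ns_from_dig and axfr_status) only need awk and are exercised here against constructed sample output for the made-up domain example.test, not against a real server.

```shell
#!/bin/sh
# Zone-transfer exposure check (added example, not the post's own code).
# Assumes `dig` from bind9-dnsutils is installed for the live check; the
# two parsing helpers only need awk and work on captured dig output.

# Print the nameservers from `dig ns <domain>` output, one per line,
# trailing dot removed. Lines starting with ';' are dig's own commentary.
ns_from_dig() {
    awk '$1 !~ /^;/ && $3 == "IN" && $4 == "NS" { sub(/\.$/, "", $5); print $5 }'
}

# Classify `dig axfr` output: "closed" when the server refused the transfer,
# "open N" when it handed over N resource records, "unknown" otherwise
# (timeout, SERVFAIL, unreachable server, empty output).
axfr_status() {
    awk '
        /^; Transfer failed/                  { failed = 1 }
        $1 !~ /^;/ && NF >= 5 && $3 == "IN"   { records++ }
        END {
            if (failed)       print "closed"
            else if (records) print "open " records
            else              print "unknown"
        }'
}

# Live audit of a domain you are responsible for: ask each of its
# authoritative nameservers for an AXFR and report the result per server.
check_zone() {
    domain=$1
    dig ns "$domain" | ns_from_dig | while read -r ns; do
        status=$(dig +time=5 +tries=1 axfr "$domain" "@$ns" | axfr_status)
        printf '%s\t%s\t%s\n' "$domain" "$ns" "$status"
    done
}

# Constructed sample output (not captured from any real server) so the
# helpers can be run offline. example.test is a placeholder domain.
SAMPLE_NS='; <<>> DiG 9.16.15-Debian <<>> ns example.test
;; QUESTION SECTION:
;example.test.                  IN      NS

;; ANSWER SECTION:
example.test.           300     IN      NS      ns1.example.test.
example.test.           300     IN      NS      ns2.example.test.

;; ADDITIONAL SECTION:
ns1.example.test.       300     IN      A       192.0.2.1'

SAMPLE_AXFR_OPEN='; <<>> DiG 9.16.15-Debian <<>> axfr example.test @ns1.example.test
example.test.           300     IN      SOA     ns1.example.test. hostmaster.example.test. 2024010101 3600 900 604800 300
example.test.           300     IN      NS      ns1.example.test.
example.test.           300     IN      NS      ns2.example.test.
www.example.test.       300     IN      A       192.0.2.10
vpn.example.test.       300     IN      A       192.0.2.20
example.test.           300     IN      SOA     ns1.example.test. hostmaster.example.test. 2024010101 3600 900 604800 300
;; Query time: 42 msec'

SAMPLE_AXFR_CLOSED='; <<>> DiG 9.16.15-Debian <<>> axfr example.test @ns2.example.test
; Transfer failed.'

# Usage (hypothetical filename): sh zonecheck.sh yourdomain.example
# Runs the live check only when a domain is passed on the command line.
if [ $# -gt 0 ]; then
    check_zone "$1"
fi
```

Any server that reports "open" to a client that is not one of its own secondaries is the misconfiguration the post describes; the fix is to restrict transfers to the addresses of the secondary servers (in BIND this is the allow-transfer option, other servers have an equivalent) and re-run the check. The same result can be confirmed with host -l against the server in question.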
The (Real) Purpose of Zone Transfers
Although zone transfers can be abused by attackers, they have a genuine purpose in DNS administration and management.
DNS is considered a critical service: if a server is “down” or information has expired, the entire domain could be affected and inaccessible to users and services. Because of this, each DNS zone should have at least two servers.
Zones may require regular updates and changes, and domains could be made up of multiple DNS servers. If an administrator were to change the data on each server manually, it would be incredibly time consuming and there would be a chance of human error.
Having the ability to zone transfer allows an administrator to make the changes on a single server and copy them across all the other servers within a domain.
This takes less time, and eliminates the risk of mistakes when manually copying information.