Zoning Out: An Introduction to DNS Zone Transfers

Estimated difficulty:  💜💜🤍🤍🤍

DNS (Domain Name System) zone transfers are used to replicate zone data across multiple DNS servers, allowing administrators to modify records easily by making the changes on one server and copying them to the others.

Zone transfers are requested with the AXFR query type, and should only be permitted between the specific servers that hold a zone. However, if a server is insecurely configured and answers AXFR requests from anyone, attackers can abuse the zone transfer to reveal every host and DNS record held in the zone.

What is DNS?

Dubbed the “phonebook of the internet”, DNS is primarily responsible for translating domain names to IP addresses so that local browsers can access internet resources (such as websites and applications). Whilst humans access resources by using domain names (such as google.com), web browsers typically interact through IP addresses (using either IPv4 or IPv6).


DNS removes the need for humans to memorise the IP addresses of various resources. Could you imagine trying to memorise an address such as 2001:0db8:85a3:0000:0000:8a2e:0370:7334?!

If you want to learn more about DNS, Cloudflare have written an excellent article here. Although you may also end up seeing a DNS blog soon on Security Queens, so watch this space!

DNS Zones

Each DNS server is broken up into different zones. A zone is essentially a portion of the DNS namespace that is managed separately from another portion (zone). Each zone allows for more definitive control for server administrators, and is usually managed by a specific organisation or person. Creating zones helps implement boundaries of management between different portions of an entire domain; a DNS zone may consist of one domain, multiple domains or even sub-domains.

DNS Zone Infographic
Modified From: NS1.

Let’s Zone Transfer!

There are multiple tools that can be used to carry out zone transfers; in this blog we will be covering both dig and host. We will also be using DigiNinja’s ZoneTransfer.me – a domain that has been created to practice zone transfers against.

Using Dig

To successfully complete a zone transfer, first we need to identify the domain’s nameserver.

We can do this using dig:

dig ns <domain>

For example:

dig ns zonetransfer.me

You should receive output like the below, with an answer section listing the nameserver(s):

; <<>> DiG 9.16.15-Debian <<>> ns zonetransfer.me
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17072
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4000
;; QUESTION SECTION:
;zonetransfer.me. IN NS

;; ANSWER SECTION:
zonetransfer.me. 5 IN NS nsztm1.digi.ninja.
zonetransfer.me. 5 IN NS nsztm2.digi.ninja.

;; ADDITIONAL SECTION:
nsztm1.digi.ninja. 5 IN A 81.4.108.41

;; Query time: 196 msec
;; SERVER: 192.168.244.2#53(192.168.244.2)
;; WHEN: Wed Mar 02 15:01:40 GMT 2022
;; MSG SIZE rcvd: 112

Now that we know the nameserver, we can use dig to complete a zone transfer…

dig axfr <domain> @<nameserver>

For example:

dig axfr zonetransfer.me @nsztm1.digi.ninja

The output from a zone transfer can reveal a lot of information; here’s a snippet from zonetransfer.me:

Using Host

Another tool that can be used for zone transfers is host:

host -l <domain> <nameserver>

For example:

host -l zonetransfer.me nsztm1.digi.ninja

The -l flag is used to list all the hosts in a domain using an AXFR zone transfer, and will produce a similar output to dig!
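The dig and host steps above are easy to run by hand against one domain, but a defender auditing their own zones wants the decision made consistently: which nameservers answered the AXFR, and how many hostnames a successful transfer handed out. The following script is an added example and not part of the original post or of the dig tool; it parses the text that dig prints so the logic can be exercised offline. The `dig ns` sample mirrors the answer shown above, while the two `dig axfr` samples (a permitted transfer for a placeholder zone example.test, and a refused one) are constructed. The `fetch_axfr` helper simply runs the same dig command the post uses, for checking your own zones.

```python
"""Offline audit helpers for the dig-based zone transfer check (added example)."""
import re
import subprocess

# Sample 1 (constructed, mirrors the post's `dig ns zonetransfer.me` answer section).
DIG_NS_OUTPUT = """\
;; QUESTION SECTION:
;zonetransfer.me. IN NS

;; ANSWER SECTION:
zonetransfer.me. 5 IN NS nsztm1.digi.ninja.
zonetransfer.me. 5 IN NS nsztm2.digi.ninja.

;; ADDITIONAL SECTION:
nsztm1.digi.ninja. 5 IN A 81.4.108.41
"""

# Sample 2 (constructed, placeholder zone): a server that permits AXFR from anyone.
# A complete transfer starts and ends with the zone's SOA record.
DIG_AXFR_ALLOWED = """\
; <<>> DiG 9.16.15-Debian <<>> axfr example.test @ns1.example.test
;; global options: +cmd
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2022030201 7200 3600 1209600 3600
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN NS ns2.example.test.
www.example.test. 300 IN A 192.0.2.10
vpn.example.test. 300 IN A 192.0.2.20
intranet.example.test. 300 IN CNAME www.example.test.
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2022030201 7200 3600 1209600 3600
;; Query time: 45 msec
"""

# Sample 3 (constructed): dig prints this marker line when the server refuses the AXFR.
DIG_AXFR_REFUSED = """\
; <<>> DiG 9.16.15-Debian <<>> axfr example.test @ns2.example.test
;; global options: +cmd
; Transfer failed.
"""

# One resource record as dig prints it: owner name, TTL, class IN, type, rdata.
RR_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<data>.+)$")


def parse_records(dig_output):
    """Return (name, ttl, type, rdata) for every record line; ';' comment lines are skipped."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = RR_LINE.match(line)
        if match:
            records.append((match["name"], int(match["ttl"]), match["type"], match["data"]))
    return records


def nameservers(dig_ns_output, domain):
    """Nameserver hostnames (trailing dot removed) from the NS answer for `domain`."""
    apex = domain.rstrip(".") + "."
    return [rdata.rstrip(".") for name, _ttl, rtype, rdata in parse_records(dig_ns_output)
            if rtype == "NS" and name == apex]


def classify_axfr(dig_axfr_output):
    """Decide whether a `dig axfr` run succeeded and summarise the hostnames it exposed."""
    if "; Transfer failed." in dig_axfr_output:
        return {"status": "refused", "records": 0, "exposed_hosts": []}
    records = parse_records(dig_axfr_output)
    complete = len(records) >= 2 and records[0][2] == "SOA" and records[-1][2] == "SOA"
    hosts = sorted({name.rstrip(".") for name, _ttl, rtype, _rdata in records
                    if rtype in ("A", "AAAA", "CNAME")})
    return {"status": "allowed" if complete else "incomplete",
            "records": len(records), "exposed_hosts": hosts}


def fetch_axfr(domain, nameserver):
    """Run the same `dig axfr <domain> @<nameserver>` command the post uses (needs network)."""
    result = subprocess.run(["dig", "axfr", domain, "@" + nameserver],
                            capture_output=True, text=True, check=False)
    return result.stdout


def audit(domain, dig_ns_output, axfr_outputs):
    """Map each nameserver to its classification; `axfr_outputs` is {nameserver: dig text}.
    A nameserver with no captured output is reported as "incomplete", not as refused."""
    return {ns: classify_axfr(axfr_outputs.get(ns, ""))
            for ns in nameservers(dig_ns_output, domain)}


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; use fetch_axfr() for a live check.
    report = audit("zonetransfer.me", DIG_NS_OUTPUT,
                   {"nsztm1.digi.ninja": DIG_AXFR_ALLOWED, "nsztm2.digi.ninja": DIG_AXFR_REFUSED})
    for ns, result in report.items():
        print(f"{ns}: {result['status']} ({result['records']} records, "
              f"{len(result['exposed_hosts'])} hosts exposed)")
```

The "allowed" verdict deliberately requires the transfer to start and end with an SOA record; a truncated response or an error message is reported as "incomplete" rather than silently counted as safe.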

The (Real) Purpose of Zone Transfers

Although zone transfers can be abused by attackers, they have a genuine purpose in DNS administration and management.

DNS is considered a critical service: if a server is “down” or its information has expired, the entire domain could be affected and inaccessible to users and services. Due to this, each DNS zone should have at least two servers.

Zones may require regular updates and changes, and domains could be made up of multiple DNS servers. If an administrator was to change the data on each server manually, this could be incredibly time consuming and there is a chance for human error.

Having the ability to zone transfer allows an administrator to make the changes on a single server, and copy the changes across all the other servers within a domain.

This takes less time, and eliminates the risk of mistakes when manually copying information.
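Keeping that benefit while closing the exposure demonstrated earlier comes down to one setting: in BIND, the allow-transfer directive decides who may request an AXFR, and a zone without its own directive inherits whatever the global options block says. The script below is an added example and not part of the original post or of BIND itself; it reads a named.conf and reports, per zone, whether transfers are open to anyone. The sample configuration is constructed, with placeholder zone names, a placeholder TSIG key name and a documentation address, and shows the weak setting (allow-transfer { any; }) beside the hardened one that names only the secondary.

```python
"""Report BIND zones whose allow-transfer is open to everyone (added example)."""
import re

# Constructed sample: the global `any` is inherited by every zone that does not override it.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    allow-transfer { any; };            // weak: anyone may pull every zone below
};

zone "example.test" {
    type master;
    file "example.test.zone";           // inherits the global `any` above
};

zone "hardened.test" {
    type master;
    file "hardened.test.zone";
    allow-transfer { key secondary-key; 192.0.2.2; };   // only the named secondary
};
"""


def strip_comments(text):
    """Remove /* */, // and # comments so they cannot hide or mimic a directive."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def top_level_blocks(text):
    """Yield (header, body) for each top-level `header { body };` statement."""
    pos = 0
    while True:
        start = text.find("{", pos)
        if start == -1:
            return
        header = text[pos:start].strip().strip(";").strip()
        depth = 0
        end = start
        for end in range(start, len(text)):   # find the brace that closes this block
            if text[end] == "{":
                depth += 1
            elif text[end] == "}":
                depth -= 1
                if depth == 0:
                    break
        yield header, text[start + 1:end]
        pos = end + 1


def allow_transfer(body):
    """The allow-transfer address-match list of a block, or None if the block sets none."""
    match = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    if not match:
        return None
    return [entry.strip() for entry in match.group(1).split(";") if entry.strip()]


def audit_named_conf(conf_text):
    """Return {zone: {"acl": [...], "status": ...}} applying zone-over-options precedence."""
    global_acl = None
    zones = {}
    for header, body in top_level_blocks(strip_comments(conf_text)):
        if header == "options":
            global_acl = allow_transfer(body)
        zone = re.match(r'zone\s+"([^"]+)"', header)
        if zone:
            zones[zone.group(1)] = allow_transfer(body)
    report = {}
    for name, own_acl in zones.items():
        acl = own_acl if own_acl is not None else global_acl
        if acl is None:
            status = "unspecified"     # left to the BIND version's default; set it explicitly
        elif "any" in acl:
            status = "unrestricted"    # the exposure demonstrated against zonetransfer.me
        else:
            status = "restricted"
        report[name] = {"acl": acl, "status": status}
    return report


if __name__ == "__main__":
    for name, finding in audit_named_conf(SAMPLE_NAMED_CONF).items():
        print(f'zone "{name}": {finding["status"]}, allow-transfer = {finding["acl"]}')
```

A zone that never states allow-transfer is flagged as "unspecified" rather than assumed safe, because the effective value then depends on the BIND release's default; the fix in every case is an explicit list containing only the secondaries, ideally identified by a TSIG key rather than by address alone.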
