
How to check a DNS server for the zone transfer (AXFR) vulnerability

What is a DNS zone transfer attack?

A DNS zone transfer is a DNS transaction, identified by the query type AXFR, with which a secondary (slave) name server copies the complete zone from the primary (master) over TCP port 53. It is a legitimate replication mechanism, not an attack in itself; the problem is that AXFR carries no authentication of its own, so a name server that has not been restricted to its own secondaries hands the whole zone to anyone who asks. An attacker who pulls the zone gets every hostname, IP address, mail server and other record of the domain in a single request, which is why DNS, the phone book of the Internet, is such a valuable reconnaissance target. An open zone transfer is an information disclosure: by itself it does not let the attacker sniff or redirect traffic. Taking control of the name server or tampering with its records, which is what DNS hijacking means, is a separate and far more serious compromise, but the hosts exposed by a zone transfer are often where such an attack starts.

Today I will write about the process of testing for the zone transfer vulnerability and how attackers perform the attack against a DNS server.


Tools to be used for testing DNS zone transfer attack vulnerability

  • Kali Linux (for dig, host, nslookup and fierce), plus the online checkers at ultratools.com, monitis.com and hackertarget.com. The test itself is an AXFR request sent to each of the domain's authoritative name servers, which an NS lookup reveals; when the transfer is refused, tools such as fierce fall back to brute-forcing subdomain names from a wordlist.

Knowledge required to understand zone transfer testing:

  • Basic command-line knowledge of Linux platform
  • Command parameters
  • MX record
  • Name Server
  • ICMP
  • TTL

What else you need to know

From a security perspective, assume the target is behind a firewall, and firewalls very often drop ICMP. A quick way to learn something about the perimeter is therefore to send an ICMP echo request and see whether it is answered. On Windows: Start -> Run -> cmd -> Enter, then type ping 100.100.100.100 (the target's IP address). No reply suggests that ICMP is filtered, and with a few more probes you can often tell what kind of firewall, sometimes even which vendor's, sits in front of the target. It does not tell you whether a zone transfer is possible: AXFR runs over TCP port 53, which any reachable name server must leave open, so a blocked ping rules nothing out.

Another way is tracert: Start -> Run -> cmd -> Enter, then type tracert domain-name. Hops that print * * * are devices that do not answer, usually because ICMP is filtered; again, this does not mean a zone transfer is impossible. The TTL of the replies hints at what answered: each operating system starts with a fixed initial TTL (64 on Linux and most Unix systems, 128 on Windows, 255 on Cisco IOS and many other network devices) and every router on the path decrements it by one. A reply with a TTL of 64 or a little below it therefore points to a Linux or Unix host, while a value such as 247 is most plausibly a 255-initial device, for example a Cisco router, eight hops away. Most of the time the last hop before the target is its router. Treat all of this as heuristics, not proof.

Sometimes a router exposes a management web page. Try http:// or https:// followed by the IP address; if you get a page, the login banner usually names the vendor and model, which takes you one step further. Another option is tcptraceroute, which traces with TCP SYN packets instead of ICMP and therefore passes filters that only drop ICMP. In Kali Linux: tcptraceroute ip-address, or tcptraceroute ns1.example.com 53 to trace the path to the DNS service itself.

If Kali Linux runs in VMware with NAT networking, outbound queries such as dig and fierce against Internet hosts work normally, but the VM is hidden behind the host's address, so tests against machines on your own LAN, and anything that needs the VM to be reached directly, will not give the real result. Use bridged mode in those cases.

#1. We will use the Kali Linux operating system to perform this task.

#2. Open a terminal (Ctrl+Alt+T) and type the following commands.

#3. fierce -dns hostname.com [fierce looks up the name servers of the domain and asks each of them for a zone transfer; if the transfer is refused it falls back to brute-forcing common subdomain names from its wordlist, which is the slow and noisy way to recover part of the same information. The -dns flag belongs to the original Perl fierce; the Python rewrite that current Kali releases ship takes fierce --domain hostname.com instead.]

#4. fierce needs the domain name, not an IP address, because it enumerates names inside a zone. If you only know an IP address, host 111.111.111.111 does a reverse lookup and may give you the hostname; if you know the hostname and want its address, ping hostname.com or host hostname.com prints it.

#5. Now type host hostname.com, replacing hostname.com with your target; this prints its address (A/AAAA) records and its mail servers (MX).

#6. Type nslookup, then at the > prompt type set q=ns [query type NS, the authoritative name servers of the domain].

#7. Now enter your target domain name. Every server listed in the answer is a candidate for the AXFR test, and each one has to be checked separately, because a zone is often open on only one of them.

#8. Now type set q=mx [query type MX, the mail servers] and enter the domain again.

#9. Alternatively you can use some free online tools; these are the ones I found useful: https://hackertarget.com/zone-transfer/ https://www.ultratools.com/tools/zoneFileDump http://www.geektools.com/digtool.php https://pentest-tools.com/network-vulnerability-scanning/dns-zone-transfer-check

#10. The direct check is dig @dns1.server.com domain.com axfr, where dns1.server.com is one of the name servers from step #7; repeat it for each of them. A server that allows the transfer prints the entire zone, beginning and ending with the SOA record, while a properly configured one prints "; Transfer failed." (the response code is usually REFUSED).
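The steps above as one script, added here by the editor and not part of the original post: it looks up the NS records of a domain and runs the AXFR test from step #10 against every one of them, which is also the check to repeat after hardening a server. It assumes dig from bind9-dnsutils is installed, as on Kali. The classify_axfr and count_records helpers only parse dig's output, so the constructed sample outputs at the bottom (the domain, servers and addresses in them are made up) let them run offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: NS lookup followed by an AXFR
# attempt against every authoritative name server of a domain.
# Assumes `dig` (bind9-dnsutils) is installed. Everything below the
# network helpers is constructed sample data for offline testing.

# Classify the text printed by `dig @server domain axfr`.
# Prints one word: allowed, refused, unreachable or failed.
classify_axfr() {
    local output="$1" soa
    # dig reports network problems on ';;' comment lines
    if printf '%s\n' "$output" | grep -qiE 'connection timed out|no servers could be reached|connection refused|communications error'; then
        echo unreachable
        return 0
    fi
    # A full transfer starts and ends with the SOA record, so two or more
    # SOA lines mean the zone was handed over. dig prints each resource
    # record as: name TTL class type rdata (type is field 4).
    soa=$(printf '%s\n' "$output" | awk '!/^;/ && $4 == "SOA" { n++ } END { print n + 0 }')
    if [ "$soa" -ge 2 ]; then
        echo allowed
    elif printf '%s\n' "$output" | grep -q 'Transfer failed'; then
        echo refused        # server answered, normally with rcode REFUSED
    else
        echo failed         # partial or unexpected output
    fi
}

# Number of resource records in dig output: lines that are neither
# comments nor blank.
count_records() {
    printf '%s\n' "$1" | grep -cvE '^(;|$)'
}

# Authoritative name servers of a domain, one hostname per line.
nameservers_for() {
    dig +short NS "$1" | sed 's/\.$//'
}

# Try the transfer against every name server and print a one-line verdict
# per server; a zone that was handed over is saved to axfr-<domain>-<ns>.txt.
check_zone_transfer() {
    local domain="$1" ns out verdict
    for ns in $(nameservers_for "$domain"); do
        out=$(dig +time=5 +tries=1 "@$ns" "$domain" axfr 2>&1)
        verdict=$(classify_axfr "$out")
        printf '%-32s %-12s %s records\n' "$ns" "$verdict" "$(count_records "$out")"
        if [ "$verdict" = allowed ]; then
            printf '%s\n' "$out" > "axfr-$domain-$ns.txt"
        fi
    done
}

# Constructed dig outputs (domain, servers and addresses are made up) in
# the three shapes you will meet: an open server, a refusing one, and one
# that could not be reached over TCP 53.
SAMPLE_ALLOWED='; <<>> DiG 9.18.12 <<>> @ns1.example.com example.com axfr
; (1 server found)
;; global options: +cmd
example.com.        3600    IN  SOA  ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
example.com.        3600    IN  NS   ns1.example.com.
www.example.com.    300     IN  A    192.0.2.10
example.com.        3600    IN  SOA  ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
;; Query time: 12 msec
;; XFR size: 4 records (messages 1, bytes 200)'

SAMPLE_REFUSED='; <<>> DiG 9.18.12 <<>> @ns1.example.com example.com axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.'

SAMPLE_UNREACHABLE='; <<>> DiG 9.18.12 <<>> @ns2.example.com example.com axfr
;; connection timed out; no servers could be reached'

# Usage: ./axfr-check.sh example.com
if [ "$#" -ge 1 ]; then
    check_zone_transfer "$1"
fi
```

Run it first against zonetransfer.me, the domain used in the configuration example at the end of this post, which is deliberately left open, to see an "allowed" verdict and the saved zone file; then against your own domain. The verdict is based on the two SOA records that bracket a complete transfer rather than on the absence of an error message, so a server that starts answering and then cuts the transfer short is reported as "failed", not "allowed".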

Here I've attached a sample screenshot of a failed test. If you want more details about this, with full screenshots, please let me know in the comment section.


DNS zone transfer attack (AXFR vulnerability) prevention

AXFR requires no authentication of its own, so anyone can ask a DNS server for a copy of the entire zone with any client software. Unless some kind of protection is introduced, an attacker can obtain a list of all hosts in a domain, which gives them a lot of potential attack vectors.

To prevent this, configure the DNS server to allow zone transfers only to trusted IP addresses, i.e. its own secondaries, and to refuse them from everyone else. The following is an example of how this is done in BIND: the trusted secondaries go into an ACL and the zone's allow-transfer statement references it. Do not rely on the server's default for allow-transfer; set it explicitly, and after the change re-run dig @your-server domain.com axfr from an address outside the ACL to confirm that it now answers "; Transfer failed.".

# /etc/named.conf
acl trusted-nameservers {
    192.168.0.11;   // ns12
    192.168.1.23;   // ns13
};

zone "zonetransfer.me" {
    type master;
    file "zones/zonetransfer.me";
    allow-transfer { trusted-nameservers; };   // only the secondaries in the ACL
};
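An IP-based ACL is the minimum. BIND can additionally require every transfer request to be signed with a shared TSIG key, so that a spoofed or reassigned address is not enough on its own, and a global allow-transfer { none; } makes refusal the default for every zone that does not say otherwise. The following fragment is an added example, not from the original post; the key name, the secret placeholder and the addresses 192.168.0.11 (secondary) and 192.168.1.1 (primary) are assumptions. Generate a real secret on the primary with tsig-keygen transfer-key and use its output in place of the key statement.

```conf
// /etc/named.conf on the primary (added example; key name and secret are placeholders)
key "transfer-key" {
    algorithm hmac-sha256;
    secret "PASTE_THE_SECRET_PRINTED_BY_tsig-keygen_HERE";
};

options {
    allow-transfer { none; };      // refuse AXFR for every zone unless the zone overrides it
};

zone "zonetransfer.me" {
    type master;
    file "zones/zonetransfer.me";
    allow-transfer { key transfer-key; };   // only requests signed with transfer-key
};

// On the secondary (192.168.0.11): the same key statement, plus
//   server 192.168.1.1 { keys { transfer-key; }; };   // 192.168.1.1 = the primary
// so that its AXFR/IXFR requests to the primary are signed with the key.
```

Validate with named-checkconf before reloading with rndc reload. Afterwards an unsigned dig @192.168.1.1 zonetransfer.me axfr prints "; Transfer failed.", while dig -y hmac-sha256:transfer-key:SECRET @192.168.1.1 zonetransfer.me axfr, run with the real secret, still returns the zone; that pair of commands is the regression test for the change.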
