Accessing DNS Information using Zone Transfer (AXFR)


Hello. Linux BIND DNS servers have a zone transfer (AXFR) feature. In this article I will explain what kind of problems the zone transfer setting can cause if the DNS configuration is not set up correctly.

I will also show how to configure the BIND DNS server for it.

If the zone transfer configuration is not set up correctly, third parties can read the DNS records of every domain name hosted on the DNS server. With that information, attacks can be carried out against those domain names and the servers and devices behind them, up to compromising them and leaking their data.

The zone transfer configuration line in an example BIND DNS server looks like this:

[important]
allow-transfer { 192.168.1.0; };
[/important]

In this example, zone transfer is allowed only from the IP address 192.168.1.0; allowing specific IP addresses is normally done for slave (secondary) DNS servers. If the configuration below were used instead, no client at all could perform a zone transfer.

[important]
allow-transfer { none; };
[/important]

However, if the "allow-transfer" parameter is not present in the BIND DNS server configuration file, zone transfer is allowed to every client. That means anyone can pull the DNS data of every domain name on that DNS server and discover its subdomains.
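To make the three states discussed above concrete, here is a named.conf fragment written for this article (it is not the post's own configuration). The ACL name, zone names, addresses and the TSIG key are placeholders; the TSIG key is an extra hardening step beyond what the post covers, so that transfer permission is tied to a shared secret rather than to a source address alone.

```conf
// Added example, not from the original post. All names and addresses are placeholders.

// Peers that legitimately need AXFR: the secondary server's address, or any
// peer that authenticates with the shared TSIG key.
acl "secondaries" {
    192.168.1.2;
    key "xfer-key";
};

key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET=";   // generate a real one, never reuse this string
};

options {
    directory "/var/named";
    // Explicit global default: nobody may transfer any zone unless a zone
    // stanza below overrides this. This is the "none" case from the article.
    allow-transfer { none; };
};

// A zone stanza with no allow-transfer of its own inherits the setting from
// "options" above. Without that global line it would fall back to the server's
// built-in default instead of an explicit policy, which is the situation the
// article warns about.
zone "example.com" {
    type master;
    file "example.com.zone";
};

// Hardened: only the listed secondaries may transfer this zone. This is the
// "allowed IP address" case from the article, narrowed further by the TSIG key.
zone "example.org" {
    type master;
    file "example.org.zone";
    allow-transfer { secondaries; };
};
```

After editing, run `named-checkconf` to catch syntax errors before reloading; a matching `key` stanza must also exist on the secondary so that it signs its AXFR requests.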

That covers the configuration on the BIND side. Now let's look, from the client side, at the difference between a server that uses the allow-transfer parameter and one that does not.

Server that does not allow zone transfer:

## Using the dig command, we find the NS servers for the erenturan.com.tr domain name.

[important]# dig ns erenturan.com.tr

; <<>> DiG 9.9.2-P1 <<>> ns erenturan.com.tr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2345
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;erenturan.com.tr. IN NS

;; ANSWER SECTION:
erenturan.com.tr. 17409 IN NS tr5.destekajans.com
erenturan.com.tr. 17409 IN NS tr6.destekajans.com

;; Query time: 55 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sun Jul 21 01:30:54 2013
;; MSG SIZE rcvd: 82[/important]

## We check whether the zone allows transfer.

[important]# dig @tr5.destekajans.com erenturan.com.tr axfr

; <<>> DiG 9.9.2-P1 <<>> @tr5.destekajans.com erenturan.com.tr axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.[/important]

As the output shows, we received a "Transfer failed." error. This means zone transfer is blocked on the DNS server we queried. (If the DNS server is BIND, it comes with allow-transfer none by default, so zone transfer is not allowed.)

Server where zone transfer is allowed:

In this example we will examine the query result on a server that allows DNS zone transfer.

Note: In order not to expose the domain names hosted on the DNS server used in this example, I replaced the domain name and IP addresses with different ones.

[important]# dig @ns1.example.com example.com axfr

; <<>> DiG 9.9.2-P1 <<>> @ns1.example.com example.com axfr
; (1 server found)
;; global options: +cmd
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2009051396 1800 600 86400 3600
example.com. 3600 IN A 1.1.1.201
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN NS ns2.example.com.
example.com. 3600 IN NS nsp1.example.com.
example.com. 3600 IN NS nsp2.example.com.
example.com. 3600 IN NS ns4.example.com.
example.com. 3600 IN MX 10 mail.example.com.
example.com. 3600 IN TXT "v=spf1 mx ptr ip4:1.1.1.1 +all"
mail.example.com. 3600 IN A 1.1.1.1
ns1.example.com. 3600 IN A 1.1.1.2
ns10.example.com. 3600 IN A 213.139.193.2
ns2.example.com. 1200 IN A 1.1.1.5
ns2.example.com. 1200 IN AAAA 2002:5d5e:f903::5d5e:f903
ns20.example.com. 3600 IN A 1.1.1.5
ns4.example.com. 3600 IN A 1.1.1.22
nsp1.example.com. 3600 IN A 1.1.1.3
nsp2.example.com. 3600 IN A 123.123.123.123
webmail.example.com. 3600 IN A 1.1.1.25
wiki.example.com. 3600 IN A 1.1.1.4
wpad.example.com. 1200 IN A 127.0.0.1
www.example.com. 3600 IN A 1.1.1.201
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2009051396 1800 600 86400 3600
;; Query time: 33 msec
;; SERVER: 1.1.1.2#53(1.1.1.2)
;; WHEN: Sun Jul 21 01:37:24 2013
;; XFR size: 23 records (messages 23, bytes 1308)[/important]

As we can see, we were able to read all DNS information for the domain name, including its subdomain records.

Turning off zone transfer does not mean that domain names and subdomains cannot be discovered; subdomains can still be enumerated with tools such as fierce, dnstalk and theHarvester. But the one method that is 100% successful is the information obtained through a DNS zone transfer.
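The two checks performed above (find the NS servers, then attempt an AXFR against each) are worth automating so that an administrator can regularly verify that their own zones refuse transfers. The POSIX shell script below is an added example, not part of the original post: `classify_axfr` reads the output of a `dig ... axfr` run and reports whether the server refused, how many records it handed out, or that the result was inconclusive; `audit_zone` drives dig for every NS of a zone you own. The sample outputs embedded in the script are constructed for illustration (example.net, ns1.example.net and the 192.0.2.0/24 addresses are documentation placeholders).

```sh
#!/bin/sh
# Added example, not from the original post: audit your own zones for
# unintended open zone transfers by running "dig @ns zone axfr" against
# every authoritative server and classifying the reply.

# classify_axfr: read dig AXFR output on stdin and print one of
#   refused   - the server answered "; Transfer failed." (allow-transfer blocks us)
#   open:<N>  - the transfer succeeded and returned N resource records
#   unknown   - neither pattern matched (timeout, no server found, ...)
classify_axfr() {
    _out=$(cat)
    if printf '%s\n' "$_out" | grep -q '^; Transfer failed\.'; then
        echo refused
        return 0
    fi
    # Record lines are the ones that are not dig commentary (leading ";")
    # and carry the IN class; "|| true" keeps grep's "no match" exit code
    # from aborting a caller running under "set -e".
    _n=$(printf '%s\n' "$_out" | grep -v '^;' | grep -c '[[:space:]]IN[[:space:]]' || true)
    if [ "$_n" -gt 0 ]; then
        echo "open:$_n"
    else
        echo unknown
    fi
}

# audit_zone ZONE: query each NS of ZONE (needs dig and network access).
# Prints one line per server: "<zone> <ns> <classification>".
audit_zone() {
    _zone=$1
    for _ns in $(dig +short ns "$_zone"); do
        _ns=${_ns%.}   # strip the trailing dot dig prints on names
        printf '%s %s %s\n' "$_zone" "$_ns" \
            "$(dig "@$_ns" "$_zone" axfr +time=5 +tries=1 | classify_axfr)"
    done
}

# Constructed sample outputs, shaped like the dig transcripts in the article.
SAMPLE_REFUSED='; <<>> DiG 9.9.2-P1 <<>> @ns1.example.net example.net axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.'

SAMPLE_OPEN='; <<>> DiG 9.9.2-P1 <<>> @ns1.example.net example.net axfr
; (1 server found)
;; global options: +cmd
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2024010101 1800 600 86400 3600
example.net. 3600 IN NS ns1.example.net.
www.example.net. 3600 IN A 192.0.2.10
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2024010101 1800 600 86400 3600
;; XFR size: 4 records (messages 1, bytes 200)'

SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# Usage when run directly: "sh axfr-audit.sh example.net" audits a live zone;
# with no argument it classifies the constructed samples above.
if [ -n "$1" ]; then
    audit_zone "$1"
else
    printf '%s\n' "$SAMPLE_REFUSED" | classify_axfr   # refused
    printf '%s\n' "$SAMPLE_OPEN"    | classify_axfr   # open:4
    printf '%s\n' "$SAMPLE_TIMEOUT" | classify_axfr   # unknown
fi
```

Any line reporting `open:<N>` for a zone that has no legitimate secondary at that address is a misconfiguration to fix with `allow-transfer`; the record count `N` includes the SOA twice, exactly as the `XFR size` line in dig's own summary does.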
