Tuesday, 14 May 2013

DNS server zone transfer and amplification attack

How to test if a DNS server allows zone transfer?

In Windows
nslookup
server TARGET_DNS_SERVER_IP
set type=any
ls -d TARGET_DOMAIN

In Linux
dig @TARGET_DNS_SERVER_IP -t AXFR TARGET_DOMAIN

Many DNS servers allow a transfer of the root (".") zone. This can be abused for an amplification attack: an attacker sends many small (17-byte) root zone transfer requests, and the server answers each with a much bigger reply (around 500 bytes). Moreover, the possibility to transfer the root zone will result in a FAIL during a PCI ASV scan. We can check manually whether it is possible with the following commands:

Transfer root zone in Linux
dig @DNS_SERVER_IP axfr

Transfer root zone in Windows
nslookup
> server server_ip
> set q=soa
> .
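As an added example (not from the original post), the Python below builds the 17-byte root-zone AXFR query in DNS wire format and shows the check a resolver operator can run over captured queries to spot root-zone transfer requests. The function names and the sample packet are my own constructions.

```python
import struct

QTYPE_AXFR = 252  # zone-transfer query type (RFC 1035)
QCLASS_IN = 1

def encode_name(name):
    """Encode a domain name in wire format; the root '.' is a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """Build a minimal DNS query: 12-byte header plus one question.
    For 'AXFR .' that is 12 + 1 (root name) + 2 (type) + 2 (class) = 17 bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def decode_name(data, offset):
    """Decode an uncompressed wire-format name; return (name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a question")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) or ".", offset

def parse_question(packet):
    """Return (qname, qtype, qclass) of the first question in a DNS message."""
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("message has no question section")
    qname, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return qname, qtype, qclass

def is_root_axfr(packet):
    """Detection rule over captured queries: flag a zone transfer of the root zone."""
    qname, qtype, _ = parse_question(packet)
    return qname == "." and qtype == QTYPE_AXFR

# Constructed sample packet (not captured traffic): the 17-byte 'AXFR .' request.
SAMPLE_ROOT_AXFR = build_query(".", QTYPE_AXFR)
```

Feeding the query side of a capture through `is_root_axfr` gives a quick way to confirm whether anyone is probing a server for root-zone transfers before and after the fix described in the next section.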

How can we disable root zone transfer and avoid an amplification attack?
In BIND, add the following line to the options section of the named.conf file:
additional-from-cache no;

This will affect the cache, so be cautious.


Solution for Windows
