DNS Zone and How to Keep Safe From DNS Zone Transfer Attacks
The Domain Name System, and the DNS zones it is composed of, are not as simple as the widely used definition of DNS as "the internet's phonebook" suggests.
As handy as that metaphor is for summarizing a complex set of technical processes, it does not reveal everything you should know about the DNS.
So let's take a step further in understanding how this enormous phonebook of the internet is structured. That will help us understand how DNS-related threats work and how they can be addressed with the proper DNS security policies and solutions.
What Is a DNS Zone?
A DNS zone is a segment of the domain namespace. It is also an administrative unit that allows more precise control over that part of the namespace. A DNS zone contains DNS records, which hold the name and IP address details for one or more components of a domain.
Below the DNS root, a hierarchy of subdomains forms the Internet's domain namespace. A DNS zone can start at any domain in that tree and can extend down over its subdomains, which allows one entity to control many subdomains from a single zone.
Every time subdomain space is registered or allocated, the registrant is required to maintain the administrative and technical infrastructure for managing the zone, including delegating sub-zones to lower-level domains. A DNS zone is therefore a portion of the namespace, covering one or more subdomains, that is designated for management as a unit.
However, a DNS zone should not be equated with a domain name or with a single DNS server. This is a common error: one zone can hold several subdomains, and several zones can be hosted on the same server. Because zones exist only to delegate administrative control, they do not have to be physically isolated from one another.
DNS Zone Types
- Primary zone
Primary zones read their zone data directly from a zone file on the server, and the primary is where the zone is edited. A primary zone can include a subzone, or child zone, and holds the zone's resource records: the SOA and NS records that every zone must have, plus records such as host alias (CNAME), IPv4 address (A), IPv6 address (AAAA), or reverse-mapping pointer (PTR) records.
- Secondary zone
Secondary zones, sometimes called "slave zones", are read-only copies of the primary zone kept on different servers. They cannot be edited; they only receive updates from the primary zone, by zone transfer, and their role is simply to maintain a complete copy of the zone for which they are secondaries.
- Stub zone
Stub zones hold only the records needed to find the zone's authoritative servers: its name server (NS) records, together with the SOA and the address (glue) records for those name servers. The server uses them to send queries for the zone to the right authoritative servers.
- Forward zone
Forward zones contain no records of their own; the server forwards every query for that zone to the configured forwarder servers (conditional forwarding).
What Is DNS Zone Transfer?
A DNS zone transfer, requested with the DNS query type AXFR, is a DNS transaction in which a copy of one section of a DNS server's database, a zone, is transferred to another DNS server. (The incremental variant, IXFR, sends only the changes since a given zone serial number.) Zone transfer is one of the methods administrators use to distribute DNS data across a group of DNS servers.
A zone transfer works like a client-server transaction and uses the Transmission Control Protocol (TCP), since a whole zone does not fit in a single UDP datagram. It typically occurs when you set up a new DNS server as a secondary for the zone. Zone transfers are also used to back up DNS data or to replicate it across several DNS servers.
If the name server permits the transfer, every record in the zone, that is, all DNS names and IP addresses it hosts, is returned to the requester. The data is not encrypted, and tools such as dig render it as ordinary human-readable zone-file text.
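To make the transaction concrete, here is an added example (not code from the original article) that builds an AXFR request in DNS wire format, parses the reply, and decides whether the server handed over the zone. It uses only the Python standard library; the zone name example.test, the hosts ns1, intranet and the addresses, as well as the two sample replies, are constructed for the demonstration and stand in for what a real server would send back.

```python
# Added example (not from the original article): build an AXFR request, parse
# the wire-format reply and decide whether the server handed over the zone.
# Standard library only; the zone, hosts, addresses and sample replies are
# constructed for this demonstration.
import socket
import struct

QTYPE_AXFR = 252
RTYPES = {1: "A", 2: "NS", 6: "SOA", 28: "AAAA"}

def encode_name(name: str) -> bytes:
    """Dotted name -> uncompressed DNS label sequence, root-terminated."""
    labels = [label.encode() for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"

def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """12-byte header with one question, then QNAME, QTYPE=AXFR, QCLASS=IN."""
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone)
            + struct.pack("!HH", QTYPE_AXFR, 1))

def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                # the caller resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def decode_rdata(msg: bytes, off: int, rtype: int, rdlen: int) -> str:
    """Render A, NS and SOA rdata; anything else as hex."""
    if rtype == 1:
        return socket.inet_ntoa(msg[off:off + 4])
    if rtype == 2:
        return read_name(msg, off)[0]
    if rtype == 6:                           # SOA: MNAME RNAME SERIAL ...
        mname, off = read_name(msg, off)
        rname, off = read_name(msg, off)
        return f"{mname} {rname} {struct.unpack('!I', msg[off:off + 4])[0]}"
    return msg[off:off + rdlen].hex()

def parse_axfr_response(msg: bytes):
    """One DNS message -> (rcode, [(owner, type, rdata), ...])."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question
        off = read_name(msg, off)[1] + 4
    records = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((owner, RTYPES.get(rtype, str(rtype)),
                        decode_rdata(msg, off, rtype, rdlen)))
        off += rdlen
    return flags & 0x000F, records

def transfer_allowed(msg: bytes) -> bool:
    """Granted: rcode 0 and the first answer is the zone's SOA.  A locked-down
    server answers REFUSED (rcode 5) or NOTAUTH (9) with no answer records."""
    rcode, records = parse_axfr_response(msg)
    return rcode == 0 and bool(records) and records[0][1] == "SOA"

# Constructed replies for "example.test".  0xC00C is a compression pointer back
# to the zone name in the question section (message offset 12).
ZONE_PTR = b"\xc0\x0c"
_QUESTION = encode_name("example.test") + struct.pack("!HH", QTYPE_AXFR, 1)
_SOA = (b"\x03ns1" + ZONE_PTR + b"\x0ahostmaster" + ZONE_PTR
        + struct.pack("!IIIII", 2024010101, 7200, 900, 1209600, 3600))

def _rr(owner: bytes, rtype: int, rdata: bytes, ttl: int = 3600) -> bytes:
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

SAMPLE_OPEN_RESPONSE = (                     # flags 0x8400 = QR|AA, rcode 0
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 5, 0, 0) + _QUESTION
    + _rr(ZONE_PTR, 6, _SOA)
    + _rr(ZONE_PTR, 2, b"\x03ns1" + ZONE_PTR)
    + _rr(b"\x03ns1" + ZONE_PTR, 1, bytes([192, 0, 2, 53]))
    + _rr(b"\x08intranet" + ZONE_PTR, 1, bytes([10, 0, 5, 10]))   # private address exposed
    + _rr(ZONE_PTR, 6, _SOA)                 # an AXFR ends with the SOA again
)
SAMPLE_REFUSED_RESPONSE = (                  # flags 0x8405 = QR|AA, rcode 5 REFUSED
    struct.pack("!HHHHHH", 0x1234, 0x8405, 1, 0, 0, 0) + _QUESTION)
```

For a live check, send the bytes from `build_axfr_query` over a TCP connection to port 53 with a two-byte big-endian length prefix, read back length-prefixed messages the same way (a large zone arrives as several messages, and the transfer is complete when the SOA record appears a second time), and pass each message to `parse_axfr_response`. The equivalent one-liner with standard tooling is `dig @ns1.example.test example.test axfr`: a server that refuses prints "Transfer failed.", one that is open prints the whole zone as text.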
How Can a DNS Zone Transfer Attack Occur?
Threat actors can learn a great deal about a target network and its hosts by inspecting its DNS. A poorly secured DNS can reveal sensitive data, such as internal addressing schemes and host naming conventions.
When attackers manage to perform a zone transfer against the primary or a secondary name server for a domain, they obtain every DNS record in the zone. This follows directly from the purpose of zone transfers: they replicate a domain's complete database from the primary server to the secondaries, so whoever is allowed to request one receives everything.
Permitting arbitrary external clients to execute zone transfers against one of a domain's DNS servers is a common misconfiguration that puts sensitive data at risk. For a malicious actor it is like receiving a map of the network, which greatly helps when planning an attack: the listing shows which hosts exist, what they are named, and which addresses they use. Combined with other weaknesses, that knowledge also feeds attacks that redirect traffic or place the attacker in the middle of a connection.
It is therefore recommended that you limit access to DNS zone data, so your network is less visible to attackers and more difficult to penetrate.
How to Prevent Malicious Zone Transfer
The base DNS protocol requires no authentication for a zone transfer, so the bad news is that, unless the server is configured otherwise, any client that asks is handed a copy of the zone. There are two ways to protect against unwanted zone transfers:
- Completely disable zone transfers (the right default for a server that has no secondaries).
- Create an explicit allow-list of trusted IP addresses, normally just the secondaries, that may request a zone transfer.
Because source addresses can be spoofed, servers that support it should additionally require transfer requests to be signed with a TSIG key shared only with the secondaries. Whichever option you choose, verify it from an outside address afterwards: a zone transfer request against each authoritative server must be refused.
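The following BIND 9 named.conf fragment is an added example, not configuration from the original article, showing the weak setting beside the hardened one (server-wide default of no transfers, an address allow-list, and a TSIG-signed transfer requirement). The zone name example.test, the file paths, the addresses 192.0.2.x / 198.51.100.x and the key name xfer-key are placeholders.

```conf
// Added example (not from the original article): weak vs. hardened zone
// transfer settings for BIND 9.  Names, paths, addresses and key are placeholders.

// Weak: any client on the internet can pull the whole zone.
zone "example.test" {
    type primary;            // "type master;" on BIND versions before 9.16
    file "/var/named/example.test.zone";
    allow-transfer { any; };
};

// Hardened, step 1: no transfers at all unless a zone says otherwise.
options {
    allow-transfer { none; };
};

// Hardened, step 2: a TSIG key shared only with the secondaries.  The secret
// must be base64; generate it with `tsig-keygen xfer-key` rather than typing
// the placeholder below, which named-checkconf will reject.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-REPLACE-WITH-tsig-keygen-OUTPUT";
};

acl "secondaries" { 192.0.2.53; 198.51.100.53; };

// Hardened, step 3: on the primary, require BOTH a source address in the ACL
// and a valid signature.  The nested negation is the BIND idiom for "and":
// reject anything that is not a secondary, then require the key.
zone "example.test" {
    type primary;
    file "/var/named/example.test.zone";
    allow-transfer { !{ !secondaries; any; }; key "xfer-key"; };
};

// On each secondary (same key statement as above): sign every transfer
// request sent to the primary at 192.0.2.1.
zone "example.test" {
    type secondary;          // "type slave;" before 9.16
    file "/var/named/example.test.zone.db";
    primaries { 192.0.2.1 key "xfer-key"; };   // "masters" before 9.16
};
```

After reloading, run `named-checkconf` on the result and then repeat a transfer attempt from an address outside the ACL; it should be answered with REFUSED, while a secondary presenting the key still receives the zone.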