DNS: Zone Transfers

Heavily based on: http://en.wikipedia.org/wiki/DNS_zone_transfer

DNS zone transfer, also sometimes known by its (most common) opcode mnemonic AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to employ for replicating the databases containing the DNS data across a set of DNS servers. Zone transfer comes in two flavors, full (opcode AXFR) and incremental (IXFR).

Zone transfer operates on top of the Transmission Control Protocol (TCP), and takes the form of a client-server transaction. The parties involved in a zone transfer are a client (the "secondary" requesting the data from a portion of the database to be transferred to it) and a server (the "primary" supplying those data from its database). The portion of the database that is replicated is a "zone".

The fields of this SOA resource record, in particular the "serial number", determine whether the actual data transfer need occur at all. The client compares the serial number of the SOA resource record with the serial number in the last copy of that resource record that it has. If the primary's serial numbers is larger, the data in the zone are deemed to have "changed" (in some fashion) and the secondary proceeds to request the actual zone data transfer. If the serial numbers are identical, the data in the zone are deemed not to have "changed", and the client may continue to use the copy of the database that it already has, if it has one.

Serial number changes

The preamble portion of zone transfer relies on the serial number, and only the serial number, to determine whether a zone's data have changed, and thus the actual data transfer is required. For some DNS server packages, the serial numbers of SOA resource records are maintained by administrators by hand. Every edit to the database involves making two changes, one to the record being changed and the other to the zone serial number.

Security

DNS zone transfers have several potential security issues, though they are easily rectified by proper configuration of the DNS software. The data contained in an entire DNS zone may be sensitive in nature. Individually, DNS records are not sensitive, but if a malicious entity obtains a copy of the entire DNS zone for a domain, they may have a complete listing of all hosts in that domain. That makes the job of a computer hacker much easier. A computer hacker needs no special tools or access to obtain a complete DNS zone if the name server is promiscuous and allows anyone to do a zone transfer.

Of course DNS zone transfers are a necessary and critical aspect of how DNS works, and can not be turned off completely. But DNS zone transfers should only be allowed between DNS servers and clients that actually need it. Typically, only inter-dependent DNS servers will need to do zone transfers. An additional layer of protection with zone transfers can be obtained by implementing DNS keys and even encrypted DNS payloads.

If a malicious entity is able to perform a DNS zone transfer they can launch a Denial of Service attack against that zone's DNS servers by bogging them down with many multiple requests. However, this is largely fixed by limiting access to do DNS zone transfers and using encryption.

In Infoblox, the permitted list of hosts is set in the trusted_axfr Named ACL.