zone tranfer?

Hey guys. I am curious if someone could explain zone transfers to me and what the purpose of being able to do one is? Also curious why this is a security risk if someone is able to do this from their workstation say while at work?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

dynamik

zenlakin wrote:

Hey guys. I am curious if someone could explain zone transfers to me and what the purpose of being able to do one is? Also curious why this is a security risk if someone is able to do this from their workstation say while at work?

You'd want to transfer zones to other DNS servers for redundancy or to migrate the zone to that server.

It's a security risk because whoever gains access to zone transfer data will gain knowledge about all the devices listed in that zone. You may have some critical servers (sql, accounting data, etc.) or devices that you do not want everyone to be aware of, but you may still need to include them in DNS.

zenlakin

Ok, so for security reasons you would probably only want access to be available to those who specifically take care of DNS so that not just anyone could perform a zone transfer on any given workstation and see that data and those devices that are in DNS? Also, to follow up on that how would one perform a DNS transfer to see if it can be done from their workstation? And what would I be looking for?

gojericho0

Zone transfer is basically the replication of DNS zone of information. There are a couple reasons to do this including redundancy, scalability, and performance. The reason why you do not want someone to be running a DNS server on their PC at work is because your whole DNS structure could be poisoned if someone added\modified\deleted incorrect zone and record information. The changes to this rogue dns server would propagate (zone transfer) to other available DNS servers if no security is implemented

royal

zenlakin wrote:

how would one perform a DNS transfer to see if it can be done from their workstation? And what would I be looking for?

nslookup and then using the ls command to **** the zone

zenlakin

Ok, so that is how I get the zone info right? Then what would I be looking for to perform an actual zone tranfer?

royal

That does an actual zone transfer.

So:
nslookup
set type=all
ls domain > C:\domainzonedump.txt

Tyrant1919

I tried this and got an error:

nslookup
set type=brownies
unknown query type: brownies

What the heck, I'm cravin' a brownie and get nothin'?

But to add something, you shouldn't be able to use that command to get anything from a DNS server of yours. I just checked all ours just for some g wiz info.

dynamik

Tyrant1919 wrote:

But to add something, you shouldn't be able to use that command to get anything from a DNS server of yours.

I agree, you shouldn't be able to do that.

However, zone transfers are allowed in Win2k by default. They changed that behavior in Win2k3. I'm not sure about default behavior for the various versions of BIND though.

astorrs

Tyrant1919 wrote:

I tried this and got an error:

nslookup
set type=brownies
unknown query type: brownies

What the heck, I'm cravin' a brownie and get nothin'?

Silly Tyrant, you forgot that you need to use abbreviations.

For example:

LCO = Lemon COffeecake
MF = Meringue de Framboise
PTR = Pavlova with Tangerines and Raspberries
RT = Red cherry Torte
SIG = Strawberry Ice cream Gateau

snadam

astorrs wrote:

Tyrant1919 wrote:

I tried this and got an error:

nslookup
set type=brownies
unknown query type: brownies

What the heck, I'm cravin' a brownie and get nothin'?

Silly Tyrant, you forgot that you need to use abbreviations.

For example:

LCO = Lemon COffeecake
MF = Meringue de Framboise
PTR = Pavlova with Tangerines and Raspberries
RT = Red cherry Torte
SIG = Strawberry Ice cream Gateau

you forgot about one very important querey type:
CCC= Chocolate Chip Cookies

:P

astorrs

I screwed up on the location (LOC) one, should have been LemOn Coffeecake.

CCC isn't valid, DNS can't help you find that dessert, sorry.

Sie

Just create a CNAME Record for COOKIE to 209.62.5.3 , theres usually someone there that has a few

HeroPsycho

mmm, 127.0.0.1-made-cookies! :P

astorrs

Sie, I bow to your wisdom - you have resolved the cookie lookup problem.

I looked and there are no cookies anywhere in my house, Hero can you PM one to me?

dynamik

I love being associated with you guys. It makes me seem cool for a change