Simple ways to improve your DNS resilience and security: #2 Zone Transfers
Having designed a redundant DNS infrastructure, one of the most common mistakes is failing to ensure that the secondary nameservers can actually replicate the data for the domains they host. On the Internet this replication is most commonly done with zone transfers: the secondary sends an AXFR query and the primary replies with every record it holds for the zone.
Historically it was common for nameservers to allow any host on the Internet to perform zone transfers. Over time this disclosure of a zone's complete contents came to be seen as a security risk, and blocking AXFR became standard practice. We now frequently find configurations that have gone too far the other way: they block zone transfers even from the hosts that should legitimately be performing them, so the secondaries serve stale data until the zone's expiry timer runs out, after which they stop answering for it altogether.
Windows DNS Server complicates this further. In a Windows-only environment, Active Directory-integrated zones are replicated between domain controllers by Active Directory itself, so zone transfers are redundant and are commonly disabled entirely. The problem comes when the same data must also be replicated to external secondaries that are not part of the Active Directory environment: those servers can only receive the zone by AXFR, so zone transfers have to be re-enabled on the Windows side and restricted to the addresses of the external secondaries.
When configuring secondary nameservers, test that they are actually replicating the zone. Either check the logs on the primary and the secondaries for completed transfers, or make a change to the zone (which increments the SOA serial), then query each secondary directly and confirm that it serves the new serial and the new record. Consider making this a regular check in your monitoring system, so a secondary that falls behind is noticed before the zone expires on it. Finally, try sending zone transfer requests from systems that should not be able to perform them, and confirm that they are refused.
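As an added example, not part of the original post, the following POSIX shell script performs the checks described above: it compares the SOA serial served by every nameserver for a zone (a lagging secondary shows up as a mismatch or a missing answer), and it confirms that a host which is not an authorised secondary is refused when it requests an AXFR. The zone and nameserver names are placeholders for your own, and the dig outputs embedded in it are constructed samples so the logic can be exercised offline; passing `--live` runs the real queries.

```shell
#!/bin/sh
# Added example, not from the original post: check that every nameserver for a
# zone serves the same SOA serial (replication is working) and that an AXFR
# from a host that is not an authorised secondary is refused (no over-exposure).
# The zone and nameserver names below are placeholders for your own.

ZONE="example.org"                              # assumption: zone under test
NAMESERVERS="ns1.example.org ns2.example.org"   # assumption: its advertised NS set

# soa_serial NS ZONE: print the SOA serial that nameserver NS returns for ZONE.
# 'dig +short' prints the SOA as: mname rname serial refresh retry expire minimum
soa_serial() {
    dig +short +norecurse @"$1" "$2" SOA 2>/dev/null | awk 'NF >= 7 { print $3; exit }'
}

# serials_consistent TEXT: TEXT holds one "nameserver serial" pair per line.
# Exit 0 when every serial equals the first; exit 1 on any mismatch or when a
# nameserver gave no serial at all (a line with a single field).
serials_consistent() {
    printf '%s\n' "$1" | awk '
        NF == 0     { next }                        # skip blank lines
        NF < 2      { bad = 1; next }               # no answer from this server
        !seen       { first = $2; seen = 1; next }  # remember the first serial
        $2 != first { bad = 1 }                     # this server is behind (or ahead)
        END         { exit bad + 0 }'
}

# axfr_record_count TEXT: count resource records in the output of
# "dig @ns zone AXFR". dig prefixes comments with ';', so a refused transfer
# ("; Transfer failed.") contains no records and the count is 0.
axfr_record_count() {
    printf '%s\n' "$1" | awk '!/^;/ && NF { n++ } END { print n + 0 }'
}

# Constructed sample outputs, so the checks can be exercised offline.
SAMPLE_SERIALS_OK='ns1.example.org 2024060102
ns2.example.org 2024060102'
SAMPLE_SERIALS_STALE='ns1.example.org 2024060102
ns2.example.org 2024060101'
SAMPLE_AXFR_REFUSED='; <<>> DiG <<>> @ns1.example.org example.org AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.'
SAMPLE_AXFR_LEAKED='example.org.    3600 IN SOA ns1.example.org. hostmaster.example.org. 2024060102 7200 900 1209600 300
example.org.    3600 IN NS  ns1.example.org.
intranet.example.org. 3600 IN A 10.0.0.5
example.org.    3600 IN SOA ns1.example.org. hostmaster.example.org. 2024060102 7200 900 1209600 300'

# live_check: run the real queries against ZONE and NAMESERVERS from this host.
# Run it from a host that is NOT an authorised secondary: the serial comparison
# should pass and every transfer attempt should be refused.
live_check() {
    serials=$(for ns in $NAMESERVERS; do
        printf '%s %s\n' "$ns" "$(soa_serial "$ns" "$ZONE")"
    done)
    printf '%s\n' "$serials"
    if serials_consistent "$serials"; then
        echo "OK: all nameservers serve the same SOA serial for $ZONE"
    else
        echo "WARN: serial mismatch or missing answer; check secondary replication" >&2
    fi
    for ns in $NAMESERVERS; do
        count=$(axfr_record_count "$(dig @"$ns" "$ZONE" AXFR 2>/dev/null)")
        if [ "$count" -eq 0 ]; then
            echo "OK: $ns refused AXFR from this host"
        else
            echo "WARN: $ns handed $count records of $ZONE to an unauthorised host" >&2
        fi
    done
}

# Only contact real servers when asked: sh zonecheck.sh --live
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it with `--live` from your monitoring host, which should not be an authorised secondary, so both a serial mismatch and a successful transfer are reported as warnings. Run from a legitimate secondary the AXFR will (correctly) succeed, so there only the serial comparison is meaningful. A matching serial shows that the secondary has fetched the current version of the zone; it does not show how it got there, so the log check in the text is still worth keeping for transfers that fail intermittently. `+norecurse` keeps a recursive resolver from answering the SOA query out of its cache.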
Now you can be confident that your secondary nameservers are replicating data successfully, without exposing the entire zone to the Internet.
Part of a series on improving DNS resilience and security. Read part one: https://community.ja.net/blogs/csirt/article/simple-ways-improve-your-dns-resilience-and-security-1-redundancy