Thu Dec 15

What is Zone Transfer?

You may already know that DNS (Domain Name System) translates between IP addresses and the names that are more familiar to humans. Before DNS was first described and implemented in the 1980s, the mapping between IP addresses and hostnames was stored in a file called “hosts”.

The hosts file is still used today as an alternative to DNS for name resolution. However, it became impractical as the network grew: the file had to be stored on every individual computer, and keeping all of those copies in sync was a nightmare. This is why DNS was developed.

What is zone transfer?

Today, the information about IP addresses and hostnames is stored on a DNS server, which is structurally much better. The records themselves are kept in a file called the zone file. Because this data is critical, backups are required to prevent data loss in the event of an unforeseen failure.

The main server is called the primary DNS server, and the server holding the backup copy is called the secondary DNS server. Zone transfer is simply the process of copying the zone file from the primary to the secondary; this is how the backup is made. The copy on the secondary is called the secondary zone.

What is the DNS zone?

At this point, you might be wondering why it is called a zone file. If you have read the previous article about DNS here, you already know that DNS is structured in a hierarchical manner. Each part of that hierarchy that is administered as a unit is what we call a zone.

Because each file holds the records of one zone, it is known as a zone file. Each zone is also managed by a specific organization. For example, ICANN (Internet Corporation for Assigned Names and Numbers) is in charge of the root zone, while IANA (Internet Assigned Numbers Authority), a branch of ICANN, is in charge of the TLD zones.

How does zone transfer work?

Transport Layer

The communication between the servers runs primarily over TCP rather than UDP, even though UDP is more lightweight and could in principle be used. Why? UDP does not guarantee delivery or ordering, both of which are crucial when copying a zone database, and its safe maximum payload size is very small, so it is not suitable for transferring large amounts of data (learn more about TCP and UDP here).

In practice, DNS uses both TCP and UDP on port 53. The TCP connection is used for the zone transfer itself (copying the zone file), while UDP is used for ordinary name queries because of the limitations described above.

AXFR vs IXFR

Zone transfer can be done with two different mechanisms: full zone transfer (AXFR - Authoritative Transfer) and incremental zone transfer (IXFR - Incremental Transfer). As the names suggest, in a full zone transfer the secondary server copies the entire set of DNS records, whereas in an incremental transfer the secondary server asks the primary only for the records that have changed. IXFR is therefore the mechanism commonly used for zone updates.
</gre_replace>
<gr_replace lines="36" cat="clarify" orig="DNS server">
DNS servers work in a master and slave arrangement. The primary server is the master, where the original copies of the zone records are stored. Conversely, the slave server (secondary server) is where the copies of the master's zone records are stored. There can be more than one slave.

Zone Transfer Master-Slave

DNS server works as master and slave. The primary server is deemed as master where the original copies of zone records are stored. Conversely, the slave server (secondary server) is where the copies of master zone records are stored. In fact, the slaves can be more than one.

When the master server detects a change in the zone file, it notifies all of the slaves with a message whose opcode is NOTIFY, using the list of NS records in the zone to find them. Nevertheless, the transfer itself remains a completely client-driven process that only happens when the client initiates it. In this exchange the primary server acts as the server and the secondary server acts as the client.

SOA record

In a previous [post](https://www.binaryte.com/blog/dns-and-dns-records-explained), several types of DNS records are described. The SOA record is another record type that was not included in that list. SOA stands for Start of Authority, and the purpose of this record is to provide administrative information about the DNS zone.

Let’s have a quick look at this example below.

example.com.  3600 IN SOA ns.icann.org. noc.dns.icann.org. 2022091169 7200 3600 1209600 3600

Source example.com

The example above is the SOA record of example.com. There is some information in it worth knowing in order to understand how it relates to zone transfer.

  • example.com. - the domain name of the zone
  • 3600 - time-to-live (TTL)
  • IN - zone class (IN for Internet)
  • SOA - type of the record
  • ns.icann.org. - primary name server (MNAME)
  • noc.dns.icann.org. - administrator’s email address, written as a domain name (RNAME)
  • 2022091169 - serial number
  • 7200 - how long the secondary server waits before asking the primary for changes (REFRESH)
  • 3600 - how long the secondary waits before retrying if that request fails (RETRY)
  • 1209600 - how long the secondary keeps serving the zone without a successful refresh before its copy expires (EXPIRE)
  • 3600 - minimum TTL for this domain (MINIMUM)

What are zone transfer vulnerabilities?

Zone files can contain a lot of information about an organization's servers. Therefore, attackers often try to extract them to gather information about their target. The SOA record above is only a minuscule portion of what can be retrieved.

Even from this record alone, we can gather some information. The first and most obvious item is the email address of the administrator. In many cases the RNAME holds a simpler address such as john@gmail.com, which is represented as john.gmail.com. In the example above it is not obvious whether the address is noc@dns.icann.org or noc.dns@icann.org, but a quick search on the internet settles which of the two it is.

Next, the serial number. If you take a closer look, it looks like a date. You are probably right, since a common convention uses a date-based value. The most common format is “yyyymmddss”, where the last two digits (ss) are a sequence number in case the zone is updated more than once in a day.

Looking at the example above, we can say that the most recent update was on September 11th, 2022. From this we conclude that the domain is probably still active, since that update is not very long before the time this article was written, December 15th, 2022.
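To make the SOA field breakdown and the serial-number reading above concrete, here is an added Python example (not code from the original post) that parses the quoted example.com SOA record, turns RNAME back into a mailbox, decodes a yyyymmddss serial and computes the zone age used in the staleness argument. The input is the article's own record; the RNAME rule (the first unescaped dot stands for '@') is the DNS standard's encoding, which is what removes the ambiguity mentioned above, while the date-based serial is only a convention, so the decoder returns None when a serial does not fit it.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed input: the example.com SOA record quoted in the article,
# in single-line zone-file presentation format.
SOA_LINE = ("example.com.  3600 IN SOA ns.icann.org. noc.dns.icann.org. "
            "2022091169 7200 3600 1209600 3600")

@dataclass
class SOARecord:
    owner: str      # the zone's domain name
    ttl: int
    mname: str      # primary name server
    rname: str      # admin mailbox, encoded as a domain name
    serial: int
    refresh: int    # the four timers, in seconds
    retry: int
    expire: int
    minimum: int

def parse_soa(line: str) -> SOARecord:
    """Split a one-line IN SOA record into its named fields."""
    f = line.split()
    if len(f) != 11 or f[2] != "IN" or f[3] != "SOA":
        raise ValueError("expected: owner ttl IN SOA mname rname + 5 timers")
    return SOARecord(f[0], int(f[1]), f[4], f[5], *map(int, f[6:11]))

def rname_to_email(rname: str) -> str:
    """First unescaped dot in RNAME stands for '@'; local-part dots are '\\.'."""
    name = rname.rstrip(".")
    m = re.search(r"(?<!\\)\.", name)
    if not m:
        raise ValueError("RNAME needs a dot to stand in for '@'")
    return name[:m.start()].replace("\\.", ".") + "@" + name[m.end():]

def decode_date_serial(serial: int):
    """Read a serial in the yyyymmddss convention; None if it does not fit."""
    s = str(serial)
    if len(s) != 10:
        return None
    try:
        return date(int(s[:4]), int(s[4:6]), int(s[6:8])), int(s[8:])
    except ValueError:  # the digits do not form a calendar date
        return None

def zone_age_days(rec: SOARecord, as_of: date):
    """Days from the serial's embedded date to as_of, as a staleness hint."""
    decoded = decode_date_serial(rec.serial)
    return None if decoded is None else (as_of - decoded[0]).days
```

Running `parse_soa(SOA_LINE)` and passing the result to the helpers reproduces the article's reading: mailbox noc@dns.icann.org, last change on 2022-09-11 (sequence 69), 95 days before the article date.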

Conclusion

In conclusion, zone transfer is a process of copying the zone file from the primary DNS server to the secondary DNS server. It is essential for backup and redundancy purposes. Zone transfer can be done using two methods: full zone transfer (AXFR) and incremental zone transfer (IXFR). The zone file contains the SOA record which provides administrative information about the DNS zone. However, zone transfer can also pose some security risks as it can expose sensitive information about the network to potential attackers. Therefore, it is important to configure the DNS server properly and restrict unauthorized access to the zone file.