CompileNix's Blog - DNS server's zone transfer settings


Take care of your DNS server's zone transfer settings: if anyone is allowed to trigger an AXFR (Asynchronous Full Transfer Zone), attackers can use it to pull the whole zone and learn about all subdomains, aliases, MX hosts etc. compilenix.org was affected too, until now :(

You can test whether your domain's name servers are configured correctly:

DOMAIN="YOURDOMAIN.TLD"
# list the authoritative name servers, strip the trailing dot, then try a full zone transfer from each one
dig NS "$DOMAIN" +short | sed -e 's/\.$//' | while read -r nameserver; do
    echo "Testing $DOMAIN @ $nameserver"
    dig AXFR "$DOMAIN" "@$nameserver"
done

The output should look something like this, with the transfer refused by every name server:

Testing compilenix.org @ ns1.compilenix.org

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> AXFR compilenix.org @ns1.compilenix.org
;; global options: +cmd
; Transfer failed.
Testing compilenix.org @ ns2.compilenix.org

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> AXFR compilenix.org @ns2.compilenix.org
;; global options: +cmd
; Transfer failed.
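The same check as a small Python script that runs the dig commands from above and classifies each name server's answer as refused or open. This is an added example, not part of the original post; it assumes dig is on the PATH, and the two sample outputs (REFUSED_OUTPUT, OPEN_OUTPUT) are constructed for it.

```python
import re
import subprocess
import sys

# Constructed sample outputs. The first mirrors the "Transfer failed." result shown
# above; the second is what an open zone looks like: records between two SOA lines.
REFUSED_OUTPUT = """\
; <<>> DiG 9.8.4 <<>> AXFR example.org @ns1.example.org
;; global options: +cmd
; Transfer failed.
"""

OPEN_OUTPUT = """\
; <<>> DiG 9.8.4 <<>> AXFR example.org @ns1.example.org
;; global options: +cmd
example.org.\t3600\tIN\tSOA\tns1.example.org. hostmaster.example.org. 1 7200 3600 1209600 3600
example.org.\t3600\tIN\tNS\tns1.example.org.
www.example.org.\t3600\tIN\tA\t192.0.2.10
example.org.\t3600\tIN\tSOA\tns1.example.org. hostmaster.example.org. 1 7200 3600 1209600 3600
"""


def classify_axfr(output):
    """Return ("open", n) with the number of records the server handed out,
    ("refused", 0) when it rejected the transfer, or ("error", n) otherwise
    (timeout, truncated transfer). dig prefixes every non-record line with ';',
    and a complete AXFR is framed by the zone's SOA record at start and end."""
    records = [line for line in output.splitlines() if line and not line.startswith(";")]
    soa_count = sum(1 for r in records if re.search(r"\sIN\s+SOA\s", r))
    if soa_count >= 2:
        return ("open", len(records))
    if "Transfer failed." in output:
        return ("refused", 0)
    return ("error", len(records))


def check_domain(domain):
    """Look up the NS records and attempt an AXFR against each server (needs dig)."""
    ns_out = subprocess.run(["dig", "NS", domain, "+short"],
                            capture_output=True, text=True, check=True).stdout
    results = {}
    for nameserver in ns_out.split():
        nameserver = nameserver.rstrip(".")
        xfr = subprocess.run(["dig", "AXFR", domain, "@" + nameserver],
                             capture_output=True, text=True).stdout
        results[nameserver] = classify_axfr(xfr)
    return results


if __name__ == "__main__":
    for ns, (state, count) in check_domain(sys.argv[1]).items():
        print(f"{ns}: {state} ({count} records)")
```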

Find here, more details of the feature you will: RFC 5936

With you, may the force be.