DNS (Domain Name System) is a service that translates domain names into IP addresses. People remember domain names easily, but computers work with IP addresses, which is why DNS is needed. For example, without this service you would have to type '185.60.216.35' in your browser instead of www.facebook.com to reach Facebook. The IP-to-domain mappings are kept on DNS servers. You can query those mappings on securityforeveryone.com.
There are two types of IP addresses: IPv4 and IPv6. IPv4 addresses look like these:
8.8.8.8
127.0.0.1
255.255.255.255
IPv6 addresses look like these (all three are the same address written in different notations):
::ffff:808:808
0:0:0:0:0:ffff:0808:0808
0000:0000:0000:0000:0000:ffff:0808:0808
Zone transfer is a mechanism for sharing zone data between DNS servers. It uses a query type called AXFR. With AXFR, the zone file of a domain on one DNS server, containing all of that domain's DNS records, is copied to another server.
Anyone can send an AXFR query to your DNS server, not just your own secondary servers. If the server is not configured correctly, it answers the query with every record in the zone (A, NS, MX, CNAME, TXT and so on). With an open zone transfer, an attacker learns all of the DNS information for your domain, including every subdomain, in a single request.
To test DNS zone transfer online, use our tool: enter your domain in the form at the top of the page, that's all. If you want to test it yourself, keep reading.
If you are using Linux or OS X, open a terminal and type dig -t axfr yourdomain.com. If your DNS server allows zone transfers to anyone, the output will look like this:
dig -t axfr securityforeveryone.com

;; global options: +cmd
securityforeveryone.com.        86400   IN   SOA     ns1.securityforeveryone.com. info.securityforeveryone.com. 2020040313
securityforeveryone.com.        86400   IN   A       1.1.1.1
securityforeveryone.com.        86400   IN   NS      ns1.securityforeveryone.com.
test.securityforeveryone.com.   86400   IN   A       1.1.1.1
sub.securityforeveryone.com.    86400   IN   A       8.8.8.8
devel.securityforeveryone.com.  86400   IN   A       8.8.8.8
other.securityforeveryone.com.  86400   IN   A       8.8.8.8
mail.securityforeveryone.com.   86400   IN   A       8.8.8.8
mail2.securityforeveryone.com.  86400   IN   A       8.8.8.8
www.securityforeveryone.com.    86400   IN   CNAME   securityforeveryone.com.
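When you run this check against your own name servers regularly, it helps to turn the dig output into a yes/no result and a list of the host names that would be exposed. The following Python script is an added example, not part of the original page or of the securityforeveryone.com tool: it parses text in the format dig prints for an AXFR query, reports whether the transfer succeeded (a completed transfer always includes the zone's SOA record, while a refused one prints no records and usually a "; Transfer failed." comment), and lists the disclosed names. The two sample outputs are constructed, one from the record set shown above and one for a correctly restricted server; in practice you would pipe the output of dig -t axfr yourdomain.com @ns1.yourdomain.com into it.

```python
"""Parse `dig -t axfr` output and report whether the zone was disclosed.

Added example (not part of the original page). Feed it the text printed by
`dig -t axfr yourdomain.com @<your name server>` for each of your name servers.
"""
from collections import namedtuple

Record = namedtuple("Record", "name ttl rclass rtype rdata")

# Constructed sample: a server that allows AXFR to anyone (records from the page).
OPEN_ZONE = """\
;; global options: +cmd
securityforeveryone.com.\t86400\tIN\tSOA\tns1.securityforeveryone.com. info.securityforeveryone.com. 2020040313
securityforeveryone.com.\t86400\tIN\tA\t1.1.1.1
securityforeveryone.com.\t86400\tIN\tNS\tns1.securityforeveryone.com.
test.securityforeveryone.com.\t86400\tIN\tA\t1.1.1.1
sub.securityforeveryone.com.\t86400\tIN\tA\t8.8.8.8
devel.securityforeveryone.com.\t86400\tIN\tA\t8.8.8.8
other.securityforeveryone.com.\t86400\tIN\tA\t8.8.8.8
mail.securityforeveryone.com.\t86400\tIN\tA\t8.8.8.8
mail2.securityforeveryone.com.\t86400\tIN\tA\t8.8.8.8
www.securityforeveryone.com.\t86400\tIN\tCNAME\tsecurityforeveryone.com.
"""

# Constructed sample: a correctly restricted server refuses the transfer.
REFUSED_ZONE = """\
;; global options: +cmd
; Transfer failed.
"""


def parse_axfr(text):
    """Return the resource records in dig's AXFR output as Record tuples.

    Lines starting with ';' are dig's own comments (options banner, query
    statistics, 'Transfer failed.') and carry no zone data.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        # owner, TTL, class, type, rdata (rdata may itself contain spaces)
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN" or not parts[1].isdigit():
            continue
        records.append(Record(parts[0], int(parts[1]), parts[2], parts[3], parts[4]))
    return records


def zone_transfer_allowed(text):
    """A completed AXFR always carries the zone's SOA; a refusal yields no records."""
    return any(r.rtype == "SOA" for r in parse_axfr(text))


def disclosed_hosts(text):
    """Unique owner names revealed by the transfer, i.e. the subdomain list an outsider would obtain."""
    return sorted({r.name.rstrip(".") for r in parse_axfr(text)})


def report(text):
    """Summary suitable for a monitoring check: open or not, and how much was exposed."""
    records = parse_axfr(text)
    return {
        "zone_transfer_allowed": zone_transfer_allowed(text),
        "record_count": len(records),
        "hosts": disclosed_hosts(text),
    }


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else OPEN_ZONE
    result = report(text)
    status = "OPEN - restrict allow-transfer" if result["zone_transfer_allowed"] else "restricted"
    print(f"zone transfer: {status}, {result['record_count']} records")
    for host in result["hosts"]:
        print("  ", host)
```

Run it as `dig -t axfr yourdomain.com @ns1.yourdomain.com | python3 axfr_check.py` for each name server listed in your NS records; an open transfer on any single server is enough to expose the whole zone, so every authoritative server has to be checked, not only the primary.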
Unless you are the system administrator of the DNS server, you cannot do anything about the zone transfer yourself. To fix the issue, only trusted IP addresses (your own secondary name servers) must be allowed to request a zone transfer. There are several ways to do this. If you are using BIND, which is one of the most widely used DNS servers in the world, first define an ACL:
acl trusted-servers {
    1.1.1.1;   // name server you know
    2.2.2.2;   // another name server
};
Then add this line to the zone definition (or to the options block to apply it to every zone):
allow-transfer { trusted-servers; };
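A server with many zones is easy to misconfigure: one zone gets the ACL, another is forgotten, a third still says allow-transfer { any; }. The script below is an added example, not part of the original page or of BIND, that audits a named.conf text for exactly this. It strips comments, finds the options block and every zone block, works out the effective allow-transfer setting of each zone (its own, or the one inherited from options) and flags zones whose transfers are not restricted to an explicit list. The sample configuration is constructed for the example and reuses the ACL shown above; the zone names example.test and legacy.test and the file paths are placeholders.

```python
"""Audit a BIND named.conf for zones whose allow-transfer is missing or open.

Added example (not part of the original page or of BIND). Pass the contents of
your named.conf (and any included files, concatenated) to audit_named_conf().
"""
import re

# Constructed sample configuration: one zone fixed as the page describes,
# one explicitly open, one with no allow-transfer at all.
SAMPLE_CONF = """
acl trusted-servers {
    1.1.1.1;   // name server you know
    2.2.2.2;   // another name server
};

options {
    directory "/var/cache/bind";   # placeholder path
};

zone "securityforeveryone.com" {
    type master;
    file "/etc/bind/db.securityforeveryone.com";   /* placeholder path */
    allow-transfer { trusted-servers; };
};

zone "example.test" IN {
    type master;
    file "/etc/bind/db.example.test";
    allow-transfer { any; };
};

zone "legacy.test" {
    type master;
    file "/etc/bind/db.legacy.test";
};
"""


def strip_comments(text):
    """Remove //, # and /* */ comments so braces inside them cannot confuse the parser."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(//|#)[^\n]*", "", text)


def find_blocks(text, keyword):
    """Map block name -> body for `keyword "name" [IN] { ... }` blocks, honouring nested braces.

    For a block without a quoted name (e.g. `options { ... }`) the key is the keyword.
    """
    blocks = {}
    header = re.compile(r'\b%s\b\s*(?:"([^"]+)")?\s*(?:IN\s+)?\{' % re.escape(keyword))
    for match in header.finditer(text):
        depth, pos = 1, match.end()
        while pos < len(text) and depth:
            if text[pos] == "{":
                depth += 1
            elif text[pos] == "}":
                depth -= 1
            pos += 1
        blocks[match.group(1) or keyword] = text[match.end():pos - 1]
    return blocks


def allow_transfer_of(body):
    """Return the allow-transfer address list of a block, or None if it sets none."""
    match = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    if match is None:
        return None
    return [item.strip() for item in match.group(1).split(";") if item.strip()]


def effective_allow_transfer(conf_text):
    """Per zone: its own allow-transfer list, else the one from options, else None."""
    text = strip_comments(conf_text)
    default = allow_transfer_of(find_blocks(text, "options").get("options", ""))
    zones = find_blocks(text, "zone")
    return {name: (allow_transfer_of(body) if allow_transfer_of(body) is not None else default)
            for name, body in zones.items()}


def audit_named_conf(conf_text):
    """Zones whose transfers are not limited to an explicit ACL or address list."""
    findings = {}
    for zone, acl in effective_allow_transfer(conf_text).items():
        if acl is None:
            findings[zone] = "no allow-transfer set: add allow-transfer { trusted-servers; }"
        elif "any" in acl:
            findings[zone] = "allow-transfer { any; }: zone transfer open to everyone"
    return findings


if __name__ == "__main__":
    for zone, reason in audit_named_conf(SAMPLE_CONF).items():
        print(f"{zone}: {reason}")
```

A zone that sets allow-transfer { trusted-servers; } itself is never reported, and putting the same line in the options block covers every zone that has no setting of its own, which is the simplest way to avoid the forgotten-zone case.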