Web Development

Lock IT Down: Block DNS zone transfers to protect your servers

Protect enterprise servers by blocking DNS zone transfers

Security through obscurity.This mantra has been chanted in IT security circles for ages. Basically, it means that one of the first steps in achieving a secure network is to provide as little information as possible to people outside the network. The less information you provide to outsiders, the less they have to work with when attempting to gain unauthorized access to the network. One way to protect this information is by restricting DNS zone transfers.

I'll start with a look at the security implications of DNS zone transfers. Then, I'll show you how to block them on some common platforms and allow them only to the hosts you specify.

Be careful where you tread
In and of themselves, zone transfers are not bad things. In fact, many organizations make use of zone transfers to keep DNS servers up to date. Without the mechanism in place, keeping redundant DNS servers running would be much more difficult. However, hackers can use zone transfers to gain valuable information. How valuable? They can get a list of all your DNS records, which can expose lots of juicy details about your servers.

Windows 2000
Because of Win2K's inherent requirement for DNS services to be loaded to use it as a domain controller, many organizations are using it for all of their DNS needs. For this example, I have set up a Windows 2000 DNS server named lab2k, which is both a domain controller and the DNS server for the lab2kd.com domain.

By default, Windows 2000 DNS zones will happily transfer any zone information they have to any server that asks for it, as shown in Figure A.

Figure A
This zone can be transferred anywhere upon request.


Locking it down
To open the properties for a particular zone, start the DNS administration utility from Start | Programs | Administrative Tools | DNS, and expand the option for your local server as well as the local lookup zones. Right-click on the zone whose zone transfers you want to restrict, choose Properties, and click on the Zone Transfers tab.

Several options are available to secure your zone information (as shown in Figure A). First, you can simply disallow all zone transfers. Although this may work well for an Active Directory integrated domain where the information is stored in the directory and therefore accessible to other domain DNS servers, it won’t work in situations where a zone transfer is the only way to keep those other servers current.

If you need to allow zone transfers, you can limit them to other DNS servers in your domain by selecting Only To Servers Listed On The Name Servers Tab. Finally, for more granular control, you can specify the IP addresses by selecting Only To The Following Servers and then listing the IP addresses of those servers.

Making these changes will prevent unauthorized access to your Windows 2000 zone information and will make it more difficult for potential intruders to gain access to your network.

Windows NT 4
Like Win2K, Windows NT allows unfettered zone transfers by default. To modify this behavior, start the DNS Manager by clicking Start | Programs | Administrative Tools | DNS Manager, and then expand your server. Right-click on the zone you want to administer, choose Properties, and click on the Notify tab.

This tab contains a list of IP addresses that are notified when changes are made to a resource record. To restrict zone transfers to only these secondaries, select Only Allow Access From Secondaries Included On Notify List (Figure B) and then click OK.

Figure B
Restricting a zone transfer to only 192.168.1.204


BIND on Linux/UNIX
BIND, one of the most popular DNS servers on the Internet, can be found as the default DNS server for many Linux and UNIX distributions. As such, it is important to determine how to handle zone transfers on that platform as well.

BIND’sprimary configuration takes places in the /etc/named.conf file for BIND 8 and 9 (/etc/named.boot for BIND 4, which you should consider upgrading if you are still running). This is a text file with a number of directives that control how BIND will respond to various situations. BIND’s default configuration, like Win2K's and WinNT's, allows a zone transfer to take place from anywhere.

To secure your BIND server, you must open the /etc/named.conf (or /etc/named.boot) file in a text editor and find the line marked “allow-transfer { any; };” which indicates that any IP address is allowed to get zone information. In this example, I want to allow zone transfers to take place only between my Red Hat 8 server, my Windows NT server with IP address 192.168.1.4, and another server with IP address 172.16.1.5. Therefore, I will change the allow-transfer line to read like the following:
allow-transfer{192.168.1.4; 172.16.1.5; };

Summary
Securing your DNS information from prying eyes may sound like a trivial task. But protecting this wealth of information from examination by the unscrupulous can help save your systems from targeted attacks. Restricting access to DNS information will help obscure your network to hackers and make it more difficult for the network to be compromised.
0 comments

Editor's Picks