dig AXFR
The dig AXFR command performs a DNS zone transfer with dig, the DNS lookup utility shipped with BIND and found on most Unix-like systems. A zone transfer is the mechanism DNS servers use to replicate a zone: a secondary (slave) server pulls a copy of the zone from the primary (master) over TCP port 53, so that every authoritative server answers from the same data.
What Is AXFR?
AXFR is the DNS query type for a full zone transfer (defined in RFC 1034/1035 and clarified in RFC 5936); the name is usually expanded as "Authoritative Transfer", and its incremental counterpart is IXFR. Where a normal query returns the records for a single name and type, AXFR asks the server for a complete copy of the zone: every record it holds for the domain (SOA, NS, A, AAAA, MX, TXT, and so on).
Purpose of dig AXFR
- Legitimate Use: DNS administrators use AXFR to synchronize DNS data between servers.
- Security Testing: Penetration testers and red teams use it to check whether a name server is misconfigured to answer AXFR from anyone. A server that does hands over every hostname and address in the zone in one query, including internal or forgotten systems.
How to Use dig AXFR
Basic Syntax:
dig AXFR example.com @ns1.example.com
- AXFR: The query type; dig accepts it in upper or lower case.
- example.com: The zone (domain) whose records you want.
- @ns1.example.com: The authoritative name server to query. Transfers must be requested from an authoritative server directly; a recursive resolver will not relay them.
Example Output:
If the server allows the transfer, the output lists every record in the zone. A complete transfer begins and ends with the zone's SOA record; the records in between look like this:
example.com. 3600 IN A 192.0.2.1
www.example.com. 3600 IN A 192.0.2.2
example.com. 3600 IN MX 10 mail.example.com.
...
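The following shell script is an added example, not part of the original post. It shows how to decide from dig's output whether a server actually handed over the zone, and how to turn a successful transfer into the host list an attacker would harvest. The zone name, server names and 192.0.2.0/24 addresses in the sample output are constructed documentation values; the axfr_probe function drives the real dig command against the live name servers and is defined but not run here because it needs network access.

```shell
#!/bin/sh
# Added example (not from the original post). Parses the output of
# `dig AXFR <zone> @<server>` to decide whether the server handed over the
# whole zone, and lists the hostnames/addresses it exposed.
#
# A complete AXFR is bracketed by the zone's SOA record: the server sends the
# SOA first and again last, and dig prints every record it receives, so a
# successful transfer shows the SOA twice. A refused transfer yields no
# records at all, only comment lines (beginning with ';').

# axfr_allowed: read dig AXFR output on stdin; return 0 if a full zone was
# transferred (SOA seen at least twice), 1 otherwise.
axfr_allowed() {
    n=$(grep -v '^;' | awk '$4 == "SOA" { n++ } END { print n + 0 }')
    [ "$n" -ge 2 ]
}

# axfr_hosts: read dig AXFR output on stdin; print "owner address" for every
# A and AAAA record, de-duplicated: the target list an attacker walks away with.
axfr_hosts() {
    grep -v '^;' | awk '$4 == "A" || $4 == "AAAA" { print $1, $5 }' | sort -u
}

# axfr_probe: ask every authoritative server of ZONE for a transfer and report
# which ones allow it. Needs network access, so it is defined but not run here.
axfr_probe() {
    zone=$1
    for ns in $(dig +short NS "$zone"); do
        if dig AXFR "$zone" @"$ns" | axfr_allowed; then
            echo "$ns: zone transfer ALLOWED for $zone"
        else
            echo "$ns: zone transfer refused for $zone"
        fi
    done
}

# Constructed sample outputs (example.com and 192.0.2.0/24 are documentation
# values, not real infrastructure).
SAMPLE_OPEN='; <<>> DiG 9.18.1 <<>> AXFR example.com @ns1.example.com
;; global options: +cmd
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.      3600 IN NS  ns1.example.com.
example.com.      3600 IN MX  10 mail.example.com.
www.example.com.  3600 IN A   192.0.2.2
mail.example.com. 3600 IN A   192.0.2.3
vpn.example.com.  3600 IN A   192.0.2.4
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec'

SAMPLE_REFUSED='; <<>> DiG 9.18.1 <<>> AXFR example.com @ns2.example.com
;; global options: +cmd
; Transfer failed.'

# Stand-alone demo on the constructed samples.
if printf '%s\n' "$SAMPLE_OPEN" | axfr_allowed; then
    echo "ns1.example.com: zone transfer allowed; hosts exposed:"
    printf '%s\n' "$SAMPLE_OPEN" | axfr_hosts
fi
if ! printf '%s\n' "$SAMPLE_REFUSED" | axfr_allowed; then
    echo "ns2.example.com: zone transfer refused"
fi
# Real run against live servers: axfr_probe example.com
```

Counting SOA records is more reliable than looking for dig's failure text, which varies between versions and between a REFUSED response and a connection failure; a zone that arrives without its closing SOA was cut off and should be treated as incomplete. Test every NS record of the zone, not just the first: a primary that is locked down is often paired with a secondary that is not.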
Security Implications
- A name server that answers AXFR for anyone leaks the entire zone in one query: internal hostnames, addresses, naming conventions, and records for systems the owner has forgotten about. That is a ready-made target list for the rest of an engagement.
- Best practice: Restrict AXFR to the addresses of your own secondary servers, and require the request to be authenticated rather than trusting the source IP alone.
How to Prevent Unauthorized AXFR
- Configure the name server to refuse AXFR from anything except your secondaries (in BIND this is the allow-transfer option, which should default to none).
- Use TSIG (Transaction SIGnature, RFC 8945) so that transfers are authenticated with a shared key rather than a spoofable source address.
- Monitor DNS traffic and server logs for AXFR attempts from unexpected sources; zone transfers run over TCP port 53, so they stand out from ordinary UDP query traffic.
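The BIND 9 named.conf fragment below is an added example, not configuration from the original post. It shows the weak setting beside the corrected one: the zone name, addresses (192.0.2.1 is the primary, 192.0.2.53 the secondary), key name and the placeholder secret are all assumptions; generate a real secret with tsig-keygen and install the same key clause on both servers.

```conf
// Weak: any client on the Internet may pull the whole zone.
zone "example.com" {
    type primary;                      // "master" on BIND versions before 9.16
    file "/etc/bind/db.example.com";
    allow-transfer { any; };
};

// Corrected, on the primary: refuse transfers by default, allow only
// requests signed with the secondary's TSIG key.
options {
    allow-transfer { none; };
};

key "xfer-ns2" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_TSIG_KEYGEN_OUTPUT";   // placeholder, not a real key
};

zone "example.com" {
    type primary;
    file "/etc/bind/db.example.com";
    allow-transfer { key xfer-ns2; };
    also-notify { 192.0.2.53; };
};

// On the secondary (192.0.2.53): same key, sign every request to the primary.
key "xfer-ns2" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_TSIG_KEYGEN_OUTPUT";
};

server 192.0.2.1 {
    keys { xfer-ns2; };
};

zone "example.com" {
    type secondary;                    // "slave" on BIND versions before 9.16
    primaries { 192.0.2.1; };          // "masters" on older versions
    file "/var/cache/bind/db.example.com";
};
```

After reloading, an unsigned dig AXFR example.com @192.0.2.1 should fail, while the same request signed with the key (dig -y hmac-sha256:xfer-ns2:SECRET AXFR example.com @192.0.2.1) should succeed; run both checks so you confirm the lockdown did not also break replication to your own secondary.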
Tools That Support AXFR
- dig (most common): dig AXFR example.com @ns1.example.com
- host: host -l example.com ns1.example.com requests a transfer from the named server.
- nslookup (less flexible): the interactive ls -d example.com command performs a transfer, but only in the Windows version; Unix nslookup no longer supports it.
- Security tools such as dnsenum, Recon-ng, and Nmap (the dns-zone-transfer NSE script) also test for open zone transfers as part of DNS enumeration.