A zone transfer is a particular kind of DNS query that requests all the current details of a particular zone or (usually) Internet domain.

The most common use is when a secondary DNS needs to update its information on the domain it is "secondarying". This may happen for various reasons, the most common of which is when the information has changed on the primary DNS (the nameserver which holds the definitive information on the domain.)

Suppose a new address for a webserver needs to be added to a domain. The admin changes the zonefile defining the domain, adding the address record for the new webserver, increments the serial number in the SOA record, and tells the primary to reload the domain. Then the DNS software (usually BIND) will notice that the serial number has got bigger, and will send a notify request to all the other nameservers that appear in the NS records for the domain (these are the "secondaries".)

Something like the following (on BIND, anyway) will appear in the logs:

Sent NOTIFY for "mydomain.org IN SOA 2002031003" (mydomain.org); 1 NS, 1 A

indicating that mydomain.org now has serial number 2002031003 in its SOA record ("Source Of Authority").

The secondary DNS thus notified will (hopefully!) acknowledge the request, then compare the new serial number with its own version. If (and only if) the new serial number is greater than its own, the secondary will then make a zone transfer request, and the primary will "dump" all the information in the zonefile back to it. With BIND, something like

Received NOTIFY answer (AA) from 10.1.1.2 for "mydomain.org IN SOA"
approved AXFR from [10.1.1.2].4072 for "mydomain.org"
zone transfer (AXFR) of "mydomain.org" (IN) to [10.1.1.2].4072

will appear in the logs on the primary, indicating the new zone information has been transferred correctly. ("AXFR" stands for "approved transfer"; the "(IN)" just means this is an Internet domain.)

In contrast to the usual DNS custom, zone transfers often take place over a TCP connection rather than over UDP.

The primary nameserver may control which IP addresses are authorised to make zone transfers - advisable, because if you don't do this, you are allowing any host on the net to get every last bit of information about your domain! (Security through obscurity is no substitute for real security, but why make things easier than they could be? Such information is valuable to anyone "hacking" or just more-than-casually investigating your domain.)

Control (in BIND) is achieved through the allow-transfer directive in the named.conf file (the master configuration file for the entire nameserver). For example, you might have the following in named.conf:

      zone "mydomain.org" IN {
              type master;
              file "mydomain.org.hosts";
              allow-transfer { 192.168.1.1; 10.1.1.2; };
              notify yes;
      };

This ensures that only IP addresses 192.168.1.1 and 10.1.1.2 are allowed to make a zone transfer request. Any other IP address doing so will get an unspecified error.
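As an added illustration (not part of this writeup), a small Python script that cross-checks the allow-transfer list from the named.conf stanza above against "approved AXFR" log lines in the format quoted earlier, flagging any transfer the on-disk configuration does not account for (a zone with no allow-transfer directive yields an empty allow-list, so every transfer of it is flagged). The 10.1.1.9 log entries are constructed for the example; only 10.1.1.2 appears on the page.

```python
import re

# Constructed sample: the allow-transfer stanza from the named.conf above.
NAMED_CONF = '''
zone "mydomain.org" IN {
        type master;
        file "mydomain.org.hosts";
        allow-transfer { 192.168.1.1; 10.1.1.2; };
        notify yes;
};
'''

# Constructed sample log lines in the same format as those quoted above;
# the 10.1.1.9 entries are hypothetical, added to show a mismatch.
LOG_LINES = [
    'Received NOTIFY answer (AA) from 10.1.1.2 for "mydomain.org IN SOA"',
    'approved AXFR from [10.1.1.2].4072 for "mydomain.org"',
    'zone transfer (AXFR) of "mydomain.org" (IN) to [10.1.1.2].4072',
    'approved AXFR from [10.1.1.9].5123 for "mydomain.org"',
    'zone transfer (AXFR) of "mydomain.org" (IN) to [10.1.1.9].5123',
]

ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', re.S)
ALLOW_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')
AXFR_RE = re.compile(r'approved AXFR from \[([\d.]+)\]\.\d+ for "([^"]+)"')


def parse_allow_transfer(conf):
    """Map each zone name to the set of IPs in its allow-transfer directive."""
    allowed = {}
    for zone, body in ZONE_RE.findall(conf):
        m = ALLOW_RE.search(body)
        ips = {ip.strip() for ip in m.group(1).split(';') if ip.strip()} if m else set()
        allowed[zone] = ips
    return allowed


def find_unexpected_axfr(log_lines, allowed):
    """Return (ip, zone) pairs for approved AXFRs not covered by the allow-list."""
    hits = []
    for line in log_lines:
        m = AXFR_RE.search(line)
        if not m:
            continue  # NOTIFY and "zone transfer ... to" lines carry no new information
        ip, zone = m.groups()
        if ip not in allowed.get(zone, set()):
            hits.append((ip, zone))
    return hits


if __name__ == "__main__":
    print(find_unexpected_axfr(LOG_LINES, parse_allow_transfer(NAMED_CONF)))
```

A hit means either the running configuration differs from the file (the zone was never reloaded) or the zone has no allow-transfer directive at all; both are worth investigating.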

If this control is not in place, you can freely make a zone transfer request, and snarf all the info on the domain. One way of doing this is by using the (now sadly deprecated, but still much loved) utility nslookup as follows:

      # nslookup                  (we issue the nslookup command)
      Default server: localhost   (you are running your own DNS, right?)
      Address: 0.0.0.0

      >
      >server victimdns.mydomain.org  (we say which dns we want to query)
      Default server: victimdns.mydomain.org
      Address: 10.1.1.1

      >
      >ls mydomain.org             (now we request the zone transfer)
      $ORIGIN mydomain.org.
      victimdns           1H IN A 10.1.1.1
      victim2ndry         1H IN A 10.1.1.2
      www                 1H IN A 10.1.1.3
      mail                1H IN A 10.1.1.4
      secret-1            1H IN A 10.1.1.253
      secret-2            1H IN A 10.1.1.252
      secret-web-alias    1H IN A 10.1.1.3
      [...] (and so on..)

In fact, this doesn't list out all the records in the zonefile, just the A records (address records), but it does work by doing a zone transfer, and will cause entries indicating this to appear in the logs on victimdns.mydomain.org. If you really must have all the information on mydomain.org, one way of doing it is to set up a DNS on your own machine and configure it as a secondary for that domain, giving it the IP of the primary. It will then go and fetch the full details for your perusal, which will appear (in BIND) as a specially formatted zonefile in the appropriate directory.
