• jmanjones@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    1 year ago

    When I was talking my cyber security / ethical hacking class, we learned how to do zone transfer. The concept never stuck and I basically “copy” from my friend. So what exactly is a DNS Zone Transfer?

    • grandkaiser@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      Friday I was doing a zone transfer! What are the odds?

      A zone transfer is like moving houses, except for an authoritative zone.

      In DNS, we have what’s called an authoritative zone. That means the device hosting the “resource records” (all the data that DNS passes around) is the “ultimate” answer. I.e, it’s not cached data. It’s not a hosts file. It’s not a recursive answer. It’s the real deal.

      When you want to move the authoritative zone to another server, you do a “zone transfer” that means the new server will copy all the resource records over TCP from current authoritative zone. The reason you may want to do this instead of manually hand-jamming it is that many large organizations have, sometimes, hundreds of resource records (last month I coordinated a zone transfer that was over 1000 records!).

      • jmanjones@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        Why would a hacker want to conduct a zone transfer? In otherwords, what is the utility or usefulness of a zone transfer for a hacker (black or white hat)?

        • grandkaiser@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          1 year ago

          If you initiate a zone transfer, you can now claim to be authoritative for a zone. That means you can be a ‘bad actor’ DNS server that serves fake records. In practice, this means that you can redirect people to an attack site.

          Let’s say you’re Joe the Random Internet User and you want to go to lemmy.world This is what happens in a non-attack (we’re skipping caching & non-authoritative answers for brevity):

          1. You type “lemmy.world” into your browser
          2. Your computer initiates a stub resolution for lemmy.world. (the trailing dot here isn’t a period. It’s the “true” FQDN)
          3. Computer looks at hosts file and doesn’t see anything
          4. DNS packets are sent to your configured DNS server. If you don’t have one configured, DHCP already configured it for you
          5. Your DNS server performs a recursive search for world by asking the root zone where the “world” Name Serer is
          6. root zone resolves world as:

          world. 3600 IN NS v0n0.nic.world.

          world. 3600 IN NS v0n1.nic.world.

          world. 3600 IN NS v0n2.nic.world.

          world. 3600 IN NS v0n3.nic.world.

          world. 3600 IN NS v2n0.nic.world.

          world. 3600 IN NS v2n1.nic.world.

          1. Your DNS server reaches out to one of those Name Server’s (That’s what the NS record is for) and asks it where “lemmy” is
          2. world Name Server responds with:

          lemmy.world. 300 IN A 172.67.218.212

          lemmy.world. 300 IN A 104.21.53.208

          1. Your DNS server contacts your computer and serves it those IP addresses. (A record’s are domain name to IP Address)

          Now lets say there’s a DNS spoof attack:

          1. Before the “world” server can get back to your DNS server, the hackers server interjects with it’s own authoritative claim that lemmy is here:

          lemmy.world. 300 IN A [attack site IP]

          1. Your DNS server contacts your computer and serves it that IP address. Your computer then contacts the attack site and you get a virus.