Restricting zone transfers with IP addresses in BIND DNS Server

DNS server can be attacked using various techniques such as

ADVERTISEMENTS

[a] DNS spoofing

[b] Cache poisoning

[c] Registration hijacking

One of the simplest ways to defend is limit zone transfers between nameservers by defining ACL. I see many admin allows BIND to transfer zones in bulk outside their network or organization. There is no need to do this. Remember you don’t have to make an attacker’s life easier.

How to restrict zone trasfer with IP address?

You need to define ACL in /etc/named.conf file. Let us say IP 192.168.191.10 and 25.111.24.6 are allowed to transfer your zones.
# vi named.conf
Here is sample entery for domain nixcraft.com (ns1 configuration):

acl trusted-servers  {
        192.168.191.10;  //ns2
        25.111.24.6;   //ns3
};
zone nixcraft.com  {
        type master;
        file "zones/nixcraft.com";
        allow-transfer { trusted-servers; };
};

Next add zone nixcraft.com. Please note that you must use set of hosts later in each zone’s configuration block i.e. put line allow-transfer { trusted-servers; }; for each zone / domain name. Restart named:
# /etc/init.d/named restart

How do I test zone transfers restrictions are working or not?

Use any UNIX dns tool command such as nslookup, host or dig. For example, following example uses host command to request zone transfer:
$ host -T axfr nixcraft.com
Output:

;; Connection to 74.86.49.133#53(74.86.49.133) for axfr failed: connection refused.

Transaction signatures (TSIG)

Another recommend option is to use transaction signatures (TSIG) to authorize zone transfers. This makes more difficult to spoof IP addresses.

🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source & DevOps topics via:
CategoryList of Unix and Linux commands
File Managementcat
FirewallCentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNCentOS 8 Debian 10 Firewall Ubuntu 20.04

ADVERTISEMENTS
4 comments… add one
  • Ulrich Wisser Oct 16, 2007 @ 11:36

    Hi,

    why would you like to restrict your zone transfer? You will allow any resolver to ask for the same data, but you won’t allow a transfer? I suggest you put only public data in your zone file and don’t care about the zone transfer. If you have to have private data in a zone file, set up an internal DNS master (or use split DNS) with a private zone file and restrict access for resolvers and zone transfer.

    Ulrich

  • 🐧 nixCraft Oct 16, 2007 @ 12:36

    Yes this information is publicly available through BIND server, there is no reason to make an attacker’s life easier. There is no legitimate reason for anyone outside your organization to transfer your zones in bulk.

  • äijö Dec 28, 2008 @ 18:26

    Ulrich: are you able to recognize authorative and resolve DNS server? You cannot run both on this same IP address, so if you need authorative server for your domains, you should restrict zone transfers only to slaves. If it’s necessary to having resolver in local network, run it on local address.

  • angelblade Oct 29, 2015 @ 20:19

    Can a zone be configured without a file? Because on my zone, i dont have control over the domain.

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.