DNS zone transfer - Internet Security Systems

advICE : Intrusions : 2000401
Summary

Scan. Somebody is downloading the DNS configuration tables from your server.

Details

Most DNS queries ask a server to resolve a single domain name into an IP address. DNS servers support other request types as well. One of them, the "zone transfer", lets a client download the entire table of names and IP addresses for a zone.

Some network management products do this legitimately, but when seen from the Internet it usually indicates the reconnaissance stage of a hacker attack. By downloading this table, the hacker effectively maps out your network. The IP addresses indicate which hosts are likely to be active, while the human-readable names often reveal the location of important servers as well as user names.

False Positives

If the intruder is a host known to you, then this could be part of a normal network maintenance routine.

Also, some customers run DNS lookup programs such as 'nslookup' or 'dig' on their own machines. This triggers an alert in the product that identifies your own system as the attacker.
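The detection described in the Summary and Details sections above, and the known-host exception from the False Positives section, can be reproduced in a few lines. The following is an added example and not code from the original page or from the advICE product: it parses the question section of DNS query packets in wire format, flags requests whose QTYPE is AXFR (252) or IXFR (251), and suppresses the alert when the source address is in a list of known transfer peers. The sample packets, the peer list and all IP addresses are constructed for the example.

```python
import struct
from ipaddress import ip_address, ip_network

# QTYPE values from the DNS wire format; 252 and 251 are the zone transfer types.
AXFR, IXFR = 252, 251
QTYPE_NAMES = {1: "A", 2: "NS", 15: "MX", 28: "AAAA", IXFR: "IXFR", AXFR: "AXFR"}


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal one-question DNS query (used here only to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_question(packet: bytes):
    """Return (qname, qtype) of the first question, or None if the packet is malformed."""
    if len(packet) < 12:
        return None
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer is not valid in a plain question name
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        return None
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels) + ".", qtype


def classify(src_ip: str, packet: bytes, allowed_transfer_peers):
    """Return an alert string for a zone transfer request from an unknown host, else None."""
    question = parse_question(packet)
    if question is None:
        return None
    qname, qtype = question
    if qtype not in (AXFR, IXFR):
        return None
    # Known secondaries (the False Positives case) are allowed to pull the zone.
    if any(ip_address(src_ip) in net for net in allowed_transfer_peers):
        return None
    return f"{QTYPE_NAMES[qtype]} request for {qname} from {src_ip}"


def scan_events(events, allowed_transfer_peers):
    """Run classify() over (src_ip, packet) pairs and collect the alerts."""
    alerts = []
    for src_ip, packet in events:
        alert = classify(src_ip, packet, allowed_transfer_peers)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: one normal lookup, one transfer from the known secondary,
# one transfer from an unknown Internet host (hypothetical addresses).
KNOWN_SECONDARIES = [ip_network("192.0.2.2/32")]
SAMPLE_EVENTS = [
    ("198.51.100.7", build_query("www.example.com", 1)),
    ("192.0.2.2", build_query("example.com", AXFR)),
    ("198.51.100.7", build_query("example.com", AXFR)),
]

if __name__ == "__main__":
    for line in scan_events(SAMPLE_EVENTS, KNOWN_SECONDARIES):
        print("ALERT:", line)
```

Only the third sample event produces an alert; the ordinary A lookup and the transfer from the listed secondary are ignored. Real zone transfers run over TCP, so a sensor that only inspects UDP port 53 will miss them.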

Defense

Zone transfers can be disabled in many DNS servers (in BIND, use the allow-transfer option in named.conf). Another defense is to make sure that no useful information is available via the transfer.
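As an added illustration of the allow-transfer option mentioned above (this fragment is constructed for the example and is not from the original page or from the BIND documentation), here is an unrestricted zone definition beside a restricted one. The zone name, file name and addresses are placeholders; in a real named.conf only one definition of the zone would appear.

```conf
// Unrestricted: any client on the Internet may pull the whole zone.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { any; };
};

// Restricted: deny transfers globally, then allow only the named secondary
// (192.0.2.2 is a placeholder address). Other clients receive REFUSED.
options {
    allow-transfer { none; };
};

acl "secondaries" { 192.0.2.2; };

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { "secondaries"; };
};
```

Denying transfers in the options block and re-enabling them per zone means a zone added later without its own allow-transfer statement is closed by default rather than open.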

More information

DNS: How to configure and harden your DNS server to defend against hackers. In particular, you should consider a "split-DNS" strategy, separating internal DNS servers from external ones. More about the DNS service.
advICE: Reconnaissance: More info about hacker scans against the system.

Parametric information

port: The source port of the DNS request.

 
Version appeared:  
