Securing DNS from a common Recon tactic

Is there a clear and supported way to block a Zone Transfer out?
A common recon tactic of an attacker of any hat colour is to find the local DNS and zone(s), then attempt to pull it all for a great map of the network.

The current setup is wide open, and a simple dig command gives me the entire zone details, which can be piped to a text file.  Great for documentation; really, really bad for security (might as well give the attacker a whole network map).

Turning down the Transfers out for a server doesn't work; I can't even change it at all, so never mind getting it all the way down to 0.
We can specify a single IP for allowed that appears to block, but then what to pick that is actually secure?
Experiments are running on that front, and I'm challenging my pentester friends for ways through my tests.  It is easy enough to add a host for some documentation and then take that away.

Thoughts and comments?

________________________

Andy of KonecnyConsulting.ca in Toronto
Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.


    Hi,

    I did it in the past and I was pushed to add the IP address of the DNS server for zone transfers; without this setting I wasn't able to do zone transfers. Has this one stopped working?

    David


    In my case, we don't need any zone transfers.  So the objective was to block them entirely from being used for breacher/attacker reconnaissance.

    With the default settings, I could so easily do zone transfers as a documentation effort for each zone:
         # dig axfr 10.IN-ADDR.ARPA @{ipDNSserver} >zonetext.bind

    When you are trying to do a zone transfer and there is anything in the 'Zone Out Filter', then what is in there is the only place that can do the zone transfer, and for others you have to add them (and restart the service).

    The thing that appears broken is the ability to adjust how many transfers can be happening at a given time.  It appears to be nailed down to 10 threads; even though it looks like one can put another number in there, it just never saves it.
       Per DNS server, Advanced, transfers-*: I can engage Modify and put numbers in there, but the OK button doesn't do anything.

    ________________________

    Andy of KonecnyConsulting.ca in Toronto
    Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.
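    A quick way to verify the 'Zone Out Filter' from a host that is not on it, as an added example (not code from the thread): the script runs the same dig axfr the reply uses and classifies dig's output as refused or leaked. The server address 192.0.2.53, the example zone and the sample outputs are constructed.

```python
"""Classify 'dig axfr' output to audit zone-transfer exposure.
Added example, not from the original thread; server/zone values are constructed."""
import re
import subprocess
from typing import Dict, List

# One resource record as dig prints it: owner, TTL, class IN, type, rdata.
_RR_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+(SOA|NS|A|AAAA|PTR|CNAME|MX|TXT|SRV)\s+", re.I)

def classify_axfr_output(output: str) -> str:
    """Return 'refused', 'leaked' or 'unknown' for one dig AXFR run.
    dig prints '; Transfer failed.' on REFUSED/NOTAUTH; a successful transfer is
    a run of records opened and closed by the zone's SOA."""
    if "; Transfer failed." in output or "connection refused" in output.lower():
        return "refused"
    records = [ln for ln in output.splitlines() if _RR_LINE.match(ln)]
    soa_count = sum(1 for ln in records if re.search(r"\sIN\s+SOA\s", ln, re.I))
    if soa_count >= 2 and len(records) > 2:
        return "leaked"
    return "unknown"

def count_leaked_records(output: str) -> int:
    """Records exposed by a successful transfer (closing SOA repeat not counted)."""
    if classify_axfr_output(output) != "leaked":
        return 0
    return sum(1 for ln in output.splitlines() if _RR_LINE.match(ln)) - 1

def audit_zones(server: str, zones: List[str]) -> Dict[str, str]:
    """Run 'dig axfr <zone> @<server>' per zone and classify; from a host outside
    the Zone Out Filter every zone should come back 'refused' (needs network)."""
    results: Dict[str, str] = {}
    for zone in zones:
        proc = subprocess.run(["dig", "axfr", zone, f"@{server}"],
                              capture_output=True, text=True, timeout=30)
        results[zone] = classify_axfr_output(proc.stdout + proc.stderr)
    return results

# Constructed sample outputs so the classifier can be exercised offline.
SAMPLE_REFUSED = "; <<>> DiG 9.18.0 <<>> axfr 10.in-addr.arpa @192.0.2.53\n; Transfer failed.\n"
SAMPLE_LEAKED = (
    "10.in-addr.arpa.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 1 3600 900 604800 300\n"
    "10.in-addr.arpa.\t3600\tIN\tNS\tns1.example.com.\n"
    "1.0.0.10.in-addr.arpa.\t3600\tIN\tPTR\tgw.example.com.\n"
    "2.0.0.10.in-addr.arpa.\t3600\tIN\tPTR\tfileserver.example.com.\n"
    "10.in-addr.arpa.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 1 3600 900 604800 300\n"
)

if __name__ == "__main__":
    for name, sample in (("refused", SAMPLE_REFUSED), ("leaked", SAMPLE_LEAKED)):
        print(name, "->", classify_axfr_output(sample), count_leaked_records(sample))
```

    Run audit_zones() once from an allowed host and once from an unallowed one; the difference between the two result dictionaries is exactly the filter doing its job.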