Is there a clear and supported way to block a Zone Transfer out?
A common recon tactic of an attacker of any hat colour is to find the local DNS and zone(s), then attempt to pull it all for a great map of the network.
The current setup is wide open, and a simple dig command gives me the entire zone's details, which can be piped to a text file. Great for documentation; really, really bad for security (might as well give the attacker a whole network map).
Turning down the "Transfers out" setting for a server doesn't work; I can't change it at all, never mind getting it all the way down to 0.
We can specify a single allowed IP, which appears to block transfers, but then what do we pick that is actually secure?
Experiments are running on that front, and I am challenging my pentester friends for ways through my tests. It is easy enough to add a host for some documentation and then take it away again.
Thoughts and comments?
________________________
Andy of KonecnyConsulting.ca in Toronto
Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.
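For comparison, here is the wide-open setting beside the restricted one as it looks in a BIND-style named.conf. This is an added example, not configuration from the post or from whatever DNS product the poster is running; the zone name, the secondary's address (192.0.2.53) and the TSIG key name are assumptions, and the key secret is a placeholder.

```conf
// WEAK: any client can pull the whole zone with AXFR.
// (This is also BIND's historical default when allow-transfer is unset.)
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { any; };
};

// CORRECTED: deny transfers globally, then allow them only to the
// secondary, and only when the request is signed with a shared TSIG key.
// Restricting by key rather than by source IP alone means a spoofed or
// borrowed address is not enough; the requester must also hold the key.
options {
    allow-transfer { none; };   // safe default for every zone on this server
};

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder; generate with tsig-keygen
};

acl "secondaries" { 192.0.2.53; };   // assumed address of the secondary

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { key "xfer-key"; };   // or { none; } if there is no secondary
    also-notify { 192.0.2.53; };
};
```

Once this is in place, an unsigned `dig @your-server example.com AXFR` from any host should return "Transfer failed." rather than the zone contents, which is the check to repeat after each change.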