Preventing DNS Zone Transfers using ACLs in named.conf
DNS servers can be attacked using various techniques, including:
- DNS spoofing
- Cache poisoning
- Registration hijacking
One of the simplest defences is to strictly limit zone transfers between nameservers by defining an ACL. Many system administrators allow BIND to transfer zones in bulk to hosts outside their network or organisation, which hands an attacker a complete listing of the zone. This is an attack vector. You can prevent it with ACLs:
Define an ACL in the /etc/named.conf file. In the following example, the IPs 192.168.3.15 and 212.34.18.156 are allowed to transfer your zones.
# vi named.conf
Sample entry for the darenmatthews.com zone on ns1 (the zone name must be a quoted string):
acl trusted-servers {
    192.168.3.15;   // ns2
    212.34.18.156;  // ns3
};
zone "darenmatthews.com" {
    type master;
    file "zones/darenmatthews.com";
    allow-transfer { trusted-servers; };  // only hosts in the ACL may request AXFR
};
Note that you must do this for each zone's configuration block, i.e. put the line allow-transfer { trusted-servers; }; in every zone block; a zone block without it is not protected.
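Because a single forgotten zone block undoes the protection, here is an added check (not part of the original article) that audits a named.conf for zones without a restrictive allow-transfer. It also honours a global allow-transfer in the options block, which BIND applies to zones that set none of their own; the sample configuration is constructed here and the zone names beyond darenmatthews.com are placeholders.

```python
import re

# Constructed named.conf excerpt mirroring the article's layout (not the author's real file).
SAMPLE_CONF = """
acl trusted-servers { 192.168.3.15; /* ns2 */ 212.34.18.156; /* ns3 */ };
options { directory "/var/named"; };
zone "darenmatthews.com" {
    type master; file "zones/darenmatthews.com";
    allow-transfer { trusted-servers; };
};
zone "example.net" { type master; file "zones/example.net"; };  // no ACL at all
zone "example.org" { type master; allow-transfer { any; }; };   // explicitly open
"""

def strip_comments(text):
    """Drop /* */, // and # comments so a commented-out ACL is not counted as policy."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def find_blocks(text, keyword):
    """Return (name, body) for each `keyword ["name"] { ... }` block, brace-matched."""
    blocks = []
    for m in re.finditer(r'\b%s\b(?:\s+"([^"]+)")?[^{;]*\{' % keyword, text):
        depth, i = 1, m.end()
        while i < len(text) and depth:          # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        blocks.append((m.group(1), text[m.end():i - 1]))
    return blocks

def transfer_acl(body):
    """Return the allow-transfer address list, or None if the statement is absent."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    return None if m is None else [t.strip() for t in m.group(1).split(";") if t.strip()]

def audit(conf):
    """Map zone -> 'ok' (restricted), 'open' (any) or 'missing' (no ACL in the zone
    or in options; BIND has historically treated that as allow-transfer { any; })."""
    text = strip_comments(conf)
    opts = find_blocks(text, "options")
    global_acl = transfer_acl(opts[0][1]) if opts else None
    report = {}
    for name, body in find_blocks(text, "zone"):
        acl = transfer_acl(body)
        if acl is None:                         # zone inherits the global setting, if any
            acl = global_acl
        report[name] = "missing" if acl is None else ("open" if "any" in acl else "ok")
    return report

if __name__ == "__main__":
    for zone, status in audit(SAMPLE_CONF).items():
        print("%-20s %s" % (zone, status))
```

Run it against your real file with audit(open("/etc/named.conf").read()) and fix every zone reported as "missing" or "open".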
Restart named:
# /etc/init.d/named restart
Testing:
Use any Linux DNS tool such as nslookup, host or dig. The following example uses the host command to request a zone transfer (the query type is given with -t; -T would only force TCP):
$ host -t axfr darenmatthews.com
Response from a server that refuses the transfer:
;; Connection to 74.10.15.34#53(74.10.15.34) for axfr failed: connection refused.