Introduction:
Zone transfer is the process of copying the contents of the zone file on a primary DNS server to a secondary DNS server. Zone transfers are critical to the proper functioning of DNS: they provide fault tolerance by keeping the zone file on a secondary DNS server synchronized with the zone file on the primary. In general, there are two types of zone transfers: AXFR, in which the entire zone is transferred, and IXFR, in which only incremental changes are transferred.
However, zone transfers also carry risks. If zone transfers are done using plain AXFR, there is no encryption and no authentication, so anyone who can reach the name server can request the whole zone. Malicious hackers may use the information contained in zones to conduct attacks.
Procedure:
You can run the below command to see if zone transfers are enabled/disabled on your name servers:
dig AXFR DOMAIN_NAME @NAME_SERVER
DOMAIN_NAME: must refer to a domain hosted on your server.
NAME_SERVER: must refer to the IP address or the hostname of the DNS server where the zone file for the above domain is hosted.
@: this character is required and should not be removed.
When you run the above command, if you get the entire zone's DNS data in response, then this means that zone transfers are enabled. However, if you get something similar to this (below) in response, that means zone transfers are disabled:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.4 <<>> AXFR DOMAIN_NAME @NAME_SERVER
;; global options: +cmd
; Transfer failed.
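Below is an added example (not part of the original article) that wraps the dig check in a small POSIX shell script: classify_axfr_output decides from dig's output whether a transfer succeeded, was refused or failed outright, and audit_domain repeats the check against every name server published for the domain. The function names and the sample outputs are constructed for this example.

```shell
#!/bin/sh
# Classify captured output of `dig AXFR DOMAIN_NAME @NAME_SERVER`. Prints:
#   enabled  - the server handed over the zone (record lines, starting with the SOA)
#   disabled - the server refused the request and dig printed "; Transfer failed."
#   error    - no usable answer at all (timeout, unreachable server, ...)
classify_axfr_output() {
    out="$1"
    if printf '%s\n' "$out" | grep -q '^; Transfer failed\.'; then
        echo disabled
    elif printf '%s\n' "$out" | grep -Eq '^[^;[:space:]].*[[:space:]]IN[[:space:]]+SOA[[:space:]]'; then
        echo enabled
    else
        echo error
    fi
}

# Live check of one name server (needs network access). Exit status is non-zero
# when the zone could be transferred, so the function can drive an alert from cron.
check_zone_transfer() {   # $1 = domain, $2 = name server IP or hostname
    result=$(classify_axfr_output "$(dig +time=5 +tries=1 AXFR "$1" @"$2" 2>&1)")
    printf '%s via %s: zone transfer %s\n' "$1" "$2" "$result"
    [ "$result" != enabled ]
}

# Checks every name server published in the domain's NS records.
audit_domain() {   # $1 = domain
    rc=0
    for ns in $(dig +short NS "$1"); do
        check_zone_transfer "$1" "$ns" || rc=1
    done
    return $rc
}

# Constructed sample outputs (not captured from a real server) to exercise the classifier.
SAMPLE_DISABLED='; <<>> DiG 9.11.4-P2 <<>> AXFR example.com @ns1.example.com
;; global options: +cmd
; Transfer failed.'
SAMPLE_ENABLED='; <<>> DiG 9.11.4-P2 <<>> AXFR example.com @ns1.example.com
;; global options: +cmd
example.com.      3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 300
example.com.      3600  IN  NS   ns1.example.com.
www.example.com.  3600  IN  A    192.0.2.10
example.com.      3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 300
;; Query time: 3 msec'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'
```

Running `audit_domain example.com` against your own domain performs the live check; the sample variables only feed the classifier offline.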
BIND:
On a BIND server, in order to disable zone transfers you need to add or modify the following configuration value:
allow-transfer
This specifies which hosts are allowed to receive zone transfers from the server. allow-transfer may also be specified in the zone statement, in which case it overrides the allow-transfer statement set in options or view. If not specified, the default is to allow transfers to all hosts.
As this snippet from BIND's documentation suggests, on BIND the default behavior is to allow zone transfers. You can change this behavior and disable zone transfers by adding the following snippet to BIND's configuration file at /etc/named.conf:
options {
allow-transfer { "none"; };
};
Note: If the options { } section already exists in the configuration file, you only need to add the allow-transfer directive to that section.
On a cPanel server, after making the above change you will need to run the following two commands to rebuild BIND's configuration and restart it:
/scripts/buildnsdconf
/scripts/restartsrv_named
Note: On some servers, including AlmaLinux servers, the first script might be missing. In that case, simply run the second script to restart the name server; that also suffices to re-read the configuration file.
You can refer to this link for more information:
BIND's Documentation: 8. Configuration Reference
PowerDNS:
For PowerDNS, the option that needs to be modified is this:
disable-axfr=yes
You need to make sure that this value is added to your configuration file at /etc/pdns/pdns.conf. By default this value is set to "no", which means that zone transfers are allowed by default, as explained by this snippet from PowerDNS's official documentation:
disable-axfr
- Boolean
- Default: no
Do not allow zone transfers.
PowerDNS's Documentation: Authoritative Server Settings
After adding the above value, run the same two commands mentioned earlier to rebuild and restart the name server so that the change takes effect:
/scripts/buildnsdconf
/scripts/restartsrv_named
Other Transfer-related Options:
Completely disabling zone transfers is not always desired or practical, in particular when you have a DNS cluster and want at least the nodes of the cluster to be able to exchange AXFR/IXFR requests among themselves. In such situations you need to keep zone transfers enabled but limit who is able to request them and under what conditions such requests are sent and accepted. These limits are usually based on the IP address of the requester, the presence of certain security keys, qualifying conditions in the request itself, and a number of other factors. The good news is that both BIND and PowerDNS offer a plethora of options to make sure that only a few trusted systems can successfully communicate with your server via AXFR and IXFR. To give you an idea of what kind of options exist, here are a few of PowerDNS's transfer-related options, together with a link to the PowerDNS documentation page where you can find sufficient information about each option and its accepted range of values:
root@server [~]# grep -Ei "(xfr|transfer)" /etc/pdns/pdns.conf | awk '{ print $2 }' | awk -F"=" '{print$1}'
allow-axfr-ips
allow-axfr-ips
allow-notify-from
axfr-fetch-timeout
axfr-fetch-timeout
axfr-lower-serial
axfr-lower-serial
disable-axfr
disable-axfr
disable-axfr-rectify
disable-axfr-rectify
lua-axfr-script
lua-axfr-script
only-notify
outgoing-axfr-expand-alias
outgoing-axfr-expand-alias
retrieval-threads
xfr-max-received-mbytes
xfr-max-received-mbytes