S 4.351 Secure zone transfers
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
A zone transfer synchronises the domain information between a primary DNS server and one or several secondary DNS servers. The primary DNS server reads the domain information from the master files and zone transfers are used to transmit this information to the secondary DNS server/s. Two security aspects should be taken into consideration for a zone transfer:
- It must be ensured that the zone transfer between the primary and the secondary DNS server actually works, and
- No unauthorised zone transfers must be possible.
In order to guarantee the functionality of a zone transfer, the proper functionality should be checked upon completion of all changes to the settings for zone transfers. For example, a zone transfer can be performed for this. Then, the log files are used to check if errors have occurred. If the zone extent is not too large, it is possible to manually compare the domain information administrated by the primary DNS server to the domain information on the secondary DNS server.
In order to prevent unauthorised persons from starting a zone transfer and thereby obtaining domain information of a zone, zone transfers must be configured in such a way that they are only possible between primary and secondary DNS servers. This must be ensured by a restriction to the IP addresses of the DNS servers at least, but the use of transaction signatures (TSIG) is more secure. The restrictions via IP addresses are as follows: On the primary DNS server, the related secondary DNS servers must be configured for every zone. This is done by specifying one or several IP addresses. The primary DNS server responsible for a certain zone must be configured on the secondary DNS server/s.
Securing zone transfers via TSIG offers an increased level of security. When using TSIG, symmetrical keys are defined on the primary DNS server and on the secondary DNS server/s. Once a zone transfer is started, TSIG uses the binary data of the request to generate a hash message authentication code (HMAC) with the help of the symmetrical key and a hash function. The HMAC is attached to the request. The secondary DNS server , which also knows the key, calculates the HMAC independently. If the received and the calculated HMAC match, the zone transfer is performed; otherwise, it will be rejected. This method also provides protection against IP spoofing, unlike IP address-based protection. However, when using TSIG it must be taken into consideration that not every DNS server product provides this functionality and that the implementation of this functionality may deviate from the standard.
Review questions:
- Are DNS zone transfers functional?
- Are DNS zone transfers only allowed between the primary DNS server and the secondary DNS server/s of a zone?