If someone tries to do a DNS zone transfer, would it trigger an IDS (if one is installed)?
Depends on if you configured your IDS to look for it or not. All signature based IDS systems run policies that are essentially lists of enabled/disabled signatures, so if you are looking for it, the answer would be maybe :) There could be other things like packet fragmentation, load on the IDS, the speed of the connection, etc that can all have an effect on whether or not an IDS detects the traffic.
Snort has an active sig to detect zone transfers out of the box.
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:6;)
I thought the Snort filter for zone transfers picked up any connection to TCP port 53, even a query for an MX record?
Am I wrong?
If I'm not mistaken, the request for a zone transfer is made over udp port 53, the actual data transfer is tcp port 53.
In the sig I posted above, notice it says "alert udp". Since the request has to come before the actual transfer (that is, if an actual transfer occurs), the sig author most likely was trying to trap requests only.
DNS, as far as I know, will only go over TCP for two reasons:
1) Zone Transfer
2) A large DNS response that will not fit into one 65K UDP packet
This signature is looking at UDP but is looking for content 00 00 FC, 14 bytes into the packet, which if I had to make a wild guess without looking, would be what a zone transfer request would look like initially if requested over UDP.
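To make concrete what the posted rule's content/offset check actually keys on, here is an added Python example (not from this thread or from Snort itself): it builds constructed AXFR and MX queries for the hypothetical name example.com, applies the same "00 00 FC at or after payload offset 14" test the rule uses, and also parses the question section so the QTYPE can be read directly instead of pattern-matched.

```python
import struct

# QTYPE values from the DNS specification
QTYPE_AXFR = 252  # 0x00FC: zone transfer request, what the rule's "|00 00 FC|" is
QTYPE_MX = 15     # 0x000F: a mail exchanger lookup, which does NOT contain 00 00 FC

def build_query(name, qtype, txid=0x1234):
    """Build a minimal DNS query (the raw UDP payload, no TCP length prefix).
    Constructed sample input, not captured traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 12-byte header, RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def snort_rule_matches(payload):
    """Emulate the posted rule: content:"|00 00 FC|"; offset:14; means 'search for
    these three bytes starting at payload byte 14'. The 00 is the QNAME terminator
    and 00 FC is QTYPE 252, so this only hits when the question asks for AXFR."""
    return payload.find(b"\x00\x00\xfc", 14) != -1

def parse_question(payload):
    """Parse the first question entry; returns (name, qtype, qclass) or None."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        return None
    pos, labels = 12, []
    while True:
        ln = payload[pos]
        pos += 1
        if ln == 0:           # end of QNAME
            break
        labels.append(payload[pos:pos + ln].decode())
        pos += ln
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def is_zone_transfer_request(payload):
    """Protocol-aware check: true only when the parsed QTYPE is AXFR."""
    q = parse_question(payload)
    return q is not None and q[1] == QTYPE_AXFR

if __name__ == "__main__":
    for label, qtype in (("AXFR", QTYPE_AXFR), ("MX", QTYPE_MX)):
        pkt = build_query("example.com", qtype)
        print(label, "rule match:", snort_rule_matches(pkt),
              "parsed:", parse_question(pkt))
```

The MX query does not match, which answers the earlier question: the rule does not fire on every port-53 conversation, only on a question whose type bytes are 00 FC.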