
Thread: DNS Zone Transfer

  1. #1

    DNS Zone Transfer

    If someone tries to do a DNS zone transfer, would it trigger an IDS (if one is installed)?
    \"The future stretches out before us, uncharted. Find the open road and look back with a sense of wonder. How pregnant this moment in time. How mysterious the path ahead. Now, step forward.\"
    Phillip Toshio Sudo, Zen Computer
    Have faith, but lock your door.

  2. #2
    nebulus200 (Jaded Network Admin)
    Join Date: Jun 2002, Posts: 1,356
    Depends on whether you configured your IDS to look for it or not. All signature-based IDS systems run policies that are essentially lists of enabled/disabled signatures, so if you are looking for it, the answer would be maybe. There could be other things like packet fragmentation, load on the IDS, the speed of the connection, etc. that can all have an effect on whether or not an IDS detects the traffic.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    Opus00 (Senior Member)
    Join Date: May 2005, Posts: 143
    Snort has an active sig to detect zone transfers out of the box.

    alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:6;)
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.

  4. #4
    dinowuff (THE Bastard Sys*****)
    Join Date: Jun 2003, Location: Third planet from the Sun, Posts: 1,253
    I thought the Snort filter for zone transfers picked up any connection to TCP port 53, even a query for an MX record?

    Am I wrong?
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  5. #5
    Opus00 (Senior Member)
    Join Date: May 2005, Posts: 143
    If I'm not mistaken, the request for a zone transfer is made over UDP port 53; the actual data transfer is TCP port 53.

    In the sig I posted above, notice it says "alert udp". Since the request has to come before the actual transfer (that is, if an actual transfer occurs), the sig author most likely was trying to trap requests only.
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.

  6. #6
    nebulus200 (Jaded Network Admin)
    Join Date: Jun 2002, Posts: 1,356
    DNS, as far as I know, will only go over TCP for two reasons:
    1) Zone transfer
    2) A large DNS response that will not fit into one 65K UDP packet

    This signature is looking at UDP but is looking for content 00 00 FC, 14 bytes into the packet, which, if I had to make a wild guess without looking, would be what a zone transfer request would look like initially if requested over UDP.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
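The following is an added example and is not code from the thread or from the Snort project. It builds the DNS query messages that posts #3 through #6 argue about and runs the content/offset test of sid 1948 over them, so you can see exactly what the rule keys on. An AXFR request is an ordinary DNS question whose QTYPE is 252 (0x00FC); the bytes 00 00 FC are the zero byte that terminates QNAME followed by that QTYPE, and offset 14 is the earliest position at which the terminator can sit (12-byte header plus a one-character label). Because the rule header says udp, the same request carried over TCP, with its two-byte length prefix, does not fire this rule, and an MX query does not fire it at all. All packets are constructed inline, and membership in $EXTERNAL_NET/$HOME_NET is assumed to be satisfied, so the rule is evaluated only on protocol, port and payload. RFC 5936 specifies TCP as the transport for AXFR, so a TCP rule is needed beside this UDP one to catch real transfer requests.

```python
# Added example, not code from the thread or from Snort. Builds DNS query
# messages and emulates the content/offset test of Snort sid 1948.
import struct

QTYPES = {"A": 1, "MX": 15, "AXFR": 252}  # AXFR = 0x00FC, the pair the rule keys on


def encode_qname(name: str) -> bytes:
    """RFC 1035 wire-format name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: str, tcp: bool = False, txid: int = 0x1234) -> bytes:
    """Standard query: 12-byte header, one question, no other sections.
    Flags 0x0100 sets RD; that bit is irrelevant to the signature.
    Over TCP, DNS prefixes the message with a two-byte length (RFC 1035 4.2.2)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_qname(qname) + struct.pack("!HH", QTYPES[qtype], 1)  # QCLASS IN
    msg = header + question
    return struct.pack("!H", len(msg)) + msg if tcp else msg


def content_match(payload: bytes, offset: int = 14) -> int:
    """Emulates  content:"|00 00 FC|"; offset:14;  with no depth, so the search
    runs from byte 14 to the end of the payload. Returns the match index or -1.
    The three bytes are the QNAME terminator followed by QTYPE 252 (AXFR);
    14 is the earliest index the terminator can have (12-byte header + a
    one-byte label length + one label character)."""
    return payload.find(b"\x00\x00\xfc", offset)


def sid1948_fires(proto: str, dst_port: int, payload: bytes) -> bool:
    """The whole rule: 'alert udp $EXTERNAL_NET any -> $HOME_NET 53' plus the
    content test. Network membership is assumed satisfied (hypothetical)."""
    return proto == "udp" and dst_port == 53 and content_match(payload) != -1


def evaluate_samples() -> dict:
    """Constructed traffic samples, not captures. Returns name -> rule fired?"""
    samples = {
        "udp AXFR example.com": ("udp", build_query("example.com", "AXFR")),
        "udp AXFR a.": ("udp", build_query("a.", "AXFR")),  # terminator exactly at 14
        "udp MX example.com": ("udp", build_query("example.com", "MX")),
        "tcp MX example.com": ("tcp", build_query("example.com", "MX", tcp=True)),
        "tcp AXFR example.com": ("tcp", build_query("example.com", "AXFR", tcp=True)),
    }
    return {name: sid1948_fires(proto, 53, pkt) for name, (proto, pkt) in samples.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{'ALERT' if fired else '  -  '}  {name}")
```

Running it shows only the two UDP AXFR queries raising an alert. The MX queries never contain 00 00 FC, which answers the concern in post #4, and the TCP AXFR query carries the pattern at index 26 (shifted by the two-byte length prefix) but is skipped because the rule header restricts it to UDP.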
