Zone transfer – What is it, and why should you restrict it?

Zone transfer explained

Zone transfer is the process of copying the DNS data (DNS records) of a domain name from its Primary DNS zone to one or more Secondary DNS zones. Its main advantage is that the same collection of DNS records is held on more than one name server, which gives your domain name better availability.

Another important point is that even if a particular name server stops working for some reason (for example, maintenance or a DDoS attack), your website won’t be affected. It will remain accessible and reachable for your visitors.

If you manage a website with a global presence and want to improve the speed of DNS resolution, consider performing zone transfers to several Secondary DNS zones. That way you place your DNS data (DNS records) in more than one Point of Presence (PoP).

Types of zone transfer

Here are the two main types of zone transfer that can be completed between name servers:

  • Full zone transfer, called AXFR for short. – With this type, you duplicate the entire collection of DNS records for a domain name from the Primary name server to the Secondary name servers. It is commonly used when you deploy a new name server that does not yet contain any data for your domain. Another common scenario is when the Secondary name servers have not been updated for a long period of time; a full transfer ensures that their DNS data is up to date.
  • Incremental zone transfer, called IXFR for short. – With this type, you send only the DNS records that have changed (deleted, created, adjusted) from your Primary name server to your Secondary name servers. This reduces bandwidth, because only the new information is duplicated, not the complete zone file. Once all of your Secondary name servers are set up, it is the more useful and practical way to keep DNS data in sync.

Why should you restrict it?

Zone transfer is highly beneficial for DNS administrators, yet cybercriminals can obtain all of your sensitive DNS data the same way and take advantage of it, simply by sending an AXFR request. For that reason, it is best to restrict who can initiate a zone transfer and limit it to trusted DNS servers only.

You or your DNS administrator can do this by whitelisting the IP addresses of the Secondary DNS servers that are allowed to make AXFR queries. Another way to secure zone transfers is to use Transaction SIGnatures (TSIG).
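As an added example (not code from the original post), here are the two restrictions just described expressed as BIND named.conf fragments: the weak "anyone may transfer" setting, then the primary restricted to TSIG-signed requests (with the plain IP whitelist shown as the alternative), then the matching secondary. Assumptions: BIND 9.16 or later (older releases use master/slave/masters), the zone example.com, a primary at 192.0.2.1 and a secondary at 192.0.2.2 (documentation addresses), a key named xfer-key, and a constructed base64 secret that is a placeholder, not a real key. The primary and secondary fragments are two separate configuration files.

```conf
# Added example, not part of the original post. BIND 9.16+ syntax.
# Constructed values: zone example.com, primary 192.0.2.1, secondary 192.0.2.2,
# key name "xfer-key". Generate a real secret with: tsig-keygen xfer-key

# --- Weak setting: anyone on the Internet can pull the whole zone with AXFR ---
# zone "example.com" {
#     type primary;
#     file "/etc/bind/zones/db.example.com";
#     allow-transfer { any; };
# };

# --- Primary name server (192.0.2.1), file named.conf ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "Zm9yLWlsbHVzdHJhdGlvbi1vbmx5LW5vdC1hLXJlYWwta2V5";   # constructed placeholder
};

options {
    directory "/var/cache/bind";
    # Global default: no zone is transferable unless its own block says so.
    allow-transfer { none; };
};

zone "example.com" {
    type primary;
    file "/etc/bind/zones/db.example.com";
    # Serve AXFR/IXFR only to requests signed with xfer-key.
    # IP-whitelist alternative (weaker, spoofable): allow-transfer { 192.0.2.2; };
    allow-transfer { key "xfer-key"; };
    # Tell the secondary to pull changes (IXFR when possible) right after an update.
    also-notify { 192.0.2.2; };
};

# --- Secondary name server (192.0.2.2), file named.conf ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "Zm9yLWlsbHVzdHJhdGlvbi1vbmx5LW5vdC1hLXJlYWwta2V5";   # same secret as on the primary
};

server 192.0.2.1 {
    keys { "xfer-key"; };    # sign every transfer request sent to the primary
};

zone "example.com" {
    type secondary;
    primaries { 192.0.2.1; };
    file "/var/cache/bind/db.example.com";
    # The secondary holds a full copy too, so it must not re-serve AXFR to the world.
    allow-transfer { none; };
};
```

Run `named-checkconf` on each file before reloading; the secret must be valid base64 or the key block is rejected. With this configuration an unsigned AXFR request from any address, including the secondary's own, is refused, and a signed request from a host that does not hold the secret is refused as well, so the zone contents are only ever copied to the servers you have explicitly keyed.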

It is in your best interest not to allow everybody on the Internet to have free access to all of your DNS records.

Author: Dominic
