If you initiate a zone transfer, you can now claim to be authoritative for a zone. That means you can be a ‘bad actor’ DNS server that serves fake records. In practice, this means that you can redirect people to an attack site.
Let’s say you’re Joe the Random Internet User and you want to go to lemmy.world This is what happens in a non-attack (we’re skipping caching & non-authoritative answers for brevity):
You type “lemmy.world” into your browser
Your computer initiates a stub resolution for lemmy.world. (the trailing dot here isn’t a period. It’s the “true” FQDN)
Computer looks at hosts file and doesn’t see anything
DNS packets are sent to your configured DNS server. If you don’t have one configured, DHCP already configured it for you
Your DNS server performs a recursive search for world by asking the root zone where the “world” Name Serer is
root zone resolves world as:
world. 3600 IN NS v0n0.nic.world.
world. 3600 IN NS v0n1.nic.world.
world. 3600 IN NS v0n2.nic.world.
world. 3600 IN NS v0n3.nic.world.
world. 3600 IN NS v2n0.nic.world.
world. 3600 IN NS v2n1.nic.world.
Your DNS server reaches out to one of those Name Server’s (That’s what the NS record is for) and asks it where “lemmy” is
world Name Server responds with:
lemmy.world. 300 IN A 172.67.218.212
lemmy.world. 300 IN A 104.21.53.208
Your DNS server contacts your computer and serves it those IP addresses. (A record’s are domain name to IP Address)
Now lets say there’s a DNS spoof attack:
Before the “world” server can get back to your DNS server, the hackers server interjects with it’s own authoritative claim that lemmy is here:
lemmy.world. 300 IN A [attack site IP]
Your DNS server contacts your computer and serves it that IP address. Your computer then contacts the attack site and you get a virus.
Why would a hacker want to conduct a zone transfer? In otherwords, what is the utility for a hacker of a zone transfer?
If you initiate a zone transfer, you can now claim to be authoritative for a zone. That means you can be a ‘bad actor’ DNS server that serves fake records. In practice, this means that you can redirect people to an attack site.
Let’s say you’re Joe the Random Internet User and you want to go to lemmy.world This is what happens in a non-attack (we’re skipping caching & non-authoritative answers for brevity):
world. 3600 IN NS v0n0.nic.world.
world. 3600 IN NS v0n1.nic.world.
world. 3600 IN NS v0n2.nic.world.
world. 3600 IN NS v0n3.nic.world.
world. 3600 IN NS v2n0.nic.world.
world. 3600 IN NS v2n1.nic.world.
lemmy.world. 300 IN A 172.67.218.212
lemmy.world. 300 IN A 104.21.53.208
Now lets say there’s a DNS spoof attack:
lemmy.world. 300 IN A [attack site IP]