We have already covered the bases of DNS, so you know what it is and how does it work. This article will help you understand one of the concepts inside the DNS – zone transfer.
It is a process of sharing DNS records, the whole zone file, or only the most recent DNS records. In order to explain it, let’s first see what a zone file is.
DNS zone and DNS zone files
The DNS zones are a part of the DNS that can be administrated through an authoritative DNS server. The whole DNS is organized with a hierarchical structure – root level, TLD, domain name, subdomain, etc. There are different levels that can be managed independently. The purpose of the division is exactly to facilitate the administration of the DNS. DNS zones allow exactly this, to manage a partition of the domain namespace. The DNS administrator of a higher level needs to delegate a Master DNS zone to another administrator, so he or she can manage a lower level zone. The DNS zones have zone files that define them.
Zone files are simple text files with DNS records. A zone file will contain the whole information for a domain:
- SOA record, which indicates the start of authority.
- A records for IPv4 addresses.
- AAAA records for IPv6 addresses.
- CNAME records for canonical records that indicate the canonical domain.
- MX records for the receiving email servers for the domain.
- TXT records for various verification methods
- SRV records for services.
- PTR for a reverse DNS lookup.
- And more.
What is DNS Master Zone
The DNS Master Zone (also known as DNS Primary Zone) is the part of the namespace to which you have the control to add and remove DNS records, and that way, you can manage your domain name. Each host (part of the domain) that you can manage needs a DNS Master Zone so that you can administrate it, and also, you can have just one per host.
It hosts your zone file, which is the text document that contains all the DNS records for your domain name/host.
The DNS Master Zone permits read and write. It is located inside a Master authoritative nameserver.
For better security, availability, and redundancy in general, you will need DNS Slave Zones (DNS Secondary Zones) inside Slave DNS servers (Secondary DNS). The Slave Zones are read-only copies of the original Master Zone.
DNS Zone transfer
In DNS, you can copy data from the Master DNS zone to the Secondary DNS zones through a process called DNS Zone transfer. There are two types of zone transfer:
- Full zone transfer (AXFR) – a complete zone transfer, where the Secondary DNS servers copy the whole zone file.
- Partial zone transfer (IXFR) – In this case, the Secondary servers will check all the new changes that happened since their last update (deleted and added DNS records) and get only them.
To function correctly, the system needs to keep been updated. That could happen in two ways:
- Push – The Master DNS server can propagate a zone transfer to the Secondary DNS servers.
- Pull – The Secondary DNS server can check for changes inside the Master zone, and if they find any differences by comparing the SOA records, they can start a zone transfer.
You can do it manually with the Dig command (if you have permission) or automatically if you have set it before. It is very important who can perform zone transfer and how. A good practice is to use the Whitelisting technique for your Secondary DNS servers. That way, only their IP addresses will be inside a whitelist, and only they can get access to the zone file and the new DNS changes.
Allowing everybody to be able to perform zone transfer can be a huge risk. It can show to the person who is performing it, the whole zone file, and there can be DNS records that are only for internal use.
AXFR zone transfer (Full zone transfer)
AXFR zone transfers are the full DNS zone transfers of all DNS data. The Primary DNS server sends the whole zone file that contains all the DNS records to the Secondary DNS servers. This assures that the secondary DNS server is well synced. It will have all the latest changes that were made to the Master DNS zone.
You will use full DNS zone transfer when:
- You are adding new Secondary DNS servers. They will be empty, and that way, you can directly add all of the records at the same time.
- You want to be sure that all of the Secondary DNS servers are up to date. If you have some DNS servers that, for some reason, were out of sync, this is an easy way to do it.
People often prefer IXFR zone transfers over AXFR transfers because they don’t take so much bandwidth. Fewer data travels, and fewer resources are used.
IXFR zone transfer (Partial zone transfer)
IXFR zone transfer is just a partial zone transfer that involves transferring only the newest changes from the Master DNS server to the Secondary DNS servers.
The incremental transfers IXFR are not complete transfers. They don’t copy the whole zone file.They are ideal when you have added or deleted just a few new A records, for example, and you don’t want to push a heavy AXFR transfer.
When we are talking about partial zone transfer, the SOA record plays a big part. The Secondary DNS servers will periodically check the SOA record of the Master DNS server, and if its number is higher, they will ask for the changes since they were last updated. The same record will also provide a refresh rate that will show how often the Secondary servers should check for changes and retry rate if the procedure fails.
The Master DNS server also can directly tell the Secondary DNS servers that there were new changes with a notification called DNS NOTIFY. This can trigger an IXFR zone transfer.
The advantage of the partial DNS zone transfer is that it uses far fewer resources because only the new changes will be updated.
Why Is DNS Zone Transfer Needed?
DNS Zone Transfer is needed to:
- Set up newly added Secondary DNS servers. They need to get the DNS records from the Primary because they will be empty at first.
- The zone file at each DNS server needs to be up to date. If the data inside a Secondary DNS server is too old, it won’t be valid anymore and will be deleted. This will leave the network with one less DNS server that could answer queries.
- Old DNS data could stop services from working. If there were changes made in the Primary DNS server, but the changes were not propagated, the Secondary DNS server might have A records, leading to old IP addresses that are no longer in use.
- Manually editing DNS records at each DNS server is time-consuming and could be an impossible task if there are many DNS records and many DNS servers.
Transferring a DNS zone using Dig
You can perform a full DNS zone transfer using the popular Dig command. You can go ahead and try it with zonetransfer.me. and its nameserver. It is a website created for testing. Later you can try with yours.
Follow these steps:
- Open the Terminal application on your Linux computer.
- Type “dig zonetransfer.me -t ns”. In the answer section, you will see the nameservers for the domain name. We will use one of them for our next dig command, the @nsztm1.digi.ninja.
- Now type “ dig axfr zonetransfer.me @nsztm1.digi.ninja.”. Wait a few seconds, and you will see all the DNS records – SOA, TXT, A, AAAA, MX, NS, etc.
Zone transfers and hackers’ attacks
Hackers can obtain the zone file by performing an AXFR request. You can prevent this if you allow just trusted DNS servers to perform AXFR queries. You can use Whitelisting to add the IP addresses of the allowed DNS servers that can perform DNS zone transfer.
A good way to perform Secure zone transfers is to use DNS Transaction Signatures – TSIG. It is a way to secure the communication between two points using symmetric encryption (hmac-sha224, hmac-sha256, hmac-sha384, hmac-sha512).
Inside the zone file, there are DNS records that can be for inside use only. You can imagine that this kind of information could be dangerous in the hands f a cyber-criminal.
DNS zone transfer is the method of sharing DNS records from the Primary DNS server to the Secondary DNS servers. If you create a new DNS zone, you will need to perform an AXFR zone transfer. If you already have set up all the DNS zones and you just make changes to the primary DNS zone, then it will be an IXFR zone transfer.