DNS (Domain Name System) is one of the many systems that keeps the Internet humming and is responsible for resolving human-readable hostnames into machine-readable IP addresses. DNS servers host what are known as zones. A DNS zone is a portion of the domain name space served by a DNS server; it contains a number of DNS records, which are key-value pairs of information that are served to a client depending on the request made to the DNS server.
Since DNS is usually regarded as a critical service for applications to function properly, it is frequently set up to be highly available and possibly even load-balanced, so that clients' DNS queries keep being answered if something goes wrong with one DNS server. For this setup to work, all the DNS servers hosting the same zone must keep one another updated on any changes. Enter DNS zone transfers, also commonly referred to as AXFR (technically speaking, AXFR is the query type and protocol used for a full zone transfer; IXFR is its incremental variant).
DNS zone transfers are one of the methods available to administrators to replicate DNS databases across a group of DNS servers. While zone transfers are perfectly fine between DNS servers that are meant to share zone information, they can leak a lot of information that would otherwise not be available to an attacker if a server answers transfer requests from anyone who asks.
While DNS records are not sensitive individually, if an attacker manages to obtain a copy of the entire DNS zone for a domain (for example by means of an attacker-initiated AXFR request against a server that does not restrict which hosts may transfer the zone), they obtain a complete listing of all hosts in that zone in a single request, with none of the guesswork that brute-forcing hostnames requires.
It is also worth bearing in mind that it is not uncommon for a DNS zone to span several network segments, possibly giving an attacker insight into network segments they were unaware of.
Zone transfers synchronize primary and secondary DNS server zones. This is how DNS builds its resilience on the Internet.
DNS zones must remain updated on primary and secondary servers. Discrepancies in primary and secondary zones can cause service outages and host names that resolve incorrectly.
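The attacker-initiated AXFR described above, written out as an added example (this is not code from the original article). The function speaks raw DNS over TCP, so it needs no DNS module: it sends a query of type 252 (AXFR) for the zone and then reads the stream of answer messages, which by definition begins and ends with the zone's SOA record, stopping at the second SOA or at a non-zero RCODE (5 = REFUSED is what a correctly restricted server returns). The target in the usage line is this page's DC-CLOUD address, 172.16.1.254, and is an assumption; on Linux the equivalent check is `dig axfr windows.ae @172.16.1.254`.

```powershell
# Added example, not part of the original article: probe a DNS server for an open AXFR.

function Skip-DnsName {
    # Return the offset just past a wire-format name, honouring compression
    # pointers (RFC 1035 section 4.1.4): a pointer is 2 bytes and ends the name.
    param([byte[]]$Buf, [int]$Offset)
    while ($true) {
        $len = [int]$Buf[$Offset]
        if ($len -eq 0) { return $Offset + 1 }
        if (($len -band 0xC0) -eq 0xC0) { return $Offset + 2 }
        $Offset += 1 + $len
    }
}

function Read-Exact {
    # Read exactly $Count bytes or throw (some servers refuse a transfer by simply hanging up).
    param([System.Net.Sockets.NetworkStream]$Stream, [int]$Count)
    $buf = [byte[]]::new($Count)
    $got = 0
    while ($got -lt $Count) {
        $n = $Stream.Read($buf, $got, $Count - $got)
        if ($n -le 0) { throw "connection closed by server after $got bytes" }
        $got += $n
    }
    return ,$buf
}

function Invoke-DnsAxfr {
    param(
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 53,
        [int]$TimeoutMs = 5000
    )
    # Query = 12-byte header (ID 0x1234, flags 0, QDCOUNT 1) + zone name as
    # length-prefixed labels + QTYPE 252 (AXFR) + QCLASS 1 (IN).
    $q = [System.Collections.Generic.List[byte]]::new()
    $q.AddRange([byte[]](0x12,0x34, 0x00,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00))
    foreach ($label in $Zone.TrimEnd('.').Split('.')) {
        $q.Add([byte]$label.Length)
        $q.AddRange([System.Text.Encoding]::ASCII.GetBytes($label))
    }
    $q.AddRange([byte[]](0x00, 0x00,0xFC, 0x00,0x01))

    $types = @{}; $soaSeen = 0; $rcode = 0; $note = ''
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        # AXFR runs over TCP: every message carries a 2-byte big-endian length prefix.
        $stream.Write([byte[]](($q.Count -shr 8), ($q.Count -band 0xFF)), 0, 2)
        $stream.Write($q.ToArray(), 0, $q.Count)

        # A transfer is a sequence of messages that starts and ends with the zone SOA.
        while ($soaSeen -lt 2) {
            $lenBytes = Read-Exact $stream 2
            $msg = Read-Exact $stream (([int]$lenBytes[0] -shl 8) -bor [int]$lenBytes[1])
            $rcode = [int]$msg[3] -band 0x0F           # 0 = NOERROR, 5 = REFUSED
            if ($rcode -ne 0) { break }
            $qdcount = ([int]$msg[4] -shl 8) -bor [int]$msg[5]
            $ancount = ([int]$msg[6] -shl 8) -bor [int]$msg[7]
            $pos = 12
            for ($i = 0; $i -lt $qdcount; $i++) { $pos = (Skip-DnsName $msg $pos) + 4 }  # skip QTYPE+QCLASS
            for ($i = 0; $i -lt $ancount; $i++) {
                $pos   = Skip-DnsName $msg $pos
                $type  = ([int]$msg[$pos] -shl 8) -bor [int]$msg[$pos + 1]
                $rdlen = ([int]$msg[$pos + 8] -shl 8) -bor [int]$msg[$pos + 9]
                $pos  += 10 + $rdlen                    # TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) RDATA
                if ($type -eq 6) { $soaSeen++ }
                $types[$type] = 1 + [int]$types[$type]
            }
        }
    } catch {
        $note = $_.Exception.Message
    } finally {
        $client.Close()
    }
    $total = ($types.Values | Measure-Object -Sum).Sum
    [pscustomobject]@{
        Zone        = $Zone
        Server      = $Server
        Rcode       = $rcode
        Transferred = ($rcode -eq 0 -and $soaSeen -ge 2)
        Records     = [int]$total     # includes the opening and closing SOA
        ByType      = $types          # keyed by RR type number: 1=A, 2=NS, 6=SOA, 15=MX, 28=AAAA
        Note        = $note
    }
}

# Usage (target address is an assumption taken from this page's lab):
Invoke-DnsAxfr -Zone 'Windows.ae' -Server '172.16.1.254'
```

A result with Transferred = True against a server you did not configure as a secondary is the finding: the whole zone, reverse zones included if you repeat the call for `16.172.in-addr.arpa`, is readable by any client. Rcode 5 or a Note saying the server hung up is the expected outcome after the restriction configured later in this procedure.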
NOTE: usually there is no need to configure zone transfers for Active Directory-integrated DNS zones, because those replicate between domain controllers through AD replication itself. However, if you have created another DNS zone that does not belong to your AD, or you want a copy of a zone on a DNS server that is not a domain controller (as with the member server SUB-01 below), a zone transfer is how that zone reaches the other DNS server.
The Procedure
Let's start with the first server, which in this example is DC-CLOUD.Windows.ae.
Before we start with the DNS zone transfer, let's add some information to DNS. For this demo, we will add a new host record on the DNS server.
Right-click the domain name, in this case Windows.ae, and then click New Host (A or AAAA).
Next, in the New Host box, enter Server-Exchange2016 in the Name field and the server's IP address in the IP address field.
A prompt should confirm that the host record was successfully created.
Next, right-click the domain name again and click New Mail Exchanger (MX) to create an MX record.
In the New Resource Record box, enter the FQDN of the mail server (the Exchange server) and click OK.
The MX record should now appear in the zone's list of resource records.
Next, still on DC-CLOUD.Windows.ae, in the DNS console, right-click Reverse Lookup Zones and click New Zone.
NOTE: a reverse lookup zone resolves an IP address to a domain name and holds start of authority (SOA), name server (NS), and pointer (PTR) resource records.
On the New Zone Wizard, click Next.
On the Zone Type page, select Primary zone and click Next to continue.
On the Active Directory Zone Replication Scope page, select the second option and click Next.
Next, on the Reverse Lookup Zone Name page, select IPv4 Reverse Lookup Zone and click Next to continue.
Next, under Network ID, type 172.16 (the 172.16.x.x range the servers in this example live in; the wizard names the zone 16.172.in-addr.arpa) and click Next.
On the Dynamic Update box, click Allow only secure dynamic updates (recommended for Active Directory), then click Next.
Next, click Finish.
Now, let's continue by installing the DNS Server role on SUB-01.Windows.ae (a domain member server), which is the server that will hold a replica of the zone.
On SUB-01.Windows.ae, in the Select server roles list, check DNS Server and click Next to proceed.
Then on the Select features page, click Next to proceed, and then again, on the DNS Server page, click Next to proceed.
Next, click Install.
Once the DNS installation is completed, click Close.
Next, let's create the secondary zone using Windows PowerShell. Type the following, for example (172.16.1.254 is DC-CLOUD, the primary the zone is pulled from):
Add-DnsServerSecondaryZone -Name "Windows.ae" -ZoneFile "Windows.ae.dns" -MasterServers 172.16.1.254
Next, return to the domain controller (DC-CLOUD.Windows.ae), open PowerShell and run this cmdlet to enable zone transfers to SUB-01 (172.16.1.240) only. TransferToSecureServers limits transfers to the servers listed in -SecondaryServers, which is what keeps the zone from being handed to anyone who asks, and NotifyServers tells those servers when the zone changes:
Set-DnsServerPrimaryZone -Name "Windows.ae" -Notify NotifyServers -NotifyServers "172.16.1.240" -SecondaryServers "172.16.1.240" -SecureSecondaries TransferToSecureServers
Next, still on DC-CLOUD.Windows.ae, open the DNS console, refresh the view, then right-click the domain name (Windows.ae) and click Properties.
In the Windows.ae Properties box, click the Zone Transfers tab and verify the IP address and server FQDN, then click Notify.
Next, in the Notify box, verify that the SUB-01 IP address has been validated and click Cancel.
Next, let's configure aging/scavenging for all existing zones: right-click the server name (DC-CLOUD.Windows.ae) and click Set Aging/Scavenging for All Zones.
In the Server Aging/Scavenging Properties box, check Scavenge stale resource records and click OK to proceed.
Next, in the Server Aging/Scavenging Confirmation box, check Apply these settings to the existing Active Directory-integrated zones and click OK.
As a final step, let's verify that both the domain controller and the member server now hold the same DNS resource records for Windows.ae.
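The whole procedure above, from the test records through the transfer restriction to the final verification, as an added PowerShell example rather than code from the original article. It uses this page's names and addresses (DC-CLOUD.Windows.ae at 172.16.1.254 as primary, SUB-01.Windows.ae at 172.16.1.240 as secondary); the Exchange server's address 172.16.1.10 is an assumption, since the page does not give it. Each section is run on the server it names, and the last section adds the check the introduction calls for: listing any primary zone on the DC that would still answer AXFR from arbitrary hosts.

```powershell
# Added example, not part of the original article. Run each section on the server named in its header.
# Assumed address for the Exchange host: 172.16.1.10 (the page does not state it).

# --- On DC-CLOUD.Windows.ae: the records and the reverse zone created through the console above ---
Add-DnsServerResourceRecordA  -ZoneName 'Windows.ae' -Name 'Server-Exchange2016' -IPv4Address '172.16.1.10'
Add-DnsServerResourceRecordMX -ZoneName 'Windows.ae' -Name '.' -MailExchange 'Server-Exchange2016.Windows.ae' -Preference 10
# 172.16.0.0/16 becomes the AD-integrated zone 16.172.in-addr.arpa; secure dynamic updates only
Add-DnsServerPrimaryZone -NetworkId '172.16.0.0/16' -ReplicationScope Domain -DynamicUpdate Secure

# --- On SUB-01.Windows.ae: install the role and pull Windows.ae as a standard secondary zone ---
Install-WindowsFeature -Name DNS -IncludeManagementTools
Add-DnsServerSecondaryZone -Name 'Windows.ae' -ZoneFile 'Windows.ae.dns' -MasterServers 172.16.1.254

# --- On DC-CLOUD.Windows.ae: allow transfers to SUB-01 only, notify it of changes, enable scavenging ---
Set-DnsServerPrimaryZone -Name 'Windows.ae' -SecureSecondaries TransferToSecureServers `
    -SecondaryServers 172.16.1.240 -Notify NotifyServers -NotifyServers 172.16.1.240
Set-DnsServerScavenging -ScavengingState $true -ApplyOnAllZones

# --- Verification: force a full transfer on SUB-01, then diff the two record sets ---
Start-DnsServerZoneTransfer -Name 'Windows.ae' -FullTransfer -ComputerName 'SUB-01.Windows.ae'
$primary   = Get-DnsServerResourceRecord -ZoneName 'Windows.ae' -ComputerName 'DC-CLOUD.Windows.ae' |
             ForEach-Object { "$($_.HostName) $($_.RecordType)" } | Sort-Object
$secondary = Get-DnsServerResourceRecord -ZoneName 'Windows.ae' -ComputerName 'SUB-01.Windows.ae' |
             ForEach-Object { "$($_.HostName) $($_.RecordType)" } | Sort-Object
# No output from Compare-Object means every (name, type) pair is present on both servers
Compare-Object -ReferenceObject $primary -DifferenceObject $secondary

# --- Audit: primary zones on the DC that would still hand the zone to any client (AXFR from anywhere) ---
Get-DnsServerZone -ComputerName 'DC-CLOUD.Windows.ae' |
    Where-Object { $_.ZoneType -eq 'Primary' -and $_.SecureSecondaries -eq 'TransferAnyServer' } |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers
```

The audit at the end should return nothing once Windows.ae and the new reverse zone are restricted; a zone it does list is one an attacker can dump with a single AXFR request, so set it to TransferToSecureServers (or TransferToZoneNameServer if its NS records are accurate) with Set-DnsServerPrimaryZone as above.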