Jump to content

DNS zone transfer

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by HeiseUK (talk | contribs) at 14:05, 17 February 2008 (updated links to heise Security). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.


DNS zone transfer, also sometimes known by its (most common) opcode mnemonic AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to employ for replicating the databases containing the DNS data across a set of DNS servers. Zone transfer comes in two flavors, full (opcode AXFR) and incremental (IXFR). Nearly universal at one time, it is now falling by the wayside somewhat, in favor of the use of other database replication mechanisms that modern DNS server packages provide.

Operation

Zone transfer operates on top of the Transmission Control Protocol (TCP), and takes the form of a client-server transaction. The parties involved in a zone transfer are a client (the "slave" requesting the data from a portion of the database to be transferred to it) and a server (the "master" supplying those data from its database). Some sources refer to the slave as a "secondary" server and the master as a "primary" server. The portion of the database that is replicated is a "zone".

Zone transfer comprises a preamble followed by the actual data transfer. The preamble comprises a lookup of the SOA (Start of Authority) resource record for the "zone apex", the node of the DNS namespace that is at the top of the "zone". The fields of this SOA resource record, in particular the "serial number", determine whether the actual data transfer need occur at all. The client compares the serial number of the SOA resource record with the serial number in the last copy of that resource record that it has. If the serial numbers differ, the data in the zone are deemed to have "changed" (in some fashion) and the slave proceeds to request the actual zone data transfer. If the serial numbers are identical, the data in the zone are deemed not to have "changed", and the client may continue to use the copy of the database that it already has, if it has one.

The actual data transfer proper begins by the client sending a query with the special opcode AXFR (value 252) over the TCP connection to the server. The server responds with a series of response messages, comprising all of the resource records for every domain name in the "zone". The first response comprises the SOA resource record for the zone apex. The other data follow in no specified order. The end of the data is signalled by the server repeating the response containing the SOA resource record for the zone apex.

Some zone transfer clients perform the SOA lookup of the preamble using their system's normal DNS query resolution mechanism. These clients do not open a TCP connection to the server until they have determined that they need to perform the actual data transfer. However, since TCP can be used for normal DNS transactions, as well as for zone transfer, other zone transfer clients perform the SOA lookup preamble over the same TCP connection as they then (may) perform the actual data transfer. These clients open the TCP connection to the server before they even perform the preamble.

The preceding describes full zone transfer. Incremental zone transfer differs from full zone transfer in the following respects:

  • The client uses the special opcode IXFR (value 251) instead of the AXFR opcode.
  • The client sends the SOA resource record for the zone apex that it currently has, if any, in the IXFR message, letting the server know which version of the "zone" it believes to be current.
  • Though the server may respond in the normal AXFR manner with the full data for the zone, it may also instead respond with an "incremental" data transfer. This latter comprises the list of changes to the zone data, in zone serial number order, between the version of the zone that the client reported to the server as having and the version of the zone that is current at the server. The changes comprise two lists, one of resource records that are deleted and one of resource records that are inserted. (A modification to a resource record is represented as a deletion followed by an insertion.)

Zone transfer is entirely client-initiated. Though servers can send a NOTIFY message to clients (that they have been informed about) whenever a change to the zone data have been made, the scheduling of zone transfers is entirely under the control of the clients. Clients schedule zone transfers initially, when their databases are empty, and thereafter at regular intervals, in a pattern controlled by the values in the "refresh", "retry", and "expire" fields in the SOA resource record of the zone apex.

Limitations

Though it is standardized, full zone transfer being described as one of the possible database replication mechanisms in RFC 1034 (with incremental zone transfer described in RFC 1995), zone transfer is the most limited of those database replication mechanisms. This is largely due to a mismatch of database schemata. Zone transfer operates in terms of "wire format" resource records, i.e. resource records as they are transferred using the DNS protocol via TCP and UDP. However, the schema of wire format resource records rarely matches the database schemata used by the back ends of the DNS servers themselves. It is thus impossible to fully replicate the actual database contents using zone transfer as the replication mechanism.

For modern DNS server packages, it is almost never the case that the database schemata actually used by the servers match that of zone transfer. Microsoft's DNS server has timestamp and security information fields in resource records that zone transfer is incapable of transferring. djbdns has time-to-die and location information fields in resource records that zone transfer is incapable of transferring. Even ISC's BIND has information in its back end database, such as the $GENERATE directive, that is impossible to directly transfer using zone transfer.

Operational problems

There are several interoperability and operational problems that occur with zone transfer.

Serial number changes

The preamble portion of zone transfer relies on the serial number, and only the serial number, to determine whether a zone's data have changed, and thus the actual data transfer is required. For some DNS server packages, the serial numbers of SOA resource records are maintained by administrators by hand. Every edit to the database involves making two changes, one to the record being changed and the other to the zone serial number. This is a laborious process and one that is prone to error, with administrators either forgetting to change a serial number or changing a serial number incorrectly (such as decreasing it or increasing it by a huge amount).

Some DNS server packages have overcome this problem by automatically constructing the serial number from the last modification timestamp of the database file on disc. This is the case for djbdns, for example. The operating system ensures that the last modification timestamp is updated whenever an administrator edits the database file, effectively automatically updating the serial number, and thus relieving administrators of the need to make two edits (in two different places) for every single change.

Furthermore, the paradigm of database replication for which the serial number check (and indeed zone transfer itself) is designed, which involves a single central DNS server holding the master version of the database with all other DNS servers merely holding copies, simply does not match that of many modern DNS server packages. Modern DNS server packages with sophisticated database back ends such as SQL servers and Active Directory allow administrators to make updates to the database in multiple places (such systems employ Multi-master replication), with the database back end's own replication mechanism handling the replication to all other servers. This paradigm simply does not match that of a single, central, monotonically increasing number to record changes, and thus is incompatible with zone transfer to a large extent. Modern DNS server packages with sophisticated database back ends often will create a "shim" serial number, simulating the existence of a single central place where updates are made, but this is at best imperfect.

Fortunately, for this and several reasons outlined later, DNS servers that use such sophisticated database back ends in general rarely use zone transfer as their database replication mechanism in the first place, and usually instead employ the vastly superior distributed database replication mechanisms that the back ends themselves provide.

Serial number comparisons

Not all clients perform the serial number check, in the preamble, in the same way. Some clients check merely that the serial number supplied by the server is different to that known by the client, or non-zero. Other clients check that the serial number supplied by the server is within a given range of the serial number already known by the client. Yet other clients still perform the latter check and additionally check that the serial number supplied by the server is zero.

Multiple resource records

Originally, in the actual data transfer each set of resource records for a single domain name and type was transferred in a separate response message from the server to the client. However, this is inefficient, and some DNS server software took to implementing optimizations, geared at allowing the response compression mechanism in the DNS protocol to reduce the total bandwidth requirements of data transfers, such as:

  • performing "additional section processing" to include any "glue" resource record sets in the same response as an NS, SRV, or MX resource record set
  • collecting all of the resource record sets relating to a single domain name together and sending them, if they fit, in a single response

Some clients were written to expect only the original response format, and would fail to perform data transfer if such optimizations were employed. Several DNS server packages thus have a configuration setting allowing administrators to specify the use of "single answer format" responses for those clients that require it.

Security

DNS zone transfers have several potential security issues, though they are easily rectified by proper configuration of the DNS software.

Exposure of Data

The data contained in an entire DNS zone may be sensitive in nature. Individually, DNS records are not sensitive, but if a malicious entity obtains a copy of the entire DNS zone for a domain, they may have a complete listing of all hosts in that domain. That makes the job of a computer hacker much easier. A computer hacker needs no special tools or access to obtain a complete DNS zone if the name server is promiscuous and allows anyone to do a zone transfer.

Of course DNS zone transfers are a necessary and critical aspect of how DNS works, and can not be turned off completely. But DNS zone transfers should only be allowed between DNS servers and clients that actually need it. Typically, only inter-dependent DNS servers will need to do zone transfers. An additional layer of protection with zone transfers can be obtained by implementing DNS keys and even encrypted DNS payloads.

As with all Information Technology security, there is no perfect solution. But implementing multiple security configurations increases the protection of a system.

In 2008 a court in North Dakota, USA, ruled that performing a zone transfer as an unauthorised outsider to obtain information that was not publicly accessible constitutes trespass under U.S. law.

Denial of Service

If a malicious entity is able to perform a DNS zone transfer they can launch a Denial of Service attack against that zone's DNS servers by bogging them down with many multiple requests. Not only can the name servers be made slow and unresponsive, in some cases this can lock-out the ability to do legitimate DNS updates by keeping the DNS servers database backend in a "write lock" mode.

However, this is largely fixed by limiting access to do DNS zone transfers. Malicious entities can still pepper DNS servers with bogus requests, but that is not a security issue unique to DNS and has to be handled at a lower level of the OSI model.

References

  • "How the AXFR protocol works". Internet publication, D. J. Bernstein. {{cite web}}: Unknown parameter |accessmonthday= ignored (help); Unknown parameter |accessyear= ignored (|access-date= suggested) (help)
  • "Understanding zones and zone transfer". Microsoft Windows Server 2003 product documentation. {{cite web}}: Unknown parameter |accessmonthday= ignored (help); Unknown parameter |accessyear= ignored (|access-date= suggested) (help)
  • "DNS zone replication in Active Directory". Microsoft Windows Server 2003 product documentation. {{cite web}}: Unknown parameter |accessmonthday= ignored (help); Unknown parameter |accessyear= ignored (|access-date= suggested) (help)
  • "Active Directory integration". Microsoft Windows Server 2003 product documentation. {{cite web}}: Unknown parameter |accessmonthday= ignored (help); Unknown parameter |accessyear= ignored (|access-date= suggested) (help)