Operator On The Wire
BLUE TEAM / THREAT HUNT / ACTIVE DIRECTORY / DNS

Zone Transfer

This note documents detection patterns related to DNS Zone Transfer within Active Directory environments.


Direct Indicators

Log | Event ID | Meaning | Forensic Value | Notes
--- | --- | --- | --- | ---
DNS Server Log | 6001 | Zone transfer requested | Critical | External host requested full DNS zone transfer.
DNS Server Log | 6002 | Zone transfer completed | Critical | Entire DNS zone transferred to remote host.
Security | 4624 | Successful logon | Medium | Authentication associated with DNS administration activity.
Sysmon | 3 | Network connection | High | Connection from external host requesting DNS zone data.
Firewall Logs | N/A | Large DNS responses | High | Large DNS packets associated with zone transfers.
Network IDS | N/A | AXFR request detected | Critical | Network-based detection of zone transfer attempt.

Indirect Indicators

Indicator | What To Look For | Forensic Value | Notes
--- | --- | --- | ---
Large DNS responses | DNS responses significantly larger than typical queries | High | Typical during AXFR transfers.
DNS queries for zone transfer type | AXFR or IXFR queries | Critical | Direct indicator of zone transfer attempt.
DNS server responding to unknown host | Transfer allowed to unauthorized system | Critical | Possible misconfiguration exploitation.
Multiple DNS records retrieved | Bulk DNS records transferred | High | Typical enumeration behavior.
External reconnaissance activity | DNS enumeration following zone transfer | Medium | Attackers mapping internal network.

Common Tools

Tool | Usage
--- | ---
dig | Performs DNS zone transfer requests using AXFR query.
nslookup | Can request zone transfers if permitted.
dnsrecon | Automates DNS enumeration including zone transfers.
fierce | Performs DNS reconnaissance.
Nmap NSE scripts | DNS enumeration including zone transfer checks.

Relevant Artifacts

  • DNS server logs
  • Firewall logs showing DNS traffic
  • Network IDS alerts for AXFR queries
  • Sysmon logs (Event ID 3, network connections)
  • EDR telemetry identifying DNS reconnaissance tools
  • DNS query logs
  • Packet captures showing zone transfer traffic
  • SIEM correlation alerts

MITRE ATT&CK References

  • T1046 Network Service Discovery
  • T1595 Active Scanning
  • T1590 Gather Victim Network Information

Decision Tree

  1. Is the suspicious event present?
    • Identify AXFR or IXFR DNS queries.
  2. What host generated the request?
    • Determine source IP requesting zone transfer.
  3. Is the host authorized for zone transfers?
    • Check DNS server zone transfer configuration.
  4. Pivot:
    • Source host → investigate reconnaissance tools.
    • DNS logs → determine records retrieved.
    • Network traffic → inspect additional enumeration activity.
  5. Confirm exploitation:
    • Determine whether attacker successfully retrieved full DNS zone data.
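The decision tree above, applied to a DNS query log, as an added example that is not part of the original note: it keeps only AXFR/IXFR records (step 1), reads the requesting host (step 2), checks it against an allowlist of secondary DNS servers (step 3) and uses the response code to tell a completed transfer from a refused attempt (step 5). The log excerpt, the allowlist, the 10.0.0.0/8 internal range and the zone name are all constructed assumptions; the record layout mirrors a Zeek-style tab-separated dns.log.

```python
import ipaddress
from dataclasses import dataclass

# Constructed dns.log excerpt (tab-separated): ts, id.orig_h, id.resp_h, query, qtype_name, rcode_name
SAMPLE_DNS_LOG = """\
1700000000.100\t10.0.0.5\t10.0.0.10\tcorp.example\tAXFR\tNOERROR
1700000001.200\t10.0.0.5\t10.0.0.10\tcorp.example\tIXFR\tNOERROR
1700000002.300\t10.0.9.77\t10.0.0.10\tcorp.example\tAXFR\tREFUSED
1700000003.400\t203.0.113.40\t10.0.0.10\tcorp.example\tAXFR\tNOERROR
1700000004.500\t10.0.9.77\t10.0.0.10\tdc01.corp.example\tA\tNOERROR
"""

# Assumed allowlist: the secondary DNS servers that are permitted to pull the zone.
AUTHORIZED_SECONDARIES = {"10.0.0.5", "10.0.0.6"}
# Assumed internal address space, used only to describe where an unauthorised request came from.
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]

@dataclass
class Finding:
    source: str
    zone: str
    qtype: str
    rcode: str
    severity: str   # "critical", "high" or "info"
    reason: str

def classify(source, zone, qtype, rcode):
    """Steps 3 and 5: was the requester authorised, and did the transfer complete?"""
    if source in AUTHORIZED_SECONDARIES:
        return Finding(source, zone, qtype, rcode, "info", "authorised replication")
    if rcode == "NOERROR":
        # Zone handed to an unauthorised host: the misconfiguration indicator from the table above.
        origin = "internal" if any(ipaddress.ip_address(source) in n for n in INTERNAL_RANGES) else "external"
        return Finding(source, zone, qtype, rcode, "critical", f"zone transferred to unauthorised {origin} host")
    return Finding(source, zone, qtype, rcode, "high", "transfer attempt refused")

def find_zone_transfers(log_text):
    """Step 1: keep only AXFR/IXFR records; steps 2-5 happen in classify()."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, zone, qtype, rcode = line.split("\t")
        if qtype in ("AXFR", "IXFR"):
            findings.append(classify(src, zone, qtype, rcode))
    return findings

if __name__ == "__main__":
    for f in find_zone_transfers(SAMPLE_DNS_LOG):
        print(f"[{f.severity}] {f.source} {f.qtype} {f.zone}: {f.reason}")
```

Authorised replication is reported at "info" rather than dropped, so the allowlist itself stays visible during a hunt; the ordinary A query is ignored entirely.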

Example Detection Templates

KQL

// Query 1: zone transfer queries recorded by the DNS server
DnsEvents
| where QueryType in ("AXFR", "IXFR")

// Query 2: hosts contacted on port 53, bucketed into 5-minute windows
// (context for query 1, not a zone transfer detection on its own)
DeviceNetworkEvents
| where RemotePort == 53
| summarize count() by RemoteIP, bin(TimeGenerated, 5m)

EQL

any where dns.question.type in ("AXFR","IXFR")

Sigma

title: DNS Zone Transfer Attempt
id: dns-zone-transfer-detection
status: experimental
description: Detects DNS zone transfer attempts using AXFR or IXFR queries
logsource:
  product: network
detection:
  selection:
    QueryType:
      - AXFR
      - IXFR
  condition: selection
fields:
  - src_ip
  - dns_query
falsepositives:
  - Legitimate zone replication between DNS servers
level: medium
tags:
  - attack.discovery

Mitigation & Hardening

Control Area | Mitigation | Effectiveness | Notes
--- | --- | --- | ---
DNS configuration | Restrict zone transfers to authorized servers | Critical | Prevents unauthorized enumeration.
Firewall rules | Block AXFR requests from external hosts | High | Limits exposure.
Monitoring | Alert on zone transfer requests | High | Detects reconnaissance activity.
Network segmentation | Isolate DNS infrastructure | Medium | Reduces attack surface.
Threat hunting | Review DNS logs for large responses | Medium | Identifies potential enumeration.