Rule: -- Sid: 255 -- Summary: This event is generated when an attempt is made to request a zone transfer from a DNS Server -- Impact: Information disclosure. -- Detailed Information: DNS Zone transfers are normally used between DNS Servers to replicate zone information. Zone transfers can also be used to gain information about a network. -- Affected Systems: All DNS Servers -- Attack Scenarios: A malicious user may request a Zone Transfer to gather information before commencing an attack. This can give the user a list of hosts to target. -- Ease of Attack: Simple. -- False Positives: DNS Zone transfers may be part of normal traffic for DNS servers. -- False Negatives: None known -- Corrective Action: Configure the DNS servers to only allow zone transfers from authorised hosts, limit the information available from publicly acessible DNS server by using Split Horizon DNS or separate DNS Servers for internal networks. -- Contributors: Original rule writer unknown Original document author unkown Sourcefire Vulnerability Research Team Nigel Houghton <nigel.houghton@sourcefire.com> -- Additional References: --
