DNS Reconnaissance

Medium

Comprehensive DNS enumeration and zone transfer testing using DNSRecon.

Estimated fix time: 30-45 minutes

What is DNS Reconnaissance?

DNSRecon performs comprehensive DNS enumeration including zone transfers, reverse lookups, SRV record enumeration, and subdomain brute forcing. This information helps attackers map your infrastructure and identify potential targets.

Security Impact

Severity: Medium

  • Complete zone data exposure through zone transfers
  • Internal infrastructure mapping
  • Subdomain discovery leading to forgotten or vulnerable services
  • Email server identification for targeted phishing
  • Service discovery through SRV records

How to Fix

1. Disable Zone Transfers

Zone transfers should only be allowed to authorised secondary DNS servers:

// BIND - named.conf (named.conf comments use //, # or /* */; ';' is a statement terminator there)
zone "yourdomain.com" {
    type master;
    file "yourdomain.com.zone";
    allow-transfer { 10.0.0.2; };  // Only allow to the authorised secondary DNS server
};

If using a managed DNS provider (Cloudflare, Route53, etc.), zone transfers are typically disabled by default.

2. Minimise DNS Information Disclosure

Remove unnecessary DNS records:

; Remove internal hostnames from public DNS
; Don't publish records like:
;   internal.yourdomain.com
;   staging.yourdomain.com
;   dev.yourdomain.com
;   db.yourdomain.com
;   admin.yourdomain.com
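To check an existing zone file for the kind of records this step says to remove, here is an added example (not code from the original guide). It assumes a standard zone file with one record per line and flags hostnames that use the labels listed above, targets in private or local address ranges, and CNAMEs that point into an internal namespace.

```python
# Added example (not from the original guide): audit a public zone file for records that expose internal infrastructure; the sample zone is constructed.
import ipaddress
INTERNAL_LABELS = {"internal", "staging", "dev", "db", "admin"}  # labels from the guide's list
NON_PUBLIC = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]  # RFC 1918 + local

def parse_zone(text, origin):
    """Minimal parser: (owner, type, rdata) for A/AAAA/CNAME; handles $ORIGIN, ';' comments, '@'."""
    origin = origin.rstrip(".").lower()
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$"):  # $ORIGIN changes the suffix; other directives are skipped
            if line.startswith("$ORIGIN"):
                origin = line.split()[1].rstrip(".").lower()
            continue
        owner, *fields = line.split()
        owner = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        rest = [f for f in fields if not f.isdigit() and f.upper() != "IN"]  # drop TTL/class
        if len(rest) >= 2 and rest[0].upper() in {"A", "AAAA", "CNAME"}:
            records.append((owner.rstrip(".").lower(), rest[0].upper(), rest[1]))
    return records

def audit_public_zone(text, origin):
    """Return (owner, type, rdata, reason) for records that should not be in public DNS."""
    findings = []
    for owner, rtype, rdata in parse_zone(text, origin):
        if set(owner.split(".")) & INTERNAL_LABELS:
            findings.append((owner, rtype, rdata, "internal-style hostname"))
        if rtype == "CNAME":
            if set(rdata.rstrip(".").lower().split(".")) & INTERNAL_LABELS:
                findings.append((owner, rtype, rdata, "CNAME into internal namespace"))
            continue
        try:
            ip = ipaddress.ip_address(rdata)
        except ValueError:
            continue
        if any(ip in net for net in NON_PUBLIC):
            findings.append((owner, rtype, rdata, "non-public address"))
    return findings
SAMPLE_ZONE = """\
$ORIGIN yourdomain.com.
@        IN NS    ns1.yourdomain.com.
www      IN A     203.0.113.10
staging  IN A     203.0.113.30   ; test site exposed by its name
db       300 IN A 10.0.0.5       ; RFC 1918 target leaks the internal layout
intranet IN CNAME web01.internal.yourdomain.com.
"""
```

Run `audit_public_zone(SAMPLE_ZONE, "yourdomain.com")` to get the findings; the `www` record passes, the other three are reported.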

3. Implement DNSSEC

DNSSEC lets resolvers verify that answers are authentic, which defends against DNS spoofing and cache poisoning. It does not hide records, and a zone signed with plain NSEC can be walked name by name, so sign with NSEC3:

# If using Cloudflare, enable DNSSEC in the dashboard
# For BIND (manual signing): create a ZSK and a KSK, $INCLUDE their public key files in the zone, then sign
dnssec-keygen -a ECDSAP256SHA256 -b 256 -n ZONE yourdomain.com
dnssec-keygen -a ECDSAP256SHA256 -b 256 -n ZONE -f KSK yourdomain.com
# "-3 -" signs with an NSEC3 chain (no salt) so the zone cannot be walked the way plain NSEC allows
dnssec-signzone -3 - -o yourdomain.com yourdomain.com.zone
# Publish the KSK's DS record at your registrar; recent BIND versions can automate all of this with dnssec-policy

4. Use Split-Horizon DNS

Keep internal DNS records separate from public ones:

// named.conf: views are tried in order and the first match-clients that matches the
// querying address wins, so the internal view must come before the view that matches any
view "internal" {
    match-clients { 10.0.0.0/8; };
    zone "yourdomain.com" {
        type master;
        file "yourdomain.com.internal.zone";
    };
};

// Public view (everyone else)
view "external" {
    match-clients { any; };
    zone "yourdomain.com" {
        type master;
        file "yourdomain.com.external.zone";
    };
};

5. Monitor DNS Records

Regularly audit your DNS records and remove stale entries:

# List DNS records (many servers answer ANY minimally per RFC 8482, so also query specific types such as A, MX, TXT and SRV)
dig yourdomain.com ANY +noall +answer

# Check for zone transfer vulnerability (repeat for every authoritative server listed in your NS records)
dig axfr yourdomain.com @ns1.yourdomain.com
# Should return "Transfer failed" or "connection refused"

Verification

After applying fixes, DNSRecon should not be able to perform zone transfers. The number of discoverable records should be minimal, limited to publicly necessary entries.

  • DNS Security
  • Subdomain Discovery
  • Subdomain Takeover

Automatically detect this issue

StackShield can automatically scan your Laravel application for this security issue and alert you when it's detected.
