How to Secure DNS Against Reconnaissance Attacks

Comprehensive DNS enumeration and zone transfer testing using DNSRecon.

Category: email domain security | Severity: Medium | Fix time: 30-45 minutes

What This Check Detects

This check runs DNSRecon against your domain to enumerate its DNS records (zone transfers, reverse lookups, SRV records, subdomain brute forcing) and to test whether your nameservers allow zone transfers.

Full Documentation

What is DNS Reconnaissance?

DNSRecon performs comprehensive DNS enumeration including zone transfers, reverse lookups, SRV record enumeration, and subdomain brute forcing. This information helps attackers map your infrastructure and identify potential targets.

Security Impact

Severity: Medium

  • Complete zone data exposure through zone transfers
  • Internal infrastructure mapping
  • Subdomain discovery leading to forgotten or vulnerable services
  • Email server identification for targeted phishing
  • Service discovery through SRV records

How to Fix

1. Disable Zone Transfers

Zone transfers should only be allowed to authorised secondary DNS servers:

// BIND - named.conf (named.conf comments use //, # or /* */; ';' is a statement terminator here)
zone "yourdomain.com" {
    type master;
    file "yourdomain.com.zone";
    allow-transfer { 10.0.0.2; };  // Only allow to secondary DNS; use { none; } if there is no secondary
};

If using a managed DNS provider (Cloudflare, Route53, etc.), zone transfers are typically disabled by default.

2. Minimise DNS Information Disclosure

Remove unnecessary DNS records:

; Remove internal hostnames from public DNS
; Don't publish records like:
;   internal.yourdomain.com
;   staging.yourdomain.com
;   dev.yourdomain.com
;   db.yourdomain.com
;   admin.yourdomain.com
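The following script is an added example and is not part of this check or of DNSRecon. It parses a BIND-style zone file and flags the two things step 2 warns about: hostnames whose labels suggest internal infrastructure, and A records that publish RFC 1918 addresses in a public zone. The label list, the sample zone, and the function names `parse_zone` and `audit_zone` are assumptions for this example.

```python
import ipaddress
import sys

# Hostname labels that usually denote infrastructure the public has no need to resolve.
# Assumed list based on the names above; extend it to match your own naming scheme.
SENSITIVE_LABELS = {"internal", "staging", "dev", "db", "admin", "vpn", "test"}

# RFC 1918 ranges: an A record with one of these in a public zone leaks internal addressing.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample zone file for this example (not a real zone).
SAMPLE_ZONE = """\
$ORIGIN yourdomain.com.
$TTL 3600
@           IN  SOA  ns1.yourdomain.com. hostmaster.yourdomain.com. (
                2024010101 ; serial
                7200       ; refresh
                3600       ; retry
                1209600    ; expire
                3600 )     ; minimum
@           IN  NS   ns1.yourdomain.com.
@           IN  NS   ns2.yourdomain.com.
@           IN  MX   10 mail.yourdomain.com.
www         IN  A    203.0.113.10
mail        IN  A    203.0.113.20
staging     IN  A    10.0.5.10
db          IN  A    10.0.5.20
admin.app   IN  CNAME www.yourdomain.com.
ns1         IN  A    203.0.113.1
ns2         IN  A    203.0.113.2
"""


def parse_zone(text, origin=None):
    """Parse a zone file into (owner_fqdn, rtype, rdata_fields) tuples.

    Handles $ORIGIN, ';' comments, parenthesised multi-line records and
    owner-name inheritance from the previous record. Quoted strings that
    contain ';' or '(' (e.g. some TXT records) are not handled by this minimal parser.
    """
    records, last_owner, depth, owner_token, fields = [], None, 0, None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if depth == 0 and line.startswith("$"):
            if line.startswith("$ORIGIN"):
                origin = line.split()[1]
            continue  # $TTL and other directives carry no records
        tokens = line.replace("(", " ( ").replace(")", " ) ").split()
        if depth == 0:
            # A record line that starts with whitespace reuses the previous owner name.
            owner_token = None if line[0].isspace() else tokens.pop(0)
            fields = []
        fields.extend(t for t in tokens if t not in ("(", ")"))
        depth += tokens.count("(") - tokens.count(")")
        if depth > 0:
            continue  # still inside a parenthesised record
        if owner_token is None:
            owner = last_owner
        elif owner_token == "@":
            owner = origin
        elif owner_token.endswith("."):
            owner = owner_token
        else:
            owner = f"{owner_token}.{origin}"
        last_owner = owner
        # Optional TTL and class precede the record type.
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)
        records.append((owner, fields[0].upper(), fields[1:]))
    return records


def audit_zone(records, origin):
    """Return (owner, rtype, reason) findings for records that should not be public."""
    findings = []
    origin_labels = origin.rstrip(".").split(".")
    for owner, rtype, rdata in records:
        labels = owner.rstrip(".").split(".")
        host_labels = labels[: len(labels) - len(origin_labels)]
        hits = SENSITIVE_LABELS & set(host_labels)
        if hits:
            findings.append((owner, rtype, "sensitive label: " + ", ".join(sorted(hits))))
        if rtype == "A":
            ip = ipaddress.ip_address(rdata[0])
            if any(ip in net for net in RFC1918):
                findings.append((owner, rtype, f"private address {ip} published"))
    return findings


if __name__ == "__main__":
    # Usage: python zone_audit.py [zone-file] [origin]; defaults to the constructed sample.
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as fh:
            zone_records = parse_zone(fh.read(), sys.argv[2])
        zone_origin = sys.argv[2]
    else:
        zone_records, zone_origin = parse_zone(SAMPLE_ZONE), "yourdomain.com."
    for owner, rtype, reason in audit_zone(zone_records, zone_origin):
        print(f"{owner:30} {rtype:6} {reason}")
```

Run against the sample and it reports `staging`, `db` and `admin.app` as sensitive names, and the two 10.0.5.x addresses as private ranges leaked into public DNS; those are exactly the entries step 2 says to move out of the public zone (or into the internal view of step 4).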

3. Implement DNSSEC

DNSSEC prevents DNS spoofing and cache poisoning. Note that it does not hide records: a zone signed with plain NSEC can be walked name by name, so sign with NSEC3 to avoid handing an enumeration tool a complete list:

# If using Cloudflare, enable DNSSEC in the dashboard
# For BIND (manual signing; recent BIND releases can automate this with dnssec-policy):
dnssec-keygen -a ECDSAP256SHA256 -n ZONE -f KSK yourdomain.com   # key-signing key (ECDSA key size is fixed, no -b needed)
dnssec-keygen -a ECDSAP256SHA256 -n ZONE yourdomain.com          # zone-signing key
# -S reads the generated K*.key files from the current directory; -3 - uses NSEC3 with no salt so the zone cannot be walked
dnssec-signzone -S -3 - -o yourdomain.com yourdomain.com.zone
# Publish the DS record written to dsset-yourdomain.com. with your registrar

4. Use Split-Horizon DNS

Keep internal DNS records separate from public ones:

// Views are matched in the order they appear, so the internal view must come first:
// otherwise the external view's "any" would match internal clients as well.
view "internal" {
    match-clients { 10.0.0.0/8; };
    zone "yourdomain.com" {
        type master;
        file "yourdomain.com.internal.zone";
    };
};

// Public view
view "external" {
    match-clients { any; };
    zone "yourdomain.com" {
        type master;
        file "yourdomain.com.external.zone";
    };
};

5. Monitor DNS Records

Regularly audit your DNS records and remove stale entries:

# List DNS records (many servers answer ANY with a minimal response per RFC 8482,
# so query the types you care about explicitly)
dig yourdomain.com ANY +noall +answer
for t in A AAAA MX NS TXT SRV; do dig yourdomain.com $t +noall +answer; done

# Check for zone transfer vulnerability (repeat for every authoritative nameserver)
dig axfr yourdomain.com @ns1.yourdomain.com
# Should return "Transfer failed" or "connection refused"

Verification

After applying fixes, DNSRecon should not be able to perform zone transfers. The number of discoverable records should be minimal, limited to publicly necessary entries.
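The script below is an added example, not part of this check or of DNSRecon, and automates the zone transfer test from step 5 and the verification above: it runs `dig axfr` against each authoritative nameserver and classifies the transcript as allowed, refused or unreachable rather than relying on eyeballing the output. The three sample transcripts are constructed for the example, and the helper names (`parse_axfr_records`, `classify_axfr`, `check_zone_transfer`, `nameservers_for`) are assumptions.

```python
import shutil
import subprocess

# Constructed dig transcripts (not captured from a real server) standing in for the
# three outcomes an AXFR probe can produce.
ALLOWED_OUTPUT = """\
; <<>> DiG 9.18.24 <<>> axfr yourdomain.com @ns1.yourdomain.com
;; global options: +cmd
yourdomain.com.         3600 IN SOA ns1.yourdomain.com. hostmaster.yourdomain.com. 2024010101 7200 3600 1209600 3600
yourdomain.com.         3600 IN NS  ns1.yourdomain.com.
www.yourdomain.com.     3600 IN A   203.0.113.10
staging.yourdomain.com. 3600 IN A   10.0.5.10
yourdomain.com.         3600 IN SOA ns1.yourdomain.com. hostmaster.yourdomain.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
;; XFR size: 5 records (messages 1, bytes 220)
"""
REFUSED_OUTPUT = """\
; <<>> DiG 9.18.24 <<>> axfr yourdomain.com @ns1.yourdomain.com
;; global options: +cmd
; Transfer failed.
"""
UNREACHABLE_OUTPUT = """\
;; communications error to 203.0.113.1#53: connection refused
; <<>> DiG 9.18.24 <<>> axfr yourdomain.com @ns1.yourdomain.com
;; global options: +cmd
; Transfer failed.
"""


def parse_axfr_records(output):
    """Extract (owner, rtype, rdata) tuples from a dig AXFR transcript; comment lines start with ';'."""
    records = []
    for line in output.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(";"):
            continue
        # dig prints records as: owner TTL class type rdata...
        if len(parts) >= 5 and parts[2].upper() == "IN":
            records.append((parts[0], parts[3].upper(), parts[4:]))
    return records


def classify_axfr(output):
    """Return ('allowed', n_records), ('refused', 0) or ('unreachable', 0)."""
    records = parse_axfr_records(output)
    # A complete AXFR is bracketed by the zone's SOA record at start and end.
    if len(records) >= 2 and records[0][1] == "SOA" and records[-1][1] == "SOA":
        return "allowed", len(records)
    lowered = output.lower()
    if "communications error" in lowered or "connection timed out" in lowered:
        return "unreachable", 0
    return "refused", 0


def check_zone_transfer(domain, nameserver, timeout=5):
    """Run dig axfr against one nameserver and classify the result (needs dig and network access)."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found; install bind-utils / dnsutils")
    proc = subprocess.run(
        ["dig", "axfr", domain, f"@{nameserver}", f"+time={timeout}", "+tries=1"],
        capture_output=True, text=True, check=False,
    )
    return classify_axfr(proc.stdout + proc.stderr)


def nameservers_for(domain):
    """Authoritative nameservers for the domain via 'dig +short NS' (needs network access)."""
    proc = subprocess.run(["dig", "+short", "NS", domain], capture_output=True, text=True, check=False)
    return [ns.rstrip(".") for ns in proc.stdout.split()]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "yourdomain.com"
    for ns in nameservers_for(target):
        status, count = check_zone_transfer(target, ns)
        flag = "FAIL" if status == "allowed" else "ok"
        print(f"{flag:4} {ns}: {status} ({count} records)")
```

An "unreachable" result is not a pass: it usually means TCP/53 is filtered between you and that server, so re-run the check from a vantage point that can reach it before concluding the transfer is blocked.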

Related Issues

  • DNS Security
  • Subdomain Discovery
  • Subdomain Takeover

Check Your Laravel App for This Vulnerability

StackShield runs this check and 30+ others automatically. No code installation required.