PROTOCOL-DNS -- Snort alerted on a Domain Name Server (DNS) protocol issue. These packets travel over UDP on port 53 to serve DNS queries--user website requests through a browser. Several vulnerability use-cases exist (ie, additional data could be sent with a request, which would contact a DNS server pre-prepared to send information back and forth).
PROTOCOL-DNS dns zone transfer via UDP detected
A zone transfer of records on the DNS server has been requested. A successful zone transfer can give valuable reconnaissance about hostnames and IP addresses for the domain. Impact: Information leak, reconnaissance. A malicious user can gain valuable information about the network. Details: Zone transfers are normally used to replicate zone information between master and slave DNS servers. If zone transfers have not been restricted to authorized slave servers only, malicious users can attempt them for reconnaissance about the network. The content |00 00 FC| looks for the end of a DNS query and a DNS type of 252 meaning a DNS zone transfer. Ease of Attack: Simple to perform using tools such as nslookup, dig, and host.
No information provided
No public information
Known false positives, with the described conditions
Legitimate zone transfers from authorized slave servers may cause this False positives may arise from TSIG DNS traffic. If all of your slave servers are in your $HOME_NET and you do not support TSIG, the likelihood of false positives should be very low.
Cisco Talos Intelligence Group
No rule groups
CVE-1999-0532 |
Loading description
|