Description

DNS zone transfer is a legitimate feature that replicates a DNS zone from a primary DNS server to a secondary one, using the AXFR query type. However, attackers often abuse this mechanism during the reconnaissance phase to retrieve all DNS records, which gives them valuable information for attacking the environment. In particular, a successful DNS zone transfer can give an attacker useful information about the computers listed in the DNS zone and how to access them, and lets the attacker guess their roles. Note that failed zone transfers (e.g. not having the necessary rights, zone transfer not configured on the server, etc.) are also detected.
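The following added example (not the product's own detection code) shows one way to flag AXFR requests from hosts that are not known secondaries and to record the server's answer, so refused attempts are reported as well. It assumes each event is a DNS message with the TCP length prefix already stripped and that responses echo the question; the addresses, zone name and function names are constructed for illustration.

```python
import struct

AXFR = 252  # QTYPE of a full zone transfer request (RFC 1035)
RCODES = {0: "NOERROR", 5: "REFUSED", 9: "NOTAUTH"}

def build_message(msg_id, zone, qtype, response=False, rcode=0):
    """Build a one-question DNS message; used only to construct sample data."""
    header = struct.pack("!HHHHHH", msg_id, (0x8000 if response else 0) | rcode, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in zone.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (id, is_response, rcode, qname, qtype) for a one-question message."""
    if len(msg) < 12 or msg[4:6] != b"\x00\x01":
        raise ValueError("not a one-question DNS message")
    msg_id, flags = struct.unpack("!HH", msg[:4])
    pos, labels = 12, []
    while pos < len(msg) and msg[pos] != 0:
        length = msg[pos]
        if length > 63 or pos + 1 + length > len(msg):
            raise ValueError("invalid or truncated label")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 5 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return msg_id, bool(flags & 0x8000), flags & 0x000F, ".".join(labels), qtype

def detect_axfr(events, allowed_secondaries):
    """Alert on AXFR requests from non-secondaries; attach the server's RCODE."""
    alerts = {}  # keyed by (client, server, message id), insertion-ordered
    for src, dst, raw in events:
        msg_id, is_response, rcode, zone, qtype = parse_question(raw)
        if qtype != AXFR:
            continue
        if not is_response and src not in allowed_secondaries:
            alerts[(src, dst, msg_id)] = {"client": src, "zone": zone, "outcome": "no response"}
        elif is_response and (dst, src, msg_id) in alerts:
            alerts[(dst, src, msg_id)]["outcome"] = RCODES.get(rcode, f"RCODE {rcode}")
    return list(alerts.values())

# Constructed sample traffic (documentation addresses, hypothetical zone name).
DNS, SECONDARY, WORKSTATION = "192.0.2.53", "192.0.2.54", "198.51.100.23"
SAMPLE_EVENTS = [
    (SECONDARY, DNS, build_message(1, "corp.example", AXFR)),    # legitimate replication
    (WORKSTATION, DNS, build_message(7, "corp.example", AXFR)),  # attempt, refused
    (DNS, WORKSTATION, build_message(7, "corp.example", AXFR, response=True, rcode=5)),
    (WORKSTATION, DNS, build_message(8, "corp.example", AXFR)),  # attempt, accepted
    (DNS, WORKSTATION, build_message(8, "corp.example", AXFR, response=True)),
]
```

Calling `detect_axfr(SAMPLE_EVENTS, {SECONDARY})` returns two alerts for the workstation, one with outcome `REFUSED` and one with `NOERROR`, while the secondary's own transfer raises none.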

See Also

DNS Logging and Diagnostics

DNS zone transfer

Indicator Details

Name: DNS Enumeration

Codename: I-DnsEnumeration

Severity: Low

MITRE ATT&CK Information:
ID: T1046
Sub-technique of: T1046
Tactic: TA0007