• QOMPLX Knowledge
  • Apr 28, 2021
  • By QOMPLX

QOMPLX Knowledge: Detecting Successful Zone Transfer from an Unknown Source

QOMPLX Knowledge: Detecting Successful Zone Transfer from an Unknown Source

This is the latest in a series of posts we’re calling “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.


The goal of cyber adversaries who compromise an IT environment is to move off of the system that provided an initial foothold and to establish a presence on other, higher value IT assets up to- and including the domain controller. To do that, attackers will try to “footprint” a network. That is: determine what IT assets are deployed in the environment and where. Obtaining a map of IT assets is critical to adversaries’ ability to move laterally within your environment without attracting notice. Identifying and stopping reconnaissance can prevent adversaries from obtaining persistent access to your environment.

In this post, we’re taking a look at how QOMPLX’s technology helps customers to spot one technique for foot-printing target environments: DNS zone transfers.

Key Points:

  • Monitoring for DNS zone transfer requests issued from an unknown or unauthorized source is a useful strategy for spotting efforts by malicious actors to map network environments.
  • Successful zone transfers can provide malicious actors with vital information that can inform later attacks including domain names, computer names, and IP addresses of sensitive network resources.
  • Windows Event ID 6001 (a successful zone transfer was completed) is associated with this activity and should be monitored closely for domain transfers from unauthorized sources.
  • QOMPLX Identity Assurance allows users to monitor for transfer requests from unauthorized sources. (Unauthorized sources might be DNS servers not listed among the name server (NS) resource records in their zones or from other than authorized IP addresses.)

How Zone Transfers Footprinting Works:

The Domain Name System (DNS) provides an invaluable service: translating IP addresses into human-friendly domains. Because DNS is a critical function and requires resilience, organizations typically use both primary and redundant (secondary) DNS servers that can process DNS requests in the event that a server becomes unavailable. Zone transfers are critical to the operation of this network: allowing information on a DNS zone to be shared among a number of redundant, DNS servers.

Those zone files, however, contain a wealth of information about your internal IT environment: the DNS domain names used in the environment as well as the names and IP addresses of IT assets deployed within the environment. That information often reveals the purpose of a specific IT asset and, possibly, its physical location as well.

Attackers can obtain that information through fraudulent zone transfers in which an asset controlled by the attacker issues a zone transfer request. Generally, DNS zone transfers are allowed only between servers listed in the name server (NS) resource record of a zone. DNS configurations can also be secured by limiting DNS zone transfers to specific IP addresses in an environment. However, DNS is a standard that is more than three decades old and that was designed as an open protocol. More lax DNS deployments may allow DNS zones to be transmitted to any requesting server.

QOMPLX Detection:

QOMPLX Identity Assurance (IA) uses windowed detection rules to monitor for Windows Event ID 6001, which indicates a successful zone transfer has completed. The detection can be configured to trigger if the zone transfer came from an unauthorized IP address or server.

Zone transfers represent an easy and quick way for attackers to gather information on your environment. The earlier your organization can detect and respond to early stage malicious activities like suspicious DNS zone transfers, the more likely you are to stop the attacker before damage can be done.

Additional Reading:

QOMPLX Knowledge: Detecting Account Name Enumeration

QOMPLX Knowledge: Detecting New Members Added To Sensitive Groups

QOMPLX Knowledge: Detecting Password Spraying Attacks

Q:CYBER Ingesting Windows Event Logs

Q:CYBER Using Windowed Rules for Advanced Detection

QOMPLX Knowledge: Golden Ticket Attacks Explained

QOMPLX Knowledge: Silver Ticket Attacks Explained

QOMPLX Knowledge: Responding to Golden Ticket Attacks

QOMPLX Knowledge: DCSync Attacks Explained

QOMPLX Knowledge: DCShadow Attacks Explained

QOMPLX Knowledge: Pass-the-Ticket Attacks Explained

QOMPLX Knowledge: Kerberoasting Attacks Explained

Understanding Zones and Zone Transfer


Learn More

Use the following form to request more information about QOMPLX detection of sophisticated attacks and other threats.

You might also be interested in

Lessons from the Medibank breach

Lessons from the Medibank breach

Ming Fu, a member of the Americas Pre-Sales Engineering Team at QOMPLX, looks at the much publicized Medibank breach in Australia last year, and draws a few much needed lessons based on the published findings of this breach.

Read more
IcedID Malware Gaining Prominence by Adding Identity Attack Chains

IcedID Malware Gaining Prominence by Adding Identity Attack Chains

Brian Freedman, WW Director of Solution Architecture highlights how identity controls are necessary tools, along with EDR, to combat evolving malware threats that have been expanding to include identity compromise as a primary objective in their attack strategies.

Read more
QOMPLX Knowledge: OverPass The Hash Attacks

QOMPLX Knowledge: OverPass The Hash Attacks

OverPass The Hash (OPtH) is a form of credential theft- and reuse attack that is one of the most common methods of lateral movement within compromised IT environments.

Read more
Request a Demo

Interested in learning more?

Subscribe today to stay informed and get regular updates from QOMPLX.