Query Details

DNS Zone Transfer (AXFR/IXFR) from Unauthorized Internal Host

05 DNS Zone Transfer AXFR

Query

// Populate with IPs of authorized secondary/slave DNS servers to exclude
// legitimate zone replication traffic and avoid duplicating the built-in rule.
let AuthorizedSecondaryDNS = dynamic([]);
// Example: dynamic(["10.1.0.53", "10.2.0.53", "192.168.10.5"])
ASimDnsActivityLogs
| where TimeGenerated > ago(1h)
| where DnsQueryTypeName in~ ("AXFR", "IXFR")
      or DnsQueryType in (252, 251)
| where SrcIpAddr !in (AuthorizedSecondaryDNS)
| summarize
    TransferAttempts = count(),
    TargetZones      = make_set(DnsQuery),
    TargetServers    = make_set(DstIpAddr),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by SrcIpAddr, SrcHostname

Explanation

This query is designed to detect unauthorized DNS zone transfer requests, which are attempts to copy DNS records from a DNS server. These requests can be either full transfers (AXFR) or incremental transfers (IXFR). The query specifically looks for such requests originating from internal hosts that are not on a predefined list of authorized secondary DNS servers. This helps to identify potentially malicious activities while ignoring legitimate DNS replication traffic.

Here's a simple breakdown of the query:

  • Purpose: To detect unauthorized DNS zone transfer requests from internal hosts.
  • How it works:
    • It checks DNS activity logs for AXFR or IXFR requests within the last hour.
    • It excludes requests from IP addresses listed as authorized secondary DNS servers.
    • It counts the number of transfer attempts and identifies the targeted DNS zones and servers.
  • Output:
    • The query summarizes the number of transfer attempts, the zones targeted, and the servers involved, along with timestamps of the first and last detected attempts.
  • Alerting:
    • If any unauthorized requests are detected, it generates an alert with details about the source host and the targeted DNS zones.
  • Severity: Medium, indicating a moderate level of concern.
  • Customization: Users can populate the list of authorized secondary DNS servers to tailor the detection to their network environment.

This query helps in identifying potential reconnaissance activities by attackers trying to gather information about the internal network through DNS zone transfers.

Details

David Alonso profile picture

David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

DnsZoneTransferAxfrIxfrHostIpAddressHostnameDnsQueryDnsQueryTypeNameDnsQueryTypeSrcIpAddrDstIpAddrTimeGeneratedTransferAttemptsTargetZonesTargetServersFirstSeenLastSeen

Operators

letdynamicagoin~in!insummarizecountmake_setminmaxby

Severity

Medium

Tactics

Reconnaissance

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub