Most of the firewalls today are actually doing a rather good job. Unfortunately (well this depends on the point of view) some firewall administrators are not. But they should not get all the blame. It might also be that other administrators did not secure there servers, e.g. guys responsible for DNS.

So here is something I need reminding of from time to time.

DNS outbound is most of the time enabled through the firewall but just for UDP. So but by default, if you want to test for a zone transfer, you need TCP to be enabled. Does this mean that zone transfers are not possible because the DNS server is secured or because the firewall blocked you?

Well basically you would try something like this during an assessment:

dig @nameserver.domain domain axfr

So let us go change this a little bit by using an extra flag so that we might be able to do a zone transfer via UDP:

dig @nameserver.domain domain axfr +notcp

There is only one little further thing we might need to think about. So when the request would result in a big reply the DNS server would switch back to TCP. And we would be where we started.

So but maybe we could do something to reduce the packet, something like an incremental zone transfer:

dig @nameserver.domain domain ixfr=serialnumber +notcp

Ok the problem would be the serial number. You would need to send an older version to the server and see that it replies with difference between the old version and the new one. This might result in quite a view requests. But it might not be that bad as the structure is always the same: date+time and you need to do an educated guess how often there will be updates…