Server mining is the practice of obtaining a copy of a complete primary zone by requesting a zone transfer. A hacker's host poses as a secondary server for the zone and asks the primary server for a copy of its records.
With a copy of your primary zone, the hacker can see what kinds of services a domain offers and the IP addresses of the servers that offer them. The hacker then tries specific attacks based on those services. This is reconnaissance before another attack.
To defend against this attack, specify which IP addresses have permission to request zone transfers (your secondary zone servers) and deny all others.
Zone transfers are carried out over TCP on port 53. To limit zone transfers, block zone transfer requests from any host other than your secondary DNS servers.
Create a firewall filter that permits only IP addresses that are inside your firewall to access TCP port 53.
Follow the instructions for configuring firewall rules, using the following settings:
Packet: Allow
Port: 53
Protocol: TCP
Source IP: the IP address of your secondary DNS server
Destination IP: the IP address of your primary DNS server
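As an added example, not part of the original page, the following Python audit reads transfer-related log lines from a DNS server and flags two things a defender wants to know: any transfer that completed to a host that is not one of your secondaries (a sign the filter above is not in place), and how many transfer requests each source had denied. The log format is assumed to follow BIND's xfer-out/security messages, and the addresses and log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Secondary servers permitted to pull the zone (constructed example addresses).
ALLOWED_SECONDARIES = {ipaddress.ip_address("192.0.2.2"),
                       ipaddress.ip_address("192.0.2.3")}

# Assumption: message shapes approximate BIND's "AXFR started" and
# "zone transfer ... denied" lines; other messages (ordinary queries) are ignored.
AXFR_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
    r"(?: \((?P<zone>[^)]+)\))?: "
    r"(?:transfer of '(?P<zone2>[^']+)/IN': (?P<kind>AXFR|IXFR) started"
    r"|zone transfer '(?P<zone3>[^']+)/IN/(?P<kind2>AXFR|IXFR)' denied)"
)

# Constructed sample log: one legitimate transfer, two denied attempts from an
# outside host, one transfer that wrongly succeeded, and one unrelated query.
SAMPLE_LOG = """\
12-Mar-2024 10:01:02.123 xfer-out: info: client 192.0.2.2#51234 (example.com): transfer of 'example.com/IN': AXFR started
12-Mar-2024 10:05:40.001 security: error: client 203.0.113.5#40002 (example.com): zone transfer 'example.com/IN/AXFR' denied
12-Mar-2024 10:05:41.770 security: error: client 203.0.113.5#40003 (example.com): zone transfer 'example.com/IN/AXFR' denied
12-Mar-2024 10:07:12.500 xfer-out: info: client 198.51.100.9#33001 (example.com): transfer of 'example.com/IN': AXFR started
12-Mar-2024 10:08:00.000 queries: info: client 203.0.113.5#40010 (example.com): query: example.com IN A + (192.0.2.1)
"""

def parse_transfer_events(log_text):
    """Yield (ip, zone, kind, outcome) for each zone-transfer log line."""
    for line in log_text.splitlines():
        m = AXFR_RE.search(line)
        if not m:
            continue  # not a transfer message
        zone = m.group("zone2") or m.group("zone3") or m.group("zone")
        kind = m.group("kind") or m.group("kind2")
        outcome = "started" if m.group("kind") else "denied"
        yield ipaddress.ip_address(m.group("ip")), zone, kind, outcome

def audit_transfers(log_text, allowed=ALLOWED_SECONDARIES):
    """Return (leaks, denied): transfers that completed to non-secondaries,
    and a per-source count of denied transfer requests."""
    leaks, denied = [], Counter()
    for ip, zone, kind, outcome in parse_transfer_events(log_text):
        if outcome == "denied":
            denied[str(ip)] += 1
        elif ip not in allowed:
            leaks.append((str(ip), zone, kind))
    return leaks, denied

if __name__ == "__main__":
    print(audit_transfers(SAMPLE_LOG))
```

A non-empty leaks list means the zone has already been copied by an unauthorized host and the firewall filter or the server's transfer ACL should be checked immediately.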