The remote DNS server responds to queries for third-party domains that do not have the recursion bit set.
This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.
For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more.
Note: If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees, consultants and potentially users on a guest network or WiFi connection if supported.
Contact the vendor of the DNS software for a fix.
Perform name lookups with a wordlist (dictionary attack) to identify services/hosts/websites in the target domain. Only applicable if Check for DNS zone transfer failed.
Obtain valid server names and aliases for the IP addresses in the defined scope of the test.
Only applicable if Check for DNS zone transfer failed.
Test if the authoritative nameservers are allowing zone transfers for the domains in scope.
Check if the DNS servers are vulnerable to version queries.
Analyze the reported version for vulnerabilities and available exploits.
List the authoritative name server for the target domain(s).