Will the DNS Recon alert be triggered if forwarders are used?

  • Question

  • Hello, 

    I set up ATA 1.9 in my dev environment recently. I'm going through the attack playbook and triggering alerts.

    For the DNS Recon alert that is triggered when an entity attempts to do a zone xfer, would this trigger if the zone xfer request wasn't directly against the domain controller, but instead was against a forwarder?

    We use forwarders in our environment that pass all internal domain queries onto the domain controller.

    I don't have forwarders set up in my DEV environment, so I was just wondering if anybody has done this.

    Thanks!

    Thursday, February 21, 2019 5:15 PM

All replies

  • I am not sure what forwarders look like, but if the AXFR request would eventually end up at the DC, we would still see it. If the forwarder IP appears as the source and we did not "mark" it as a valid DNS server, we would still alert. In this case I am just not sure which IP you will see, the forwarder's IP or the original one.
    Thursday, February 21, 2019 10:06 PM
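An added illustration, not code from the thread or from ATA itself: detection logic in the spirit of the reply above, run over constructed DNS log lines. It flags AXFR requests reaching the DC from any source not approved for zone transfers and, when the source is a known forwarder, consults the forwarder's own log to recover the original client (the point the reply was unsure about). The log format, addresses, and allowlists are assumptions.

```python
"""Added example: alert on unapproved AXFR requests seen at the DC and
attribute those relayed by a forwarder back to the originating client."""
from collections import namedtuple
from datetime import datetime

# Constructed sample records in a simplified "time src dst qtype qname"
# format; they are not real Windows DNS server or ATA log lines.
DC_LOG = """\
2019-02-21T17:10:01 10.0.0.5 10.0.0.10 AXFR corp.example.
2019-02-21T17:10:02 10.0.0.5 10.0.0.10 A www.corp.example.
2019-02-21T17:11:30 10.0.0.77 10.0.0.10 AXFR corp.example.
"""
FWD_LOG = """\
2019-02-21T17:10:00 10.0.1.42 10.0.0.5 AXFR corp.example.
2019-02-21T17:10:02 10.0.1.43 10.0.0.5 A www.corp.example.
"""
# Hypothetical allowlists. Only genuine secondary DNS servers belong in
# APPROVED_XFER_PEERS; a forwarder that merely relays client queries should
# NOT be listed there, or every relayed AXFR would be silently suppressed.
APPROVED_XFER_PEERS = {"10.0.0.11"}
FORWARDERS = {"10.0.0.5"}
MATCH_WINDOW_SECONDS = 2  # clock skew tolerated when correlating the two logs

Record = namedtuple("Record", "ts src dst qtype qname")


def parse(log):
    """Parse the constructed format into Record tuples with datetime stamps."""
    records = []
    for line in log.splitlines():
        if line.strip():
            ts, src, dst, qtype, qname = line.split()
            records.append(Record(datetime.fromisoformat(ts), src, dst, qtype, qname))
    return records


def axfr_alerts(dc_log, fwd_log=""):
    """Return (dc_source, attributed_origin, zone) for each suspicious AXFR."""
    fwd_records = parse(fwd_log)
    alerts = []
    for r in parse(dc_log):
        if r.qtype != "AXFR" or r.src in APPROVED_XFER_PEERS:
            continue
        origin = r.src
        if r.src in FORWARDERS:
            # The DC only sees the forwarder's address; find the same zone
            # transfer request on the forwarder's log to recover the real client.
            matches = [f for f in fwd_records if f.qtype == "AXFR" and f.qname == r.qname
                       and abs((f.ts - r.ts).total_seconds()) <= MATCH_WINDOW_SECONDS]
            origin = matches[0].src if matches else f"unknown client behind {r.src}"
        alerts.append((r.src, origin, r.qname))
    return alerts
```

Without the forwarder's log the alert still fires, but only the forwarder address is available as the source.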