← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
tenable:10595 · CWE-200

DNS Server Zone Transfer Information Disclosure

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is leaving the building directory at reception, not leaving the vault door open

Plugin tenable:10595 is not a software bug or patchable CVE; it detects an *authoritative DNS server* that will answer a full zone transfer (AXFR) to the scanner's source IP. That can expose the zone's DNS records in bulk, including A, MX, NS, and sometimes internal-looking hostnames, mail routes, VPN names, backup systems, and delegated subzones. Affected scope is version-agnostic: *any* DNS product is in scope if it is configured to permit AXFR too broadly, including Windows DNS and BIND.

Tenable calling this MEDIUM is defensible in the abstract, but for enterprise patch triage it is usually a notch too hot. The decisive friction is that this is *information disclosure only* with no code execution, no auth bypass, and no persistence; plus many findings are only reachable from an internal scanner, which means the attacker is already on-net. I would downgrade to LOW by default, while explicitly fast-tracking any case where an *internet-facing authoritative zone* is leaking sensitive records to arbitrary clients.

"AXFR is cheap recon, not a breach by itself; downgrade unless your public authoritative DNS is dumping sensitive records."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Identify an authoritative target with dig or host

The attacker first determines the domain's authoritative name servers and picks one to test. Commodity tooling is enough: dig NS example.com, host -t ns example.com, or standard DNS recon modules. This is unauthenticated and low-noise.
Conditions required:
  • Attacker can resolve or otherwise learn the target zone name
  • Authoritative DNS service is reachable from the attacker's network position
Where this breaks in practice:
  • If the DNS service is internal-only, this already implies post-initial-access
  • Hidden or split-horizon DNS reduces what an external actor can even find to test
Detection/coverage: DNS asset inventory and external attack-surface tools can identify authoritative servers; vulnerability scanners typically test AXFR directly once they see TCP/53.
STEP 02

Attempt full zone transfer with dig AXFR or Nmap NSE

The attacker sends an AXFR request over TCP/53 using dig axfr, host -l, or Nmap's dns-zone-transfer.nse. If the server ACL allows the requestor, the server streams the zone contents back in full. This step is trivial to weaponize and requires no exploit development.
Conditions required:
  • TCP/53 is reachable to the authoritative server
  • Zone transfer ACL permits the attacker's IP, directly or via an overly broad rule like 'any'
Where this breaks in practice:
  • Modern BIND defaults disable outgoing transfers unless allow-transfer is explicitly set
  • Windows DNS commonly restricts transfers to listed name servers or specific IPs
  • Firewalls often block TCP/53 from untrusted networks even when UDP/53 is open
Detection/coverage: Very strong validation coverage: active probes with dig, host, and Nmap are deterministic. Passive monitoring can catch unusual AXFR requests on TCP/53 if DNS logs are enabled.
STEP 03

Harvest records and map the environment

A successful AXFR gives the attacker a structured inventory of the zone: hosts, mail infrastructure, delegations, service names, and sometimes naming conventions that reveal business units or environments. This materially improves phishing target selection, password-spray scoping, VPN discovery, and follow-on scanning.
Conditions required:
  • The transferred zone contains useful records beyond public web and mail hosts
Where this breaks in practice:
  • Well-run environments keep private names in internal zones rather than public authoritative zones
  • Sparse public zones may reveal little beyond already enumerable internet assets
Detection/coverage: No special scanner needed after exfiltration; the operator can review the returned records directly. SIEM value comes from correlating unexpected AXFRs with unusual source IPs.
STEP 04

Convert recon into a second-stage intrusion

The attacker still needs a separate exploit or credential path to turn the leaked DNS data into real compromise. Typical follow-on tools are password-spraying frameworks, phishing kits, or service-specific exploit scanners aimed at the newly discovered assets. This is where most real-world defensive controls finally engage.
Conditions required:
  • Leaked records expose reachable services or high-value naming hints
  • A second-stage weakness exists elsewhere in the environment
Where this breaks in practice:
  • MFA, EDR, email security, WAFs, and segmentation break the chain after recon
  • The zone dump alone does not grant execution, authentication, or privilege
Detection/coverage: Attackers often become visible only in the second stage. Treat AXFR as early recon telemetry, not as proof of imminent compromise.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo CISA KEV entry or CVE-centered campaign tracking applies here; this is a longstanding recon technique rather than a named software exploit.
Proof-of-concept availabilityCommodity-grade and built-in: dig axfr, host -l, and Nmap NSE dns-zone-transfer. No exploit kit or shellcode needed.
EPSSNot applicable. There is no CVE, so there is no FIRST EPSS probability record.
KEV statusNot applicable. This issue is not a CVE and is not represented in the KEV catalog.
CVSS interpretationNo canonical CVSS exists for the configuration issue. In practice it behaves like network-reachable, no-auth info disclosure, but impact is limited because it does not itself produce execution or privilege.
Affected scopeAny authoritative DNS server that allows AXFR to the requestor: Windows DNS, BIND, and others. This is configuration-dependent, not version-dependent.
Fixed stateThere is no patched version. Current Microsoft guidance is to restrict transfers to name-server-listed or specific servers; current BIND docs state the default, if unspecified, is allow-transfer none.
Exposure and scanning realityInternet-wide DNS datasets like Censys Active DNS map domain-to-infrastructure relationships, but they do not reliably tell you whether AXFR is allowed. You need an active AXFR probe to know.
Disclosure / detection timelineTenable plugin 10595 is a longstanding detection. The current Tenable changelog shows version 1.39 updated on 2025-08-19.
Protocol / researcherAXFR is standardized in RFC 5936. Detection logic here is operationally from Tenable, not from a vendor security advisory for a software flaw.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.6/10)

The single biggest downward pressure is that this finding is recon only: the attacker gets names and records, not execution, auth, or privilege. In many enterprise scans the reachable population is also narrowed by reality—internal DNS, restricted TCP/53, and transfer ACLs mean the finding often assumes the attacker is already inside.

HIGH Technical assessment that successful AXFR is real and trivially testable
MEDIUM Default severity downgrade without knowing whether the exposed zone is public or internal

Why this verdict

  • Baseline starts at Medium because AXFR is unauthenticated, remotely testable, and can dump a whole zone in one request if misconfigured.
  • Downgrade for impact type because the result is information disclosure, not code execution, auth bypass, privilege escalation, or service takeover.
  • Downgrade for exposure friction because only authoritative servers that both answer TCP/53 and explicitly permit transfer to the requestor are affected; that sharply narrows the reachable population in mature deployments.
  • Keep it above IGNORE because a leaked zone can materially accelerate phishing, password spray, perimeter mapping, and lateral movement by exposing hostnames and service layout.

Why not higher?

There is no direct system compromise here. Even a complete zone dump still requires a separate second-stage path—credential abuse, another vulnerability, or social engineering—to create real business impact.

Why not lower?

If the affected server is a public authoritative DNS host and it will transfer to arbitrary internet clients, exploitation is immediate and anonymous. That kind of bulk reconnaissance leak is still a real weakness, especially when the zone contains admin, mail, VPN, backup, or environment-identifying records.

05 · Compensating Control

What to do — in priority order.

  1. Restrict AXFR to explicit secondaries — Allow zone transfers only to the exact secondary servers that need them, using name-server-listed or IP-specific ACLs and TSIG where supported. For a LOW verdict there is no SLA (treat as backlog hygiene), but if this is a public authoritative zone leaking meaningful records, do not leave it for a generic backlog window.
  2. Block untrusted TCP/53 paths — Enforce firewall rules so only legitimate secondaries can reach TCP/53 on authoritative servers. This removes the most practical remote path because AXFR runs over TCP; for LOW, treat as backlog hygiene unless external exposure makes the risk concrete.
  3. Separate public and private DNS — Keep internal hostnames and service names out of public authoritative zones through split-horizon DNS or separate private zones. This reduces the value of any accidental transfer and is worth doing even when the transfer is already restricted.
  4. Log and alert on AXFR attempts — Enable authoritative DNS logging for transfer requests and alert on unexpected client IPs, especially internet sources or non-secondary hosts. This is cheap detection depth and can be implemented during normal operations with no formal LOW mitigation SLA.
What doesn't work
  • Disabling recursion does not stop AXFR; recursion and zone transfer are different controls.
  • DNSSEC does not hide zone contents; signed records are still records, and AXFR can still disclose the zone if allowed.
  • Blocking only UDP/53 does not help; AXFR is a TCP-based transfer.
  • Relying on obscurity in host naming does not fix the issue; the server will still hand over the data set if transfer is allowed.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation or scanner host that can reach the target authoritative DNS server on TCP/53. Invoke it as ./check-axfr.sh example.com 192.0.2.53; no privileges are required, but dig must be installed and the result is only valid from the network location where you run it.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check-axfr.sh
# Usage: ./check-axfr.sh <zone> <dns_server>
# Exit codes:
#   0 = VULNERABLE (AXFR succeeded)
#   1 = PATCHED (AXFR refused / not allowed)
#   2 = UNKNOWN (connectivity / tooling / ambiguous result)
#   3 = USAGE ERROR

set -u

ZONE="${1:-}"
SERVER="${2:-}"
TIMEOUT=5
TRIES=1

if [[ -z "$ZONE" || -z "$SERVER" ]]; then
  echo "UNKNOWN - usage: $0 <zone> <dns_server>" >&2
  exit 3
fi

if ! command -v dig >/dev/null 2>&1; then
  echo "UNKNOWN - 'dig' not found in PATH"
  exit 2
fi

# First, confirm the server appears authoritative / reachable for the zone.
SOA_OUT=$(dig +time=${TIMEOUT} +tries=${TRIES} +tcp @"$SERVER" "$ZONE" SOA +noall +answer +comments 2>&1)
SOA_RC=$?

if [[ $SOA_RC -ne 0 ]]; then
  echo "UNKNOWN - SOA query failed to execute against $SERVER for $ZONE"
  exit 2
fi

if ! grep -Eq "\sSOA\s" <<< "$SOA_OUT"; then
  # If there is no SOA answer, the server may not be authoritative, may be filtered,
  # or the zone argument may be wrong. Do not call it patched.
  echo "UNKNOWN - no SOA answer from $SERVER for $ZONE"
  exit 2
fi

# Attempt AXFR over TCP. Successful transfers typically end with 'XFR size:' and include records.
AXFR_OUT=$(dig +time=${TIMEOUT} +tries=${TRIES} +tcp @"$SERVER" "$ZONE" AXFR 2>&1)
AXFR_RC=$?

if [[ $AXFR_RC -ne 0 ]]; then
  echo "UNKNOWN - AXFR command failed to execute"
  exit 2
fi

# Successful AXFR indicators.
if grep -q "XFR size:" <<< "$AXFR_OUT" && ! grep -Eqi "Transfer failed|connection timed out|communications error|no servers could be reached" <<< "$AXFR_OUT"; then
  echo "VULNERABLE"
  exit 0
fi

# Common denied / safe indicators.
if grep -Eqi "Transfer failed|REFUSED|NOTAUTH|NOTIMP|connection reset|connection refused" <<< "$AXFR_OUT"; then
  echo "PATCHED"
  exit 1
fi

# Timeouts and network failures are ambiguous from this vantage point.
if grep -Eqi "timed out|no servers could be reached|communications error|network is unreachable|host unreachable" <<< "$AXFR_OUT"; then
  echo "UNKNOWN"
  exit 2
fi

# Fallback: if we did not see an explicit success marker, do not overstate.
echo "UNKNOWN"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: treat plugin 10595 as LOW by default and validate whether each finding is on a public authoritative DNS server or only reachable from inside. For this severity there is no noisgate mitigation SLA and noisgate remediation SLA is no SLA (treat as backlog hygiene), so there is no formal mitigation deadline—go fix it in normal DNS change management; however, if an internet-facing zone is actually dumping sensitive records, override the generic backlog posture and close the exposure in the next available change window rather than letting it sit for months.

Sources

  1. Tenable Nessus Plugin 10595 Changelog
  2. Microsoft Learn - DNS zones in DNS Server on Windows Server
  3. Microsoft Learn - Manage DNS zones using DNS server in Windows Server
  4. ISC BIND 9 Configuration Reference - allow-transfer
  5. Nmap NSE - dns-zone-transfer
  6. RFC 5936 - DNS Zone Transfer Protocol (AXFR)
  7. NIST SP 800-81-2 Secure DNS Deployment Guide
  8. Censys Active DNS Documentation
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.