DNS zone transfer attack
DNS Zone transfer is the process where a DNS server passes a copy of part of it's database (which is called a "zone") to another DNS server. It's how you can have more than one DNS server able to answer queries about a particular zone; there is a Master DNS server, and one or more Slave DNS servers, and the slaves ask the master for a copy of the records for that zone.
A basic DNS Zone Transfer Attack isn't very fancy: you just pretend you are a slave and ask the master for a copy of the zone records. And it sends you them; DNS is one of those really old-school Internet protocols that was designed when everyone on the Internet literally knew everyone else's name and address, and so servers trusted each other implicitly.
It's worth stopping zone transfer attacks, as a copy of your DNS zone may reveal a lot of topological information about your internal network. In particular, if someone plans to subvert your DNS, by poisoning or spoofing it, for example, they'll find having a copy of the real data very useful.
So best practice is to restrict Zone transfers. At the bare minimum, you tell the master what the IP addresses of the slaves are and not to transfer to anyone else. In more sophisticated set-ups, you sign the transfers. So the more sophisticated zone transfer attacks try and get round these controls.
SANS have a white paper that discusses this further.
@GrahamHill already explained a zone transfer pretty good already, but I'll try to fill in some more.
By being able to query for all records from the DNS server, the attacker can easily determine which machines are accessible. The zone transfer may reveal network elements that are accessible from the Internet, but that a search engine like Google (site:.target.) does not pick up. Lesson here is that you don't want to let the bad guys have the information for free! They should have to work as hard as possible for it...
An interesting fact about DNS zone transfers is that they usually rely on TCP port 53 instead of UDP port 53. If you see TCP port 53 in use, it could tell you that someone is doing a zone transfer.
To actually complete a zone transfer on a vulnerable DNS server you could issue these commands:
Windows:
nslookup
> server <DNS you are querying>
> set type=any
> ls -d <target>
Unix (nslookup is deprecated on Unix):
dig -axfr @<DNS you are querying> <target>
DigiNinja has a very good tutorial/explanation on how zone transfers work and why they should be restricted. Check out zonetransferme .