Doing a DNS zone transfer

This article shows how you can perform a DNS zone transfer using nslookup on Windows and using dig on Linux.

From Wikipedia, the free encyclopedia ( http://en.wikipedia.org/wiki/Zone_transfer ):
DNS zone transfer, also sometimes known by its (most common) opcode mnemonic AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to employ for replicating the databases containing the DNS data across a set of DNS servers. Zone transfer comes in two flavors, full (opcode AXFR) and incremental (IXFR). Nearly universal at one time, it is now falling by the wayside somewhat, in favor of the use of other database replication mechanisms that modern DNS server packages provide.

The data contained in an entire DNS zone may be sensitive in nature. Individually, DNS records are not sensitive, but if a malicious entity obtains a copy of the entire DNS zone for a domain, they may have a complete listing of all hosts in that domain. That makes the job of a computer hacker much easier. A computer hacker needs no special tools or access to obtain a complete DNS zone if the name server is promiscuous and allows anyone to do a zone transfer.

Using the nslookup utility that is contained in Windows, a DNS zone transfer can be easily tried out. All you need to do is enter the target DNS server and the domain you want to interrogate:
server ns.example.com (the target DNS server)
set type=any (to get all types of DNS records)
ls -d example.com (do the actual transfer)

Using the dig utility in Linux, a DNS zone transfer is even more trivial to perform:
dig example.com axfr

When a DNS zone transfer is allowed, you should get a complete listing of all DNS entries that have been made in the DNS server for this domain. If the DNS server doesn't allow it, you will get an error indicating that the Zone transfer didn't work.

An example:

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\Lode>nslookup
Default Server:  asse.dnscache01.telenet-ops.be
Address:  195.130.130.1

> server ns1.baddns.com
Default Server:  ns1.baddns.com
Address:  xxx.xxx.xxx.xxx

> set type=any
> ls -d example.com
[ns1.baddns.com]
 example.com.              SOA    ns1.baddns.com logs.baddns.com. (2008102800 14400 7200 3600000 86400)
 example.com.              MX     0    example.com
 example.com.              NS     ns1.baddns.com
 example.com.              NS     ns2.baddns.com
 example.com.              A      yyy.yyy.yyy.yyy
 cpanel                    A      yyy.yyy.yyy.yyy
 ftp                       A      yyy.yyy.yyy.yyy
 localhost                 A      127.0.0.1
 mail                      CNAME  example.com
 webdisk                   A      yyy.yyy.yyy.yyy
 webmail                   A      yyy.yyy.yyy.yyy
 whm                       A      yyy.yyy.yyy.yyy
 www                       CNAME  example.com
 example.com.              SOA    ns1.baddns.com logs.baddns.com. (2008102800 14400 7200 3600000 86400)
> quit

C:\Users\Lode>

You can also use the following one-liner directly on your bash shell:


#!/bin/bash
# You need to have dnsutils installed
DOMAIN="YOURDOMAIN.TLD"
dig NS $DOMAIN +short | sed -e "s/\.$//g" | while read nameserver; do echo "Testing $DOMAIN @ $nameserver"; dig AXFR $DOMAIN "@$nameserver"; done

If you don’t want to use the shell, you can use the following website: http://checkdnspropagation.com/axfr/

If you get the following output for all nameservers then you’re safe.

; Transfer failed.

Otherwise you’re probably running a misconfigured server.

References:

Tags: 

Share