Vulnerability Development mailing list archives
RE: DNS zone transfer
From: "Brad Bemis" <bradleyb () bigfoot com>
Date: Sun, 9 Jun 2002 10:45:18 -0700
It looks to me as though they are blocking TCP/53 (note UDP/53 is used for queries and TCP/53 is used for the zone transfer). There could also be a split-DNS implementation that hinders your efforts (restricting the number and type of records that you might be able to locate on the externally accessible name server)... They may also have the DNS tree set up so that only qualified name servers can conduct zone transfer. These are all common best practices when protecting DNS servers.

Have you looked at secondary DNS servers associated with this target? Many times, a secondary DNS server is forgotten about... Since they use the simple name structure of ns1.wustl.edu, you could script query attempts against a range of name servers using an nsx loop... Read in the results and if they do not match a zone transfer denial (i.e. "*** Can't list domain domain.com: Query refused"), you have a target... Just a few ideas...

There are several more advanced methods that could also be used, but they do not involve passive information gathering ;-)

-----Original Message-----
From: Vlad [mailto:progman () netvision net il]
Sent: Sunday, June 09, 2002 1:02 AM
To: 'Short_Circut'
Cc: vuln-dev () securityfocus com
Subject: RE: DNS zone transfer

First of all thanks for the answer, but I must say that I've already tried all that. Using nslookup returns the following:

=====================================
ls -d domain.com
[[ns.domain.com]] *** Can't list domain domain.com: Query refused
domain.com
domain.com nameserver = ns.domain.com
....
....
domain.com
primary name server = ns1.domain.com
responsible mail addr = p
serial = 1234567890
refresh = 3600 (1 hour)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
ns.domain.com internet address = x.x.x.x
=====================================

The request to enumerate all domain records (first ex.) returns "Query refused". A resolve request (second ex.) returns what seems like all nameserver records for that domain (type = ALL in nslookup). That's nice but not as important as the other records the server contains, they are the ones I'm after.

Suggestions?

- Vlad.

-----Original Message-----
From: Short_Circut [mailto:circut () TheSocket remoteserver org]
Sent: Sunday, June 09, 2002 3:22 AM
To: Vlad
Cc: vuln-dev () securityfocus com
Subject: Re: DNS zone transfer

Greetings,

Is it possible to remotely retrieve all DNS records from a server *without* knowing the specific zones it hosts? (cause then I can script "dig @dns-server.ip zone-domain ALL" )

If it matters the server runs the DNS service on Win2k and I've got no preference for Windows or *NIX tools. Any will do.

Thanks,

- Vlad.

try 'host' and nslookup.

host -l wustl.edu

and nslookup

[root@TheSocket - <~> nslookup
Default Server: Server.thesocket.net
Address: 10.0.2.1
server ns1.wustl.edu
Default Server: ns1.wustl.edu
Address: 128.252.135.4
ls -d wustl.edu
hehehe view the nice result

:~Short_Circut~:
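
A defender-side view of the name-server sweep discussed in this thread, as an added example that is not part of any poster's message: it scans transfer log lines from several name servers, flags clients refused AXFR on more than one server, and flags any transfer started for a client that is not an authorized secondary. The log format (loosely modelled on BIND-style transfer messages), the addresses and the allow-list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: "<server> <message>" lines, loosely modelled on
# BIND-style transfer logging (an assumption; adapt the regex to the
# format your DNS server actually writes).
SAMPLE_LOG = """\
ns1 client 198.51.100.7#40112 (example.com): zone transfer 'example.com/AXFR/IN' denied
ns2 client 198.51.100.7#40120 (example.com): zone transfer 'example.com/AXFR/IN' denied
ns3 client 198.51.100.7#40131 (example.com): transfer of 'example.com/IN': AXFR started
ns1 client 192.0.2.53#51000 (example.com): transfer of 'example.com/IN': AXFR started
ns2 client 203.0.113.9#33001 (example.com): zone transfer 'example.com/AXFR/IN' denied
"""

# Hypothetical allow-list of secondaries permitted to pull the zone.
AUTHORIZED_SECONDARIES = {"192.0.2.53"}

LINE = re.compile(
    r"^(?P<server>\S+) client (?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"(?:zone transfer '(?P<dz>[^/']+)/AXFR/IN' (?P<denied>denied)"
    r"|transfer of '(?P<sz>[^/']+)/IN': AXFR started)$"
)


def audit_transfers(log_text, authorized=AUTHORIZED_SECONDARIES, sweep_threshold=2):
    """Return clients sweeping several servers and transfers to unknown clients."""
    denied = defaultdict(set)   # client IP -> servers that refused it
    leaks = []                  # (server, client IP, zone) for unexpected transfers
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue            # not a transfer-related line
        ip, server = m["ip"], m["server"]
        if m["denied"]:
            denied[ip].add(server)
        elif ip not in authorized:
            # A forgotten secondary answering AXFR shows up here.
            leaks.append((server, ip, m["sz"]))
    sweeps = {ip: sorted(s) for ip, s in denied.items() if len(s) >= sweep_threshold}
    return {"sweeps": sweeps, "unauthorized_transfers": leaks}


if __name__ == "__main__":
    print(audit_transfers(SAMPLE_LOG))
```
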