Vulnerability Development mailing list archives

RE: DNS zone transfer


From: "David LaPorte" <david_laporte () harvard edu>
Date: Mon, 17 Jun 2002 00:20:09 -0400

Sorry to post late - I've been on vacation and I didn't see a solution
posted in the thread.

DNS/BIND has no built-in mechanism to enumerate domains on a nameserver, but
it is fairly straightforward to do with whois if the domains are registered
with Network Solutions (or some other registrar that supports HOST and
SERVER lookups).

Execute a domain query.
Locate the first DNS server.
Execute a whois query on that DNS server:
whois "HOST 10.10.10.1"@whois.networksolutions.com
Locate the HST record for the DNS server.
Execute a whois query with the server directive using whois and the
respective HST record:
whois "SERVER NS9999-HST"@whois.networksolutions.com

The above is from Hacking Exposed. fatbrain.com was kind enough to publish
the entire chapter :)
http://www.osborne.com/fatbrain/series/networking/security/hack3e_ch01.html

This isn't fail-proof, but this is the only way I know of to get the info
you're looking for.

David

-----Original Message-----
From: Vlad [mailto:progman () netvision net il]
Sent: Saturday, June 08, 2002 10:01 AM
To: vuln-dev () securityfocus com
Subject: DNS zone transfer


Greetings,

Is it possible to remotely retrieve all DNS records from a server
*without* knowing the specific zones it hosts?
(because then I can script "dig @dns-server.ip zone-domain ALL")

If it matters, the server runs the DNS service on Win2k and I've got no
preference for Windows or *NIX tools. Any will do.


Thanks,
 - Vlad.