VS: DNS zone transfer

From: Toni Heinonen (Toni.Heinonenat_private)
Date: Sun Jun 09 2002 - 10:40:38 PDT


    Good evening,
    
    DNS should work on top of both UDP and TCP. TCP is used if the query is too large for a single unfragmented UDP datagram, or perhaps if the UDP datagram isn't answered (UDP port 53 firewalled or packet loss, for example). So actually both should work, but most people don't open TCP port 53 in their firewalls, just UDP.
    
    Then again, from what I recall, most DNS clients always use TCP when doing zone dumps, because the answer is so big. So that might be a reason it doesn't work. AFAIK you should also be capable of doing zone dumps through UDP, so you simply have to hack your own client software to do so, if all of the vanilla clients try TCP.
    
    Most likely the DNS server has been configured not to allow zone dumps, or to allow them only to the secondary name servers. If you can eavesdrop on the answer, you could spoof being a secondary name server. Most likely, though, you won't be able to eavesdrop between the two unless you are on the same network as they are.
    
    AXFRs and IXFRs are both just special DNS queries, so, as I said, they shouldn't be bound to just the TCP transport; UDP should work too.
    
    As a clever administrator, you should of course also deny incremental zone transfers (IXFR), not only full zone dumps (AXFR). Just denying "zone dumps" in your basic DNS server should of course restrict both types.
    
    I agree with the other posters: if you are somehow able to dump the whole zone even though both AXFRs and IXFRs are denied, I would consider that information leakage.
    
    After all, I do have one thing you might try: dig their IP address space. You should be able to find it from e.g. their WHOIS records, and then just reverse-map all the addresses. After all, most people won't be storing lots of names in the DNS domain that don't belong to their IP address space; why would they have DNS mappings for other people's networks, unless they're operators?
    
    If finding their IP address space causes trouble, you can go the easy way and just ask for the mail exchanger and then its IP address, or ask for www.domain.com, after which you have one IP address from the IP address space and can start doing reverse DNS queries below and above that address. Once you start getting addresses reverse-mapped to other domains, you know you've hit the upper/lower boundary of their IP addresses. Of course, this won't discover discontiguous IP address spaces.
    
    -- 
    Toni Heinonen, Teleware Oy
      Wireless +358 (40) 836 1815
      Telephone +358 (9) 3434 9123
      toni.heinonenat_private
      www.teleware.fi
    
    
    > -----Original message-----
    > From: Maximiliano Perez [mailto:mpat_private] 
    > Sent: 9 June 2002 19:29
    > To: Vlad; 'Short_Circut'
    > Cc: vuln-devat_private
    > Subject: RE: DNS zone transfer
    > 
    > 
    > They can restrict it via:
    > 
    > 	- Filtering port 53/tcp, try telneting.
    > 	- Restricting axfr's in config file.
    > 
    > I think you should find another way.
    > 
    > btw i think this is offtopic.
    



    This archive was generated by hypermail 2b30 : Sun Jun 09 2002 - 18:01:33 PDT