RE: DNS zone transfer

From: Brad Bemis (bradleybat_private)
Date: Sun Jun 09 2002 - 10:45:18 PDT


    It looks to me as though they are blocking TCP/53 (note UDP/53 is used for
    queries and TCP/53 is used for the zone transfer).  There could also be a
    split-DNS implementation that hinders your efforts (restricting the number
    and type of records that you might be able to locate on the externally
    accessible name server)...  They may also have the DNS tree set up so that
    only qualified name servers can conduct zone transfers.  These are all common
    best practices when protecting DNS servers.
    
    Have you looked at secondary DNS servers associated with this target?  Many
    times, a secondary DNS server is forgotten about...  Since they use the
    simple name structure of ns1.wustl.edu, you could script query attempts
    against a range of name servers using an nsx loop...   Read in the results
    and if they do not match a zone transfer denial (i.e. "*** Can't list domain
    domain.com: Query refused"), you have a target...
    
    Just a few ideas...   There are several more advanced methods that could
    also be used, but they do not involve passive information gathering ;-)
    
    
    
    -----Original Message-----
    From: Vlad [mailto:progmanat_private]
    Sent: Sunday, June 09, 2002 1:02 AM
    To: 'Short_Circut'
    Cc: vuln-devat_private
    Subject: RE: DNS zone transfer
    
    
    First of all thanks for the answer, but I must say that I've already
    tried all that.
    
    Using nslookup returns the following:
    =====================================
    > ls -d domain.com
    [[ns.domain.com]]
    *** Can't list domain domain.com: Query refused
    >
    > domain.com
    domain.com        nameserver = ns.domain.com
    ....		....
    domain.com
            primary name server = ns1.domain.com
            responsible mail addr = p
            serial  = 1234567890
            refresh = 3600 (1 hour)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)
    ns.domain.com    internet address = x.x.x.x
    =====================================
    The request to enumerate all domain records (first ex.) returns "Query
    refused".
    A resolve request (second ex.) returns what seems like all nameserver
    records for that domain (type = ALL in nslookup).
    
    That's nice, but not as important as the other records the server
    contains; they are the ones I'm after.
    
    Suggestions?
    
    
      - Vlad.
    
    
    -----Original Message-----
    From: Short_Circut [mailto:circutat_private]
    Sent: Sunday, June 09, 2002 3:22 AM
    To: Vlad
    Cc: vuln-devat_private
    Subject: Re: DNS zone transfer
    
    
    
    
    > Greetings,
    >
    > Is it possible to remotely retrieve all DNS records from a server
    > *without* knowing the specific zones it hosts?
    > ('cause then I can script "dig @dns-server.ip zone-domain ALL" )
    >
    > If it matters the server runs the DNS service on Win2k and I've got no
    > preference for Windows or *NIX tools. Any will do.
    >
    >
    > Thanks,
    >  - Vlad.
    >
    
    try 'host' and nslookup.
    
    host -l wustl.edu
    
    and nslookup
    
    [root@TheSocket - <~> nslookup
    Default Server:  Server.thesocket.net
    Address:  10.0.2.1
    
    > server ns1.wustl.edu
    Default Server:  ns1.wustl.edu
    Address:  128.252.135.4
    
    > ls -d wustl.edu
    
    
    hehehe
    view the nice result
    
    :~Short_Circut~:
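The loop Brad sketches above (try AXFR against ns1, ns2, ... and keep whichever
server does not answer "Query refused"), written out as an added example that is
not code from anyone in this thread.  It builds the AXFR query by hand so the two
points in his first paragraph are visible in the code: the transfer has to go
over TCP/53 with the 2-byte length prefix, and a refusal comes back as RCODE 5
(REFUSED), which is what nslookup prints as "Query refused".  The ns<N> naming
pattern, the count of 10, the 5-second timeout and the sample responses at the
bottom (including the hostmaster address) are assumptions; the SOA timer values
in the sample are copied from Vlad's nslookup output.

```python
"""Probe ns1..nsN.<zone> for an open zone transfer (AXFR) over TCP/53."""
import socket
import struct
import sys

QTYPE_AXFR = 252   # zone transfers use QTYPE AXFR and run over TCP, not UDP
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Encode a dotted hostname in DNS wire format (length-prefixed labels)."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                   for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


def build_axfr_query(zone, qid=0x1234):
    """12-byte header (one question, flags 0) followed by the AXFR question."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def tcp_frame(msg):
    """DNS over TCP prefixes every message with its 16-bit big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg):
    """Return (rcode name, answer count) from a DNS response header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    return RCODE_NAMES.get(rcode, str(rcode)), ancount


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf


def axfr_over_tcp(server, zone, timeout=5.0):
    """Send one AXFR query over TCP/53; return the first response message.

    None means no DNS answer at all: TCP/53 filtered, refused or timed out,
    the case Brad describes (UDP queries answered, TCP blocked).
    """
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(tcp_frame(build_axfr_query(zone)))
            (length,) = struct.unpack("!H", recv_exact(s, 2))
            return recv_exact(s, length)
    except socket.gaierror:
        raise               # unresolvable name; reported separately by scan()
    except OSError:         # timeout, connection refused, host unreachable
        return None


def classify(response):
    """Map a raw response (or None) to a verdict string."""
    if response is None:
        return "NO RESPONSE"
    rcode, ancount = parse_header(response)
    if rcode == "NOERROR" and ancount > 0:
        return "TRANSFER ALLOWED"
    return rcode


def scan(zone, count=10, prefix="ns", transfer=axfr_over_tcp):
    """Try ns1..ns<count>.<zone>; `transfer` is injectable for offline tests."""
    results = {}
    for i in range(1, count + 1):
        host = f"{prefix}{i}.{zone}"
        try:
            results[host] = classify(transfer(host, zone))
        except socket.gaierror:
            results[host] = "NO SUCH HOST"
    return results


# Constructed sample responses (not captured from any real server) used to
# exercise classify() offline.  SOA timers copy Vlad's nslookup output; the
# hostmaster address is an assumption.
_QUESTION = encode_name("domain.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + _QUESTION
_SOA_RDATA = (encode_name("ns1.domain.com") + encode_name("hostmaster.domain.com")
              + struct.pack("!IIIII", 1234567890, 3600, 600, 86400, 3600))
SAMPLE_ALLOWED = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + _QUESTION
                  + struct.pack("!HHHIH", 0xC00C, 6, QCLASS_IN, 3600, len(_SOA_RDATA))
                  + _SOA_RDATA)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "domain.com"
    for host, verdict in scan(target).items():
        print(f"{host:32} {verdict}")
```

Run it as `python axfr_scan.py domain.com`.  "NO RESPONSE" on a host that answers
normal UDP lookups is the TCP/53 filtering Brad mentions; "REFUSED" is the
nslookup "Query refused" case; a server that is forgotten about, as he puts it,
shows up as "TRANSFER ALLOWED", and only then is it worth pulling the full
transfer with dig or host.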
    



    This archive was generated by hypermail 2b30 : Sun Jun 09 2002 - 18:03:51 PDT