RE: DNS zone transfer

From: Terry Grace (tgraceat_private)
Date: Sun Jun 09 2002 - 19:01:36 PDT


    You missed the point. The original question was how to dump ALL of the
    zones a name server hosts. Answer: not possible except by brute forcing
    all name spaces.
    
    
    -----Original Message-----
    From: Brad Bemis [mailto:bradleybat_private] 
    Sent: Sunday, June 09, 2002 1:45 PM
    To: Vlad; 'Short_Circut'
    Cc: vuln-devat_private
    Subject: RE: DNS zone transfer
    
    
    It looks to me as though they are blocking TCP/53 (note UDP/53 is used
    for queries and TCP/53 is used for the zone transfer).  There could also
    be a split-DNS implementation that hinders your efforts (restricting
    the number and type of records that you might be able to locate on the
    externally accessible name server)...  They may also have the DNS tree
    set up so that only qualified name servers can conduct zone transfers.
    These are all common best practices when protecting DNS servers.
    
    Have you looked at secondary DNS servers associated with this target?
    Many times, a secondary DNS server is forgotten about...  Since they use
    the simple name structure of ns1.wustl.edu, you could script query
    attempts against a range of name servers using an nsx loop...   Read in
    the results and if they do not match a zone transfer denial (i.e. "*** Can't
    list domain domain.com: Query refused"), you have a target...
    
    Just a few ideas...   There are several more advanced methods that could
    also be used, but they do not involve passive information gathering ;-)
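    The two points Brad makes above (transfers run over TCP/53, and a refusal
    shows up as "Query refused") can be checked without nslookup or dig. The
    following is an added example written for this archive page, not code from
    any poster in the thread: a stdlib-only Python checker that builds an AXFR
    request, sends it over TCP with the two-byte length prefix the protocol
    requires, and classifies the first reply by its RCODE (5 = REFUSED). It is
    meant for auditing the nameservers of a zone you operate, so that a
    forgotten secondary that still allows transfers is found by you first. The
    server and zone names in the usage comment are placeholders, and the two
    sample replies at the bottom are constructed so the classifier can be run
    offline.

```python
"""Check whether a nameserver answers an AXFR for a zone (stdlib only).

Zone transfers run over TCP/53 with a two-byte length prefix in front of
each DNS message; an ordinary lookup uses UDP/53.  A server that restricts
transfers answers with RCODE 5 (REFUSED), which nslookup prints as
"*** Can't list domain ...: Query refused".
"""
import socket
import struct

QTYPE_AXFR = 252          # RFC 1035 QTYPE for a full zone transfer
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """Build a DNS message asking for AXFR of `zone` (flags zero: not recursive)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return header + question


def parse_header(msg: bytes) -> dict:
    """Pull the fields we need out of the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": flags & 0x000F, "answers": an}


def classify_axfr_response(msg: bytes, txid: int) -> str:
    """Map the first AXFR reply to a verdict.

    'allowed'  - the server started sending records (transfer is open)
    'refused'  - RCODE 5: the server's transfer policy blocked the request
    'empty'    - NOERROR but no records (treat as not transferable)
    other      - the RCODE name, or 'malformed' if the reply does not match
    """
    hdr = parse_header(msg)
    if hdr["id"] != txid or not hdr["qr"]:
        return "malformed"
    if hdr["rcode"] == 5:
        return "refused"
    if hdr["rcode"] != 0:
        return RCODE_NAMES.get(hdr["rcode"], f"rcode{hdr['rcode']}")
    return "allowed" if hdr["answers"] > 0 else "empty"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a TCP socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def check_axfr(server: str, zone: str, timeout: float = 5.0) -> str:
    """Attempt an AXFR of `zone` from `server` over TCP/53; classify the first reply.

    Only the first message is read, which is enough to learn the verdict
    without pulling the whole zone.  Needs network access; nothing else does.
    """
    txid = 0x1234
    query = build_axfr_query(zone, txid)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as sock:
            sock.sendall(struct.pack("!H", len(query)) + query)  # TCP length prefix
            (length,) = struct.unpack("!H", _recv_exact(sock, 2))
            return classify_axfr_response(_recv_exact(sock, length), txid)
    except (OSError, ValueError, struct.error) as exc:
        return f"unreachable ({exc})"


# Constructed sample replies (headers only, no network needed) for the two
# outcomes discussed in the thread: a refusal and an open transfer.
_QUESTION = encode_name("domain.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + _QUESTION
SAMPLE_ALLOWED = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0) + _QUESTION

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # usage: python axfr_check.py <your-nameserver> <your-zone>
        print(sys.argv[1], sys.argv[2], check_axfr(sys.argv[1], sys.argv[2]))
    else:
        print("refused sample ->", classify_axfr_response(SAMPLE_REFUSED, 0x1234))
        print("allowed sample ->", classify_axfr_response(SAMPLE_ALLOWED, 0x1234))
```

    Run it once against every NS record of your zone, primaries and secondaries
    alike; any 'allowed' verdict from an address outside your own transfer
    peers is the misconfiguration Brad describes. On BIND the fix is an
    `allow-transfer` list limited to the secondaries (ideally keyed with TSIG);
    on Windows DNS it is the zone's "Zone Transfers" tab restricted to listed
    servers.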
    
    
    
    -----Original Message-----
    From: Vlad [mailto:progmanat_private]
    Sent: Sunday, June 09, 2002 1:02 AM
    To: 'Short_Circut'
    Cc: vuln-devat_private
    Subject: RE: DNS zone transfer
    
    
    First of all thanks for the answer, but I must say that I've already
    tried all that.
    
    Using nslookup returns the following:
    =====================================
    > ls -d domain.com
    [[ns.domain.com]]
    *** Can't list domain domain.com: Query refused
    >
    > domain.com
    domain.com        nameserver = ns.domain.com
    ....		....
    domain.com
            primary name server = ns1.domain.com
            responsible mail addr = p
            serial  = 1234567890
            refresh = 3600 (1 hour)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)
    ns.domain.com    internet address = x.x.x.x
    =====================================
    The request to enumerate all domain records (first ex.) returns "Query
    refused". A resolve request (second ex.) returns what seems like all
    nameserver records for that domain (type = ALL in nslookup).
    
    That's nice but not as important as the other records the server
    contains; they are the ones I'm after.
    
    Suggestions?
    
    
      - Vlad.
    
    
    -----Original Message-----
    From: Short_Circut [mailto:circutat_private]
    Sent: Sunday, June 09, 2002 3:22 AM
    To: Vlad
    Cc: vuln-devat_private
    Subject: Re: DNS zone transfer
    
    
    
    
    > Greetings,
    >
    > Is it possible to remotely retrieve all DNS records from a server
    > *without* knowing the specific zones it hosts?
    > (cause then I can script "dig @dns-server.ip zone-domain ALL" )
    >
    > If it matters the server runs the DNS service on Win2k and I've got no
    > preference for Windows or *NIX tools. Any will do.
    >
    >
    > Thanks,
    >  - Vlad.
    >
    
    try 'host' and nslookup.
    
    host -l wustl.edu
    
    and nslookup
    
    [root@TheSocket - <~> nslookup
    Default Server:  Server.thesocket.net
    Address:  10.0.2.1
    
    > server ns1.wustl.edu
    Default Server:  ns1.wustl.edu
    Address:  128.252.135.4
    
    > ls -d wustl.edu
    
    
    hehehe
    view the nice result
    
    :~Short_Circut~:
    



    This archive was generated by hypermail 2b30 : Mon Jun 10 2002 - 11:02:02 PDT