Sorry to post late - I've been on vacation and I didn't see a solution posted in the thread.

DNS/BIND has no built-in mechanism to enumerate domains on a nameserver, but it is fairly straightforward to do with whois if the domains are registered with Network Solutions (and some other registrars that support HOST and SERVER lookups).

Execute a domain query.
Locate the first DNS server.
Execute a whois query on that DNS server:

    whois "HOST 10.10.10.1"@whois.networksolutions.com

Locate the HST record for the DNS server.
Execute a whois query with the server directive using whois and the respective HST record:

    whois "SERVER NS9999-HST"@whois.networksolutions.com

The above is from Hacking Exposed. fatbrain.com was kind enough to publish the entire chapter :)

http://www.osborne.com/fatbrain/series/networking/security/hack3e_ch01.html

This isn't fail-proof, but this is the only way I know of to get the info you're looking for.

David

-----Original Message-----
From: Vlad [mailto:progmanat_private]
Sent: Saturday, June 08, 2002 10:01 AM
To: vuln-devat_private
Subject: DNS zone transfer

Greetings,

Is it possible to remotely retrieve all DNS records from a server *without* knowing the specific zones it hosts? (cause then I can script "dig @dns-server.ip zone-domain ALL")

If it matters, the server runs the DNS service on Win2k and I've got no preference for Windows or *NIX tools. Any will do.

Thanks,
- Vlad.
This archive was generated by hypermail 2b30 : Sun Jun 16 2002 - 23:11:48 PDT