Zone transfer using dig

DNS servers usually implement replication (that is, primary and secondary servers) to improve availability. To keep the secondary's copy of the host resolution database synchronized with the primary, an operation called a zone transfer takes place: the secondary server requests the zone data (the portion of the domain namespace for which that server is responsible) from the primary, and the primary responds with a copy of the database, containing the IP address and hostname pairs that it can resolve.

A misconfiguration in a DNS server can allow anyone to request a zone transfer and obtain the full list of hosts that the server resolves. Using the Domain Internet Groper (dig) command-line tool in Linux, you can attempt a zone transfer to identify additional hosts in the domain. Zone transfers are done over TCP port 53, not UDP port 53, which is the standard port for ordinary DNS queries.

The dig command-line tool is mainly used to query DNS servers for hostnames. A simple command such as dig google.com reveals the IP address of the domain and the name of the DNS server that hosts the DNS zone for it (also known as the name server). There are many types of DNS records, such as Mail Exchanger (MX), SRV, and PTR records. The dig google.com mx command displays the information for the MX record.

In addition to the usual DNS tasks, the dig command can also be used to perform a DNS zone transfer.

Let's request a zone transfer of zonetransfer.me, a deliberately vulnerable domain created for educational purposes by Robin Wood (DigiNinja). The request is made with the dig command, asking the nsztm1.digi.ninja server for the AXFR (zone transfer) record type of the zonetransfer.me domain:

$ dig axfr zonetransfer.me @nsztm1.digi.ninja

As shown in the following screenshot, if zone transfer is enabled, dig dumps all of the entries in the zone to the terminal:

Shell commands such as grep or cut are very useful for processing the output of command-line tools. In the preceding example, the dig output is passed through a | (pipe) to cut, which shows only the first three fields of each line, using -d " " to treat a space as the field separator. In this screenshot, the columns are separated by tab characters, while the information in the last column is separated by spaces.

You will often find that even though the primary DNS server blocks zone transfers, a secondary server for that domain might allow them. The dig google.com NS +noall +answer command displays all of the name servers for that domain.
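As an added example (not code from the original text), the following script puts the two ideas above together for auditing your own domains: it reduces dig axfr output to hostname/address pairs with awk rather than cut, and it checks every name server returned by dig NS for an open transfer, since a secondary may answer when the primary refuses. The script, its function names and the sample zone data are assumptions for illustration; it needs dig and awk, and the constructed sample lets the parser run without network access.

```shell
#!/usr/bin/env bash
# Added example, not from the original text: reduce dig axfr output to
# hostname/address pairs and check every name server of a domain for an
# open zone transfer. Assumes dig and awk are installed.

# Keep only A/AAAA records from dig axfr output read on stdin and print
# "hostname<TAB>address". Comment lines (";") and other record types are dropped.
parse_axfr() {
    awk '$3 == "IN" && ($4 == "A" || $4 == "AAAA") { sub(/\.$/, "", $1); print $1 "\t" $5 }'
}

# Return 0 if the server answered the AXFR with records, 1 if it refused or
# the query failed (dig then prints "; Transfer failed." and no records).
axfr_allowed() {
    local out
    out=$(dig +time=5 +tries=1 axfr "$1" "@$2" 2>/dev/null) || return 1
    printf '%s\n' "$out" | parse_axfr | grep -q .
}

# Ask each name server of the domain whether it allows AXFR: a primary that
# refuses may still have a secondary that answers, so every NS is checked.
audit_domain() {
    local domain=$1 ns
    for ns in $(dig +short NS "$domain"); do
        if axfr_allowed "$domain" "$ns"; then
            echo "OPEN    $ns allows AXFR for $domain"
        else
            echo "closed  $ns refused AXFR for $domain"
        fi
    done
}

# Constructed sample of dig axfr output (example.com, RFC 5737/3849 addresses)
# so that parse_axfr can be exercised without network access.
SAMPLE_AXFR='; <<>> DiG 9.18.0 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
example.com.		3600	IN	SOA	ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
example.com.		3600	IN	NS	ns1.example.com.
example.com.		3600	IN	MX	10 mail.example.com.
www.example.com.	3600	IN	A	192.0.2.10
mail.example.com.	3600	IN	A	192.0.2.25
vpn.example.com.	300	IN	AAAA	2001:db8::1
;; Query time: 12 msec'

# Usage: ./axfr_audit.sh example.com
if [ $# -gt 0 ]; then
    audit_domain "$1"
fi
```

Running it against a domain prints one OPEN or closed line per name server; an OPEN line on a domain you operate means that server should be restricted to its secondaries.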

The attempt to perform a zone transfer from the DNS server of facebook.com failed, as the company has correctly locked down its DNS servers:

Performing a DNS lookup to find an IP address is passive reconnaissance. However, the moment you attempt a zone transfer with a tool such as dig or nslookup, it becomes active reconnaissance.
