Vulnerability Development mailing list archives

RE: DNS zone transfer


From: "Terry Grace" <tgrace () tgrace com>
Date: Sun, 9 Jun 2002 22:01:36 -0400

You missed the point. The original question was how to dump ALL of the
zones a name server hosts. Answer: not possible, except by brute forcing
all name spaces.


-----Original Message-----
From: Brad Bemis [mailto:bradleyb () bigfoot com] 
Sent: Sunday, June 09, 2002 1:45 PM
To: Vlad; 'Short_Circut'
Cc: vuln-dev () securityfocus com
Subject: RE: DNS zone transfer


It looks to me as though they are blocking TCP/53 (note UDP/53 is used
for queries and TCP/53 is used for the zone transfer).  There could also
be a split-DNS implementation that hinders your efforts (restricting
the number and type of records that you might be able to locate on the
externally accessible name server)...  They may also have the DNS tree
set up so that only qualified name servers can conduct zone transfers.
These are all common best practices when protecting DNS servers.

Have you looked at secondary DNS servers associated with this target?
Many times, a secondary DNS server is forgotten about...  Since they use
the simple name structure of ns1.wustl.edu, you could script query
attempts against a range of name servers using an nsx loop...   Read in
the results and if they do not match a zone transfer denial (i.e. "*** Can't
list domain domain.com: Query refused"), you have a target...

Just a few ideas...   There are several more advanced methods that could
also be used, but they do not involve passive information gathering ;-)



-----Original Message-----
From: Vlad [mailto:progman () netvision net il]
Sent: Sunday, June 09, 2002 1:02 AM
To: 'Short_Circut'
Cc: vuln-dev () securityfocus com
Subject: RE: DNS zone transfer


First of all thanks for the answer, but I must say that I've already
tried all that.

Using nslookup returns the following:
=====================================
ls -d domain.com
[[ns.domain.com]]
*** Can't list domain domain.com: Query refused

domain.com
domain.com        nameserver = ns.domain.com
....            ....
domain.com
        primary name server = ns1.domain.com
        responsible mail addr = p
        serial  = 1234567890
        refresh = 3600 (1 hour)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
ns.domain.com    internet address = x.x.x.x
=====================================
The request to enumerate all domain records (first ex.) returns "Query
refused". A resolve request (second ex.) returns what seems like all
nameserver records for that domain (type = ALL in nslookup).

That's nice, but not as important as the other records the server
contains; they are the ones I'm after.

Suggestions?


  - Vlad.


-----Original Message-----
From: Short_Circut [mailto:circut () TheSocket remoteserver org]
Sent: Sunday, June 09, 2002 3:22 AM
To: Vlad
Cc: vuln-dev () securityfocus com
Subject: Re: DNS zone transfer




Greetings,

Is it possible to remotely retrieve all DNS records from a server
*without* knowing the specific zones it hosts?
(cause then I can script "dig @dns-server.ip zone-domain ALL" )

If it matters the server runs the DNS service on Win2k and I've got no
preference for Windows or *NIX tools. Any will do.


Thanks,
 - Vlad.


try 'host' and nslookup.

host -l wustl.edu

and nslookup

[root@TheSocket - <~> nslookup
Default Server:  Server.thesocket.net
Address:  10.0.2.1

server ns1.wustl.edu
Default Server:  ns1.wustl.edu
Address:  128.252.135.4

ls -d wustl.edu


hehehe
view the nice result

:~Short_Circut~:
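Brad's reply above describes the defensive side of the picture: zone transfers run over TCP/53 and should only be served to authorized secondaries, with everything else refused. The script below is an added example (not code from any poster in this thread) showing how an administrator can audit a name server's own logs for that policy: it parses log lines in the shape of BIND 9 "xfer-out" and "security" messages, checks each client address against a list of authorized secondaries, and reports transfers that went to unexpected hosts, refused attempts from unknown hosts, and secondaries that were wrongly refused. The log lines, the network ranges and the exact line format are constructed assumptions for the example; verify the pattern against your own server's logging channel before relying on it.

```python
"""Audit zone-transfer log lines for AXFRs served to unexpected clients."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the shape of BIND 9 named.log messages
# (assumption: real deployments should check the format against their own
# logging configuration; some builds prefix the address with "@0x...").
SAMPLE_LOG = """\
09-Jun-2002 01:02:11.123 xfer-out: info: client 198.51.100.2#49152 (example.com): transfer of 'example.com/IN': AXFR started
09-Jun-2002 01:02:11.456 xfer-out: info: client 198.51.100.2#49152 (example.com): transfer of 'example.com/IN': AXFR ended
09-Jun-2002 01:03:30.000 general: info: zone example.com/IN: loaded serial 1234567890
09-Jun-2002 01:05:00.001 security: error: client 203.0.113.7#51234 (example.com): zone transfer 'example.com/AXFR/IN' denied
09-Jun-2002 01:06:10.500 security: error: client 198.51.100.3#40001 (example.com): zone transfer 'example.com/AXFR/IN' denied
09-Jun-2002 01:07:42.900 xfer-out: info: client 203.0.113.9#33000 (example.com): transfer of 'example.com/IN': AXFR started
09-Jun-2002 01:07:43.010 xfer-out: info: client 203.0.113.9#33000 (example.com): transfer of 'example.com/IN': AXFR ended
"""

# Assumption for the example: only the secondaries on this network may pull
# the zone (this mirrors an allow-transfer ACL on the primary).
AUTHORIZED_SECONDARIES = [ip_network("198.51.100.0/24")]

# Matches "client <ip>#<port> (<zone>): <message>", tolerating an optional
# "@0x..." object pointer that some BIND builds print before the address.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<zone>[^)]+)\): (?P<msg>.*)$"
)


def is_authorized(ip: str, allowed=AUTHORIZED_SECONDARIES) -> bool:
    """True if the client address falls inside an authorized secondary range."""
    addr = ip_address(ip)
    return any(addr in net for net in allowed)


def classify_line(line: str):
    """Return (ip, zone, event) for a transfer-related line, else None.

    event is "transfer_started" for a served AXFR or "transfer_denied" for a
    refused request; unrelated lines (zone loads, queries) yield None.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    msg = m.group("msg")
    if "AXFR started" in msg:
        event = "transfer_started"
    elif "zone transfer" in msg and "denied" in msg:
        event = "transfer_denied"
    else:
        return None
    return m.group("ip"), m.group("zone"), event


def audit(log_text: str, allowed=AUTHORIZED_SECONDARIES) -> dict:
    """Bucket transfer events by whether the client was an authorized secondary.

    leaks:               zone served to a client outside the allowed ranges
    probes:              transfer refused to a client outside the allowed ranges
    blocked_secondaries: transfer refused to a client that should be allowed
    expected:            zone served to an authorized secondary
    """
    findings = {"leaks": [], "probes": [], "blocked_secondaries": [], "expected": []}
    for line in log_text.splitlines():
        parsed = classify_line(line)
        if parsed is None:
            continue
        ip, zone, event = parsed
        ok = is_authorized(ip, allowed)
        if event == "transfer_started":
            bucket = "expected" if ok else "leaks"
        else:
            bucket = "blocked_secondaries" if ok else "probes"
        findings[bucket].append((ip, zone))
    return findings


if __name__ == "__main__":
    for bucket, events in audit(SAMPLE_LOG).items():
        print(f"{bucket}: {events}")
```

A non-empty "leaks" list means the allow-transfer policy is not doing what Brad describes, since an unknown host pulled the whole zone; entries under "blocked_secondaries" point the other way, at a secondary that will eventually expire the zone because it cannot refresh.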

