As part of reconnaissance, Domain Name Service (DNS) servers can provide the bad guys with pertinent data to further their attack. One of the key methods for extracting this information is the zone transfer. With just a few quick commands a DNS server will gladly cough up a sensitive list of sub-domains if it isn’t configured correctly.
In the world of DNS, “nslookup” and “dig” are the two main tools for interrogating servers. Nslookup is older and a bit more limited but useful in a pinch. Dig, on the other hand, seems to be the go-to DNS tool of choice. The example below demonstrates using each of these tools.
First, extract the name servers for the target site. In the commands below we are using Google as an example.
nslookup -type=ns google.com
dig ns google.com
Next, choose one of the name servers and attempt to run a zone transfer on it.
nslookup
> server ns1.google.com
> set type=any
> ls -d google.com
dig axfr @ns1.google.com google.com
Of course the result for Google should return a “Transfer failed” error … hopefully.
But what if you want to show off and don’t happen to know of a convenient site to demonstrate zone transfers on? That’s where Robin “@DigiNinja” Wood comes in with a very useful resource he set up called ZoneTransfer.me. Just run the above commands against that site to see it in action.
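The same two dig commands can be turned into a repeatable check that every authoritative name server for your own zone refuses AXFR. The script below is an added example, not from the original post: it assumes dig from the BIND utilities is on PATH, and the sample dig outputs it classifies are constructed (example.invalid is a placeholder zone).

```shell
#!/bin/sh
# Added example: audit whether each authoritative name server of a zone
# refuses zone transfers (AXFR). Assumes `dig` (BIND utilities) is installed.

# Classify the text output of `dig axfr`:
#   REFUSED     - the server declined the transfer ("; Transfer failed.")
#   ALLOWED:<n> - the server returned <n> resource records (misconfigured)
#   ERROR       - nothing usable came back (timeout, NXDOMAIN, etc.)
classify_axfr_output() {
    axfr_out="$1"
    if printf '%s\n' "$axfr_out" | grep -q '^; Transfer failed'; then
        echo "REFUSED"
        return 0
    fi
    # Resource record lines are not dig comments (';') and look like
    # "<name> <ttl> IN <type> ..."; count them.
    rr_count=$(printf '%s\n' "$axfr_out" | grep -v '^;' \
        | grep -Ec '^[^[:space:]]+[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+' || true)
    if [ "$rr_count" -gt 0 ]; then
        echo "ALLOWED:$rr_count"
    else
        echo "ERROR"
    fi
}

# Live check: look up the NS records for a zone and attempt AXFR against
# each one, printing "<zone> <ns> <verdict>" per server. Needs network access.
audit_axfr() {
    zone="$1"
    for ns in $(dig +short ns "$zone"); do
        live_out=$(dig axfr "@$ns" "$zone" 2>&1 || true)
        printf '%s\t%s\t%s\n' "$zone" "$ns" "$(classify_axfr_output "$live_out")"
    done
}

# Constructed sample outputs (not captured from a real server) so the
# classifier can be exercised offline.
SAMPLE_REFUSED='; <<>> DiG 9.18.0 <<>> axfr @ns1.example.invalid example.invalid
; (1 server found)
;; global options: +cmd
; Transfer failed.'

SAMPLE_ALLOWED='; <<>> DiG 9.18.0 <<>> axfr @ns1.example.invalid example.invalid
example.invalid.      3600  IN  SOA  ns1.example.invalid. admin.example.invalid. 2024010101 7200 900 1209600 3600
example.invalid.      3600  IN  NS   ns1.example.invalid.
www.example.invalid.  3600  IN  A    192.0.2.10
;; Query time: 12 msec'
```

Run `audit_axfr yourzone.example` against zones you operate; any line ending in ALLOWED means that server needs its transfer ACL tightened.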