UGN Security Forums
#3473 - 03/22/03 03:23 PM DNS system and Zone Transfers (Informative article)
SilentRage Offline
DollarDNS Owner

Registered: 03/04/02
Posts: 1273
Loc: OH, USA
Once upon a time (not very long ago), a person asked on this board if there was a way to find all the hosts associated with a domain.

Ex. yahoo.com
mail.yahoo.com
clubs.yahoo.com
store.yahoo.com

Being the resident DNS tinkerer, I assured him that there was nothing in the DNS protocol that would allow him to view such a thing. I am happy to announce that I was wrong - dead wrong.

First, I need to explain a few basics on how domain information is stored. The owners of yahoo.com enlisted the use of a DNS server. Inside of this special computer is stored all kinds of information about yahoo.com. It knows what IPs are associated with yahoo.com. It knows what the mail servers are called and their IPs. Basically every domain and every piece of information about that domain is stored in a single DNS server (or a group of them).

Well, it's an easy thing for a person to ask a DNS server what the IP is belonging to a certain domain. But it is not so easy to just tell a server to give up everything it knows on yahoo.com and all related domains.

However, how is one DNS server supposed to learn anything from another? How do these servers update each other on domain information?

Zone transfers (AXFR)

Now, the administrators of DNS servers are not supposed to allow just anybody to request entire zones from them. They should have a list of friendly DNS server IPs stored so that if somebody requests a zone transfer - it must be one of their friends. However, it is not all that uncommon to find DNS servers that DO allow just ANYBODY to request an entire zone!

So how do you do it? Well, you need to use a program which supports zone transfers. Now I'd just love to point you to my very own DNS lookup program, but I'm not quite finished adding the zone transfer feature, so nslookup, which comes with Windows (2K/XP anyway), is your second best bet.

First, we need an unsecured DNS server. I'll be nice and give ya one - ns2.secure.net.

At the command line, type this:
C:\>nslookup - ns2.secure.net

Now we're in interactive mode with nslookup and may request whatever we want of the server we specified above. First, we need to say what type of request this is going to be...

>set type=axfr

After typing the above, nslookup is ready to make a zone transfer request. Now we need to tell it the zone we want to request. "secure.net" is a good guess considering that's the root of the server domain. It may have other zones too, just for FYI. Type this into the prompt...

>ls -d secure.net

Oh my, after typing the above we are FLOODED with information. 64 different records are stored under the "secure.net" zone. Here's some sample output from my unreleased version of DNS Lookup:

Code:
- Record Name               Type     Data

  secure.net                NS       ns1.secure.net
  secure.net                NS       ns2.secure.net
  secure.net                MX       10 - mail.secure.net
  secure.net                A        161.58.2.116
  sl102.secure.net          A        192.41.0.102
  smtp.secure.net           CNAME    mail.net
  localhost.secure.net      A        127.0.0.1
There you have the first 7 records. The first two records are located under the secure.net domain. They're your DNS servers. We've just finished talking to one of them. It also tells us the smtp server name (MX). There's also some other hosts. I have no idea what sl102 is, but I know its IP address! Also, I see a domain called smtp.secure.net. The CNAME means that the domain is pointing to another domain. Also, there's a host called localhost which is only valid on their internal network.

Ok, that's the way it works. Now to put it to practical matters. First we have a domain... yahoo.com. Let's see if we can get a zone transfer about it. First we need the DNS server that stores yahoo.com's information:

First we execute nslookup:
C:\>nslookup

Then we make a request to find its DNS server:
>set type=ns

Now we say which domain we are querying:
>yahoo.com

Part of our results:
Code:
Non-authoritative answer:
yahoo.com       nameserver = ns1.yahoo.com
yahoo.com       nameserver = ns5.yahoo.com
yahoo.com       nameserver = ns2.yahoo.com
yahoo.com       nameserver = ns3.yahoo.com
yahoo.com       nameserver = ns4.yahoo.com
We've got 5 servers to choose from. Let's try each one until we find an unsecured server...

First set the type:
> set type=axfr

Change the server to be queried:
> server ns1.yahoo.com
Make the request:
> yahoo.com
*** ns1.yahoo.com can't find yahoo.com: Query refused

If it failed, change server:
> server ns2.yahoo.com
> yahoo.com
*** ns2.yahoo.com can't find yahoo.com: Query refused

Failed again *sigh*, try some more:
> server ns3.yahoo.com
> yahoo.com
*** ns3.yahoo.com can't find yahoo.com: Query refused

Yahoo sucks. 2 more left:
> server ns4.yahoo.com
> yahoo.com
*** ns4.yahoo.com can't find yahoo.com: Query refused

Last chance!
> server ns5.yahoo.com
> yahoo.com
*** ns5.yahoo.com can't find yahoo.com: Query refused

Oh well, yahoo is pretty good about their security. Maybe you should pick on smaller targets.
_________________________
Domain Registration, Hosting, Management
http://www.dollardns.net
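The exchange the post above drives through nslookup, as an added Python example that is not from the original post or from SilentRage's DNS Lookup program: it builds the raw AXFR query that `ls -d` sends, reads the TCP stream of length-prefixed reply messages, parses the records, and reports either the zone or the RCODE (nslookup's "Query refused" is RCODE 5, REFUSED). The transport is pluggable, so the two `fake_*_server` functions at the bottom stand in for an unsecured server and a refusing one; their record values are constructed from the listing in the post, and nothing here contacts ns2.secure.net or yahoo.com unless you call it with the default `tcp_transport`.

```python
"""Added example (not from the thread): a minimal AXFR client with a pluggable transport.
AXFR is a normal DNS query with QTYPE 252 sent over TCP with a 2-byte length prefix; the server
streams the zone back, possibly in several messages, opening and closing with the zone's SOA."""
import socket
import struct

QTYPE_AXFR = 252
TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """'secure.net' -> b'\\x06secure\\x03net\\x00' (uncompressed wire form)."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split(".")) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    # header: id, flags 0 (no RD, we ask the authoritative server directly), QDCOUNT 1; then the question
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)


def decode_name(msg, off):
    """Decode a possibly compressed name; returns (dotted name, offset just past it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer: follow it, remember where the name ended
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", (off if end is None else end)


def parse_rdata(msg, rtype, off, rdlen):
    if rtype == 1:
        return ".".join(str(b) for b in msg[off:off + 4])
    if rtype in (2, 5):
        return decode_name(msg, off)[0]
    if rtype == 15:
        return "%d %s" % (struct.unpack("!H", msg[off:off + 2])[0], decode_name(msg, off + 2)[0])
    if rtype == 6:
        mname, o = decode_name(msg, off)
        rname, o = decode_name(msg, o)
        return " ".join([mname, rname] + [str(v) for v in struct.unpack("!IIIII", msg[o:o + 20])])
    return msg[off:off + rdlen].hex()


def parse_response(msg):
    """One DNS message -> (rcode name, [(owner, type, ttl, rdata), ...])."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = decode_name(msg, off)[1] + 4
    records = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((owner, TYPES.get(rtype, str(rtype)), ttl, parse_rdata(msg, rtype, off, rdlen)))
        off += rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), records


def tcp_transport(server, query, timeout=10):
    """Real transport (does network I/O): length-prefixed query out, length-prefixed messages back."""
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        f = sock.makefile("rb")
        while len(hdr := f.read(2)) == 2:
            yield f.read(struct.unpack("!H", hdr)[0])


def zone_transfer(zone, server, transport=tcp_transport):
    """("OK", records) for a complete transfer (same SOA at both ends); (rcode, partial) when the
    server refuses or errors; ("INCOMPLETE", partial) when the stream ends early."""
    records = []
    for msg in transport(server, build_axfr_query(zone)):
        rcode, rrs = parse_response(msg)
        if rcode != "NOERROR":
            return rcode, records
        records.extend(rrs)
        if len(records) > 1 and records[0][1] == "SOA" == records[-1][1] and records[0][3] == records[-1][3]:
            return "OK", records
    return "INCOMPLETE", records


# Constructed stand-ins so this runs offline; the record values follow the post's listing.
def _rr(owner, rtype, ttl, rdata):
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def fake_open_server(server, query):
    """An unsecured server: hands the zone to anybody, here split over two TCP messages."""
    txid, question = query[:2], query[12:]
    soa = _rr("secure.net", 6, 86400, encode_name("ns1.secure.net") + encode_name("hostmaster.secure.net")
              + struct.pack("!IIIII", 2002123000, 10800, 3600, 604800, 86400))
    batches = [[soa, _rr("secure.net", 2, 86400, encode_name("ns1.secure.net")),
                _rr("secure.net", 15, 10, struct.pack("!H", 10) + encode_name("mail.secure.net")),
                _rr("secure.net", 1, 10, bytes([161, 58, 2, 116]))],
               [_rr("smtp.secure.net", 5, 10, encode_name("mail.secure.net")), soa]]
    for rrs in batches:  # 0x8400 = QR|AA with RCODE 0
        yield txid + struct.pack("!HHHHH", 0x8400, 1, len(rrs), 0, 0) + question + b"".join(rrs)


def fake_refusing_server(server, query):
    """A properly restricted server: RCODE 5 REFUSED, which nslookup prints as 'Query refused'."""
    yield query[:2] + struct.pack("!HHHHH", 0x8005, 1, 0, 0, 0) + query[12:]
```

To reproduce the yahoo.com loop from the post, call `zone_transfer("yahoo.com", ns)` for each server the `set type=ns` lookup returned; with the default `tcp_transport` that is a real TCP exchange on port 53, while `transport=fake_open_server` or `transport=fake_refusing_server` exercises the parser without touching anyone's name servers. A transfer is reported "OK" only under the protocol's own completeness rule: the stream opens and closes with the zone's SOA and both copies carry the same serial, which also guards against a connection that drops part way through the zone.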

#3474 - 03/22/03 04:13 PM Re: DNS system and Zone Transfers (Informative article)
pergesu Offline
UGN Elite Poster

Registered: 03/14/02
Posts: 1136
Loc: Pimpin the Colorizzle
For anyone that's using Linux with a recent version of nslookup, it won't work. The ls command isn't implemented, and nslookup isn't the preferred method. I've never done this before, but I decided to see if I'm able to with the tools that I have. I found that indeed I can:

host -l host server

So in this example, I had:
Code:
host -l secure.net ns2.secure.net
Gives the same info as nslookup in Windows.

Code:
[pergesu@baggio pergesu]$ host -l secure.net ns2.secure.net
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

secure.net SOA ns1.secure.net. hostmaster.secure.net. 2002123000 10800 3600 604800 86400
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

secure.net name server ns1.secure.net.
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

secure.net name server ns2.secure.net.
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

secure.net mail is handled by 10 mail.secure.net.
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

secure.net has address 161.58.2.116
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

sl102.secure.net has address 192.41.0.102
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

smtp.secure.net is an alias for mail.secure.net.
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

localhost.secure.net has address 127.0.0.1
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

news.secure.net has address 192.41.0.5
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:
and much, much more.

#3475 - 03/26/03 02:20 PM Re: DNS system and Zone Transfers (Informative article)
Digital Geek Offline
UGN Super Poster

Registered: 09/18/02
Posts: 553
Loc: Cluj-Napoca, Romania
Still the problem remains. What will someone do if they want to find out all the hosts associated with a domain that uses secure DNS servers?!

I found this: http://phphostsfinder.sourceforge.net/ on SourceForge. Maybe some of you will find it interesting.

P.S. Nice article SR

#3476 - 03/26/03 03:04 PM Re: DNS system and Zone Transfers (Informative article)
SilentRage Offline
DollarDNS Owner

Registered: 03/04/02
Posts: 1273
Loc: OH, USA
It is common for hosts for a domain to have completely different IP addresses. Scanning the IP range that a domain belongs to has very very little value. That script may find domains that don't even belong to the same owner, AND... miss other domains that DO belong to the same owner. If you enter "secure.net" into that PHP script, you'll see what I mean.

I mention this so that people don't get their hopes up. It's just a glorified scan.
_________________________
Domain Registration, Hosting, Management
http://www.dollardns.net

#3477 - 03/26/03 04:03 PM Re: DNS system and Zone Transfers (Informative article)
pergesu Offline
UGN Elite Poster

Registered: 03/14/02
Posts: 1136
Loc: Pimpin the Colorizzle
Rage, you're so ignorant sometimes. It's on SourceForge, it's 1337, it's ph33rful. Geez...

#3478 - 03/26/03 04:37 PM Re: DNS system and Zone Transfers (Informative article)
SilentRage Offline
DollarDNS Owner

Registered: 03/04/02
Posts: 1273
Loc: OH, USA
Since unreal was such a crybaby, I'll let ya guys know that he's the one who told me how to do the AXFR transfer in nslookup. That crappy program doesn't deserve my research! BTW, the DNS client on my website supports AXFR now.
_________________________
Domain Registration, Hosting, Management
http://www.dollardns.net

#3479 - 03/26/03 05:04 PM Re: DNS system and Zone Transfers (Informative article)
black^Pimp Offline
UGN GFX Whore

Registered: 09/26/02
Posts: 624
Loc: Underground
Jesus SR, that was really great, I asked myself that question many times but never found the answer and now here we go...

Pretty cool shit.
_________________________
+^Born Intelligence

#3480 - 03/26/03 08:31 PM Re: DNS system and Zone Transfers (Informative article)
pergesu Offline
UGN Elite Poster

Registered: 03/14/02
Posts: 1136
Loc: Pimpin the Colorizzle
/me bows
I'll tell you how to dig, too, which I told SR a while back. Here it is:

Code:
[pergesu@baggio pergesu]$ dig -t AXFR secure.net @ns2.secure.net

; <<>> DiG 9.2.1 <<>> -t AXFR secure.net @ns2.secure.net
;; global options:  printcmd
secure.net.             86400   IN      SOA     ns1.secure.net. hostmaster.secure.net. 2002123000 10800 3600 604800 86400
secure.net.             86400   IN      NS      ns1.secure.net.
secure.net.             86400   IN      NS      ns2.secure.net.
secure.net.             10      IN      MX      10 mail.secure.net.
secure.net.             10      IN      A       161.58.2.116
sl102.secure.net.       86400   IN      A       192.41.0.102
smtp.secure.net.        10      IN      CNAME   mail.secure.net.
localhost.secure.net.   86400   IN      A       127.0.0.1
news.secure.net.        86400   IN      A       192.41.0.5
...
...
...
5000b.secure.net.       86400   IN      A       192.41.1.2
ftp.secure.net.         86400   IN      CNAME   secure.net.
sundance.secure.net.    86400   IN      A       192.41.1.8
sl100.secure.net.       86400   IN      A       192.41.0.100
sl101.secure.net.       86400   IN      A       192.41.0.101
secure.net.             86400   IN      SOA     ns1.secure.net. hostmaster.secure.net. 2002123000 10800 3600 604800 86400
;; Query time: 1040 msec
;; SERVER: 192.220.125.10#53(ns2.secure.net)
;; WHEN: Wed Mar 26 18:31:07 2003
;; XFR size: 67 records

[pergesu@baggio pergesu]$

#3481 - 03/26/03 09:31 PM Re: DNS system and Zone Transfers (Informative article)
SilentRage Offline
DollarDNS Owner

Registered: 03/04/02
Posts: 1273
Loc: OH, USA
Yes, that report is a heck of a lot better than host's, although my program's report is better.

Also, that program is wrong when it says there are 67 records. In reality, there are 64 records plus 2 identical zone records (the list starts and ends with the zone record (SOA)). But that still only adds up to 66.
_________________________
Domain Registration, Hosting, Management
http://www.dollardns.net
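As an added Python example (not code from the thread or from any of its posters), here is a small audit of the text that `dig -t AXFR secure.net @ns2.secure.net` prints, of the kind the last two posts argue over. It checks that the transfer opened and closed with the same SOA (the completeness rule for AXFR), counts the stream the way dig's `XFR size` does (every RR received, both SOA copies included) beside the number of distinct zone records, and groups the A records by /24 to show what SilentRage's earlier reply says about hosts living in unrelated address ranges. The transcript embedded in it is constructed: an abridged version of the dig listing above, with a made-up `XFR size` line that matches the abridged list rather than the real 67.

```python
"""Added example (not from the thread): audit the presentation-format output of `dig -t AXFR`.
SAMPLE is constructed: an abridged copy of the listing posted in the thread; its XFR size line
was made up to match the abridged record list."""
import re
from collections import Counter

SAMPLE = """\
; <<>> DiG 9.2.1 <<>> -t AXFR secure.net @ns2.secure.net
;; global options:  printcmd
secure.net.             86400   IN      SOA     ns1.secure.net. hostmaster.secure.net. 2002123000 10800 3600 604800 86400
secure.net.             86400   IN      NS      ns1.secure.net.
secure.net.             86400   IN      NS      ns2.secure.net.
secure.net.             10      IN      MX      10 mail.secure.net.
secure.net.             10      IN      A       161.58.2.116
sl102.secure.net.       86400   IN      A       192.41.0.102
smtp.secure.net.        10      IN      CNAME   mail.secure.net.
localhost.secure.net.   86400   IN      A       127.0.0.1
news.secure.net.        86400   IN      A       192.41.0.5
ftp.secure.net.         86400   IN      CNAME   secure.net.
sundance.secure.net.    86400   IN      A       192.41.1.8
secure.net.             86400   IN      SOA     ns1.secure.net. hostmaster.secure.net. 2002123000 10800 3600 604800 86400
;; Query time: 1040 msec
;; SERVER: 192.220.125.10#53(ns2.secure.net)
;; XFR size: 12 records
"""

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")  # owner ttl IN type rdata


def parse_dig_axfr(text):
    """Return ([(owner, ttl, type, rdata), ...], dig's reported XFR size or None)."""
    records, reported = [], None
    for line in text.splitlines():
        if line.startswith(";"):  # dig's own commentary, including the XFR size summary
            m = re.search(r"XFR size: (\d+) records", line)
            reported = int(m.group(1)) if m else reported
            continue
        m = RR_LINE.match(line)
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3), m.group(4).strip()))
    return records, reported


def audit_transfer(text):
    """Completeness check plus record accounting for one AXFR transcript."""
    records, reported = parse_dig_axfr(text)
    bounded = len(records) >= 2 and records[0][2] == "SOA" == records[-1][2]
    # a transfer is complete only if the closing SOA repeats the opening one (same serial)
    complete = bounded and records[0][3].split()[2] == records[-1][3].split()[2]
    body = records[:-1] if complete else records  # drop the duplicated closing SOA
    nets = {}
    for owner, _, rtype, rdata in body:
        if rtype == "A":
            nets.setdefault(".".join(rdata.split(".")[:3]) + ".0/24", []).append(owner)
    return {
        "complete": complete,
        "serial": int(records[0][3].split()[2]) if bounded else None,
        "stream_records": len(records),        # what dig's "XFR size" counts
        "reported_xfr_size": reported,
        "zone_records": len(body),             # distinct records in the zone
        "by_type": dict(Counter(r[2] for r in body)),
        "hosts_by_net": nets,
    }
```

Run `audit_transfer(open("zone.txt").read())` on a saved dig transcript; a transfer that ended early shows up as `complete: False`, and `stream_records` will equal dig's own `XFR size` while `zone_records` is one less because the closing SOA is the opening SOA sent again. `hosts_by_net` is the cheap way to see why scanning "the domain's IP range" misses hosts: even in this abridged listing the A records fall into four different /24s.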
