DNS system and Zone Transfers (Informative article)

Posted by: SilentRage

DNS system and Zone Transfers (Informative article) - 03/22/03 03:23 PM

once upon a time (not very long ago), a person asked on this board if there was a way to find all the hosts associated with a domain.

Ex. yahoo.com
mail.yahoo.com
clubs.yahoo.com
store.yahoo.com

Being the resident DNS tinkerer, I assured him that there was nothing in the DNS protocol that would allow him to view such a thing. I am happy to announce that I was wrong - dead wrong.

First, I need to explain a few basics on how domain information is stored. The owners of yahoo.com enlisted the use of a DNS server. Inside this special computer are stored all kinds of information about yahoo.com. It knows what IP's are associated with yahoo.com. It knows what the mail servers are called and their IP's. Basically every domain and every piece of information about that domain is stored in a single (or group) of DNS servers.

Well, it's an easy thing for a person to ask a DNS server what the IP is belonging to a certain domain. But it is not so easy to just tell a server to give up everything it knows on yahoo.com and all related domains.

However, how is one DNS server supposed to learn anything from another? How do these servers update each other on domain information?

Zone transfers (AXFR)

Now, the administrators of DNS servers are not supposed to allow just anybody to request entire zones from them. They should have a list of friendly DNS server IP's stored so that if somebody requests a zone transfer - it must be one of their friends. However, it is not all that uncommon to find DNS servers that DO allow just ANYBODY to request an entire zone!

So how do you do it? Well, you need to use a program which supports zone transfers. Now I'd just love to point you to my very own DNS lookup program, but I'm not quite finished adding the zone transfer feature, so nslookup which comes with windows (2K/XP anyway) is your second best bet.

First, we need an unsecured DNS server. I'll be nice and give ya one - ns2.secure.net.

at the command-line type this:
C:\>nslookup - ns2.secure.net

Now we're in interactive mode with nslookup and may request whatever we want of the server we specified above. First, we need to say what type of request this is going to be...

>set type=axfr

After typing the above, nslookup is ready to make a zone transfer request. Now we need to tell it the zone we want to request. "secure.net" is a good guess considering that's the root of the server domain. It may have other zones too, just for FYI. Type this into the prompt...

>ls -d secure.net

Oh my, after typing the above we are FLOODED with information. 64 different records are stored under the "secure.net" zone. Here's some sample output from my unreleased version of DNS Lookup:

Code:
- Record Name               Type     Data

  secure.net                NS       ns1.secure.net
  secure.net                NS       ns2.secure.net
  secure.net                MX       10 - mail.secure.net
  secure.net                A        161.58.2.116
  sl102.secure.net          A        192.41.0.102
  smtp.secure.net           CNAME    mail.net
  localhost.secure.net      A        127.0.0.1
There you have the first 7 records. The first two records are located under the secure.net domain. They're your DNS servers. We've just finished talking to one of them. It also tells us the smtp server name (MX). There's also some other hosts. I have no idea what sl102 is, but I know its IP address! Also, I see a domain called smtp.secure.net. The CNAME means that the domain is pointing to another domain. Also, there's a host called localhost which is only valid on their internal network.

Ok, that's the way it works. Now to put it to practical matters. First we have a domain... yahoo.com. Let's see if we can get a zone transfer about it. First we need the DNS server that stores yahoo.com's information:

First we execute nslookup:
C:\>nslookup

Then we make a request to find its DNS server:
>set type=ns

Now we say which domain we are querying:
>yahoo.com

part of our results:
Code:
Non-authoritative answer:
yahoo.com       nameserver = ns1.yahoo.com
yahoo.com       nameserver = ns5.yahoo.com
yahoo.com       nameserver = ns2.yahoo.com
yahoo.com       nameserver = ns3.yahoo.com
yahoo.com       nameserver = ns4.yahoo.com
We've got 5 servers to choose from. Let's try each one until we find an unsecured server...

first set the type
> set type=axfr

change server to be queried
> server ns1.yahoo.com
make request
> yahoo.com
*** ns1.yahoo.com can't find yahoo.com: Query refused

if failed, change server
> server ns2.yahoo.com
> yahoo.com
*** ns2.yahoo.com can't find yahoo.com: Query refused

failed again *sigh* try some more
> server ns3.yahoo.com
> yahoo.com
*** ns3.yahoo.com can't find yahoo.com: Query refused

yahoo sucks. 2 more left
> server ns4.yahoo.com
> yahoo.com
*** ns4.yahoo.com can't find yahoo.com: Query refused

last chance!
> server ns5.yahoo.com
> yahoo.com
*** ns5.yahoo.com can't find yahoo.com: Query refused

oh well, yahoo is pretty good about their security. Maybe you should pick on smaller targets.
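As an added example (not from the post above or from SilentRage's program), here is the wire-level check a defender would put in a sensor in front of an authoritative server: it parses the question section of a DNS query and flags an AXFR (QTYPE 252) that does not come from an allow-listed secondary, which is the "list of friendly DNS server IP's" the post says an administrator should keep. Every IP address in it is constructed.

```python
import struct

QTYPE_AXFR = 252                      # RFC 1035: full zone transfer request
# Constructed allow list: the only secondary permitted to pull the zone.
ALLOWED_SECONDARIES = {"192.0.2.10"}

def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels (length byte + label, zero terminated)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query message: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)          # QDCOUNT=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN

def parse_question(msg: bytes):
    """Return (qname, qtype) from the first question of a DNS message.
    Pass the bare message; strip the 2-byte length prefix of TCP framing first."""
    _txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                 # compression pointers are not valid here
            raise ValueError("compressed name in question section")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype

def check_transfer_request(src_ip: str, msg: bytes, allowed=ALLOWED_SECONDARIES):
    """Return an alert string for an AXFR from a non-allow-listed source, else None."""
    qname, qtype = parse_question(msg)
    if qtype != QTYPE_AXFR or src_ip in allowed:
        return None
    return f"AXFR for {qname} requested by {src_ip}, not an authorised secondary"

if __name__ == "__main__":
    # Constructed traffic: a secondary's refresh, an ordinary NS lookup, a stranger's AXFR.
    for src, query in [("192.0.2.10", build_query("secure.net", QTYPE_AXFR)),
                       ("198.51.100.7", build_query("secure.net", 2)),
                       ("198.51.100.7", build_query("secure.net", QTYPE_AXFR))]:
        print(src, check_transfer_request(src, query))
```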
Posted by: pergesu

Re: DNS system and Zone Transfers (Informative article) - 03/22/03 04:13 PM

For anyone that's using linux with a recent version of nslookup, it won't work. The ls command isn't implemented, and nslookup isn't the preferred method. I've never done this before, but I decided to see if I'm able to with the tools that I have. I found that indeed I can.

host -l host server

so in this example, I had:
Code:
host -l secure.net ns2.secure.net
Gives the same info as nslookup in Windows.

Code:
[pergesu@baggio pergesu]$ host -l secure.net ns2.secure.net
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

secure.net SOA ns1.secure.net. hostmaster.secure.net. 2002123000 10800 3600 604800 86400
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

secure.net name server ns1.secure.net.
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

secure.net name server ns2.secure.net.
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

secure.net mail is handled by 10 mail.secure.net.
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

secure.net has address 161.58.2.116
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

sl102.secure.net has address 192.41.0.102
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

smtp.secure.net is an alias for mail.secure.net.
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

localhost.secure.net has address 127.0.0.1
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

news.secure.net has address 192.41.0.5
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:
and much, much more.
Posted by: Digital Geek

Re: DNS system and Zone Transfers (Informative article) - 03/26/03 02:20 PM

Still the problem remains. What will someone do if they want to find out all the hosts associated with a domain that uses secure DNS servers ?!

I found this : http://phphostsfinder.sourceforge.net/ on Source Forge. Maybe some of you will find it interesting.

P.S. Nice article SR
Posted by: SilentRage

Re: DNS system and Zone Transfers (Informative article) - 03/26/03 03:04 PM

It is common for hosts for a domain to have completely different IP addresses. Scanning the IP range that a domain belongs to has very very little value. That script may find domains that don't even belong to the same owner, AND... miss other domains that DO belong to the same owner. If you enter "secure.net" into that PHP script, you'll see what I mean.

I mention this so that people don't get their hopes up. It's just a glorified scan.
Posted by: pergesu

Re: DNS system and Zone Transfers (Informative article) - 03/26/03 04:03 PM

Rage, you're so ignorant sometimes. It's on SourceForge, it's 1337, it's ph33rful. Geez...
Posted by: SilentRage

Re: DNS system and Zone Transfers (Informative article) - 03/26/03 04:37 PM

since unreal was such a cry baby, I'll let ya guys know that he's the one who told me how to do the AXFR transfer in nslookup. That crappy program doesn't deserve my research! btw, the DNS client on my website supports AXFR now.
Posted by: black^Pimp

Re: DNS system and Zone Transfers (Informative article) - 03/26/03 05:04 PM

jesus SR, that was really great, i asked myself that question many times but never found the answer and now here we go...

pretty cool shit.
Posted by: pergesu

Re: DNS system and Zone Transfers (Informative article) - 03/26/03 08:31 PM

/me bows
I'll tell you how to dig, too, which I told SR a while back. Here it is:

Code:
[pergesu@baggio pergesu]$ dig -t AXFR secure.net @ns2.secure.net

; <<>> DiG 9.2.1 <<>> -t AXFR secure.net @ns2.secure.net
;; global options:  printcmd
secure.net.             86400   IN      SOA     ns1.secure.net. hostmaster.secure.net. 2002123000 10800 3600 604800 86400
secure.net.             86400   IN      NS      ns1.secure.net.
secure.net.             86400   IN      NS      ns2.secure.net.
secure.net.             10      IN      MX      10 mail.secure.net.
secure.net.             10      IN      A       161.58.2.116
sl102.secure.net.       86400   IN      A       192.41.0.102
smtp.secure.net.        10      IN      CNAME   mail.secure.net.
localhost.secure.net.   86400   IN      A       127.0.0.1
news.secure.net.        86400   IN      A       192.41.0.5
...
...
...
5000b.secure.net.       86400   IN      A       192.41.1.2
ftp.secure.net.         86400   IN      CNAME   secure.net.
sundance.secure.net.    86400   IN      A       192.41.1.8
sl100.secure.net.       86400   IN      A       192.41.0.100
sl101.secure.net.       86400   IN      A       192.41.0.101
secure.net.             86400   IN      SOA     ns1.secure.net. hostmaster.secure.net. 2002123000 10800 3600 604800 86400
;; Query time: 1040 msec
;; SERVER: 192.220.125.10#53(ns2.secure.net)
;; WHEN: Wed Mar 26 18:31:07 2003
;; XFR size: 67 records

[pergesu@baggio pergesu]$
Posted by: SilentRage

Re: DNS system and Zone Transfers (Informative article) - 03/26/03 09:31 PM

yes, that report is a heck of a lot better than host. Although my program's report is better.

Also, that program is wrong when it says there are 67 records. In reality, there's 64 records plus 2 identical Zone records (the list starts and ends with the Zone record (SOA)). But that still only adds up to 66.
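An added example, not from the thread or from SilentRage's program: a parser for dig's AXFR output that applies the completeness rule the last two posts circle around (a transfer begins and ends with the zone's SOA, and both copies must carry the same serial), reports the record count both with and without the repeated SOA, and flags hygiene issues such as the localhost A record the first post pointed out. The sample is constructed from the records quoted above; the lines the original elided are left out.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample in dig's AXFR output layout, using records quoted in this thread.
SAMPLE = """\
; <<>> DiG 9.2.1 <<>> -t AXFR secure.net @ns2.secure.net
secure.net.             86400   IN      SOA     ns1.secure.net. hostmaster.secure.net. 2002123000 10800 3600 604800 86400
secure.net.             86400   IN      NS      ns1.secure.net.
secure.net.             86400   IN      NS      ns2.secure.net.
secure.net.             10      IN      MX      10 mail.secure.net.
secure.net.             10      IN      A       161.58.2.116
sl102.secure.net.       86400   IN      A       192.41.0.102
smtp.secure.net.        10      IN      CNAME   mail.secure.net.
localhost.secure.net.   86400   IN      A       127.0.0.1
secure.net.             86400   IN      SOA     ns1.secure.net. hostmaster.secure.net. 2002123000 10800 3600 604800 86400
;; XFR size: 9 records
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

def parse_axfr(text: str):
    """Return (owner, ttl, type, rdata) tuples; dig's ';' comment lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = RR.match(line)
        if m and not line.startswith(";"):
            rows.append((m.group(1), int(m.group(2)), m.group(3), m.group(4).strip()))
    return rows

def check_zone(records):
    """Validate a transferred zone and summarise it. Returns (ok, result)."""
    if len(records) < 2 or records[0][2] != "SOA" or records[-1][2] != "SOA":
        return False, "incomplete transfer: zone must start and end with its SOA"
    if records[0] != records[-1]:
        return False, "SOA differs at start and end: zone modified mid-transfer"
    body = records[1:-1]
    findings = []
    for owner, _ttl, rtype, rdata in body:
        if rtype == "A" and (ip_address(rdata).is_loopback or ip_address(rdata).is_private):
            findings.append(f"{owner} A {rdata}: non-routable address published in a public zone")
    return True, {
        "origin": records[0][0],
        "serial": int(records[0][3].split()[2]),   # third SOA field is the serial
        "wire_records": len(records),              # what dig's 'XFR size' counts: both SOAs
        "unique_records": len(body) + 1,           # SOA counted once, as a zone file lists it
        "types": dict(Counter(r[2] for r in body)),
        "findings": findings,
    }

if __name__ == "__main__":
    print(check_zone(parse_axfr(SAMPLE)))
```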