DollarDNS Owner (OP), Joined: Mar 2002, Posts: 1,273
Once upon a time (not very long ago), a person asked on this board if there was a way to find all the hosts associated with a domain.

Ex. yahoo.com
mail.yahoo.com
clubs.yahoo.com
store.yahoo.com

Being the resident DNS tinkerer, I assured him that there was nothing in the DNS protocol that would allow him to view such a thing. I am happy to announce that I was wrong - dead wrong.

First, I need to explain a few basics on how domain information is stored. The owners of yahoo.com enlisted the use of a DNS server. Inside of this special computer is stored all kinds of information about yahoo.com. It knows what IPs are associated with yahoo.com. It knows what the mail servers are called and their IPs. Basically every domain and every piece of information about that domain is stored in a single DNS server (or a group of them).

Well, it's an easy thing for a person to ask a DNS server what the IP is belonging to a certain domain. But it is not so easy to just tell a server to give up everything it knows on yahoo.com and all related domains.

However, how is one DNS server supposed to learn anything from another? How do these servers update each other on domain information?

Zone transfers (AXFR)

Now, the administrators of DNS servers are not supposed to allow just anybody to request entire zones from them. They should have a list of friendly DNS server IPs stored so that if somebody requests a zone transfer - it must be one of their friends. However, it is not all that uncommon to find DNS servers that DO allow just ANYBODY to request an entire zone!

So how do you do it? Well, you need to use a program which supports zone transfers. Now I'd just love to point you to my very own DNS lookup program, but I'm not quite finished adding the zone transfer feature, so nslookup which comes with Windows (2K/XP anyway) is your second best bet.

First, we need an unsecured DNS server. I'll be nice and give ya one - ns2.secure.net.

At the command-line type this:
C:\>nslookup - ns2.secure.net

Now we're in interactive mode with nslookup and may request whatever we want of the server we specified above. First, we need to say what type of request this is going to be...

>set type=axfr

After typing the above, nslookup is ready to make a zone transfer request. Now we need to tell it the zone we want to request. "secure.net" is a good guess considering that's the root of the server domain. It may have other zones too, just for FYI. Type this into the prompt...

>ls -d secure.net

Oh my, after typing the above we are FLOODED with information. 64 different records are stored under the "secure.net" zone. Here's some sample output from my unreleased version of DNS Lookup:

Code
- Record Name               Type     Data

  secure.net                NS       ns1.secure.net
  secure.net                NS       ns2.secure.net
  secure.net                MX       10 - mail.secure.net
  secure.net                A        161.58.2.116
  sl102.secure.net          A        192.41.0.102
  smtp.secure.net           CNAME    mail.net
  localhost.secure.net      A        127.0.0.1
There you have the first 7 records. The first two records are located under the secure.net domain. They're your DNS servers. We've just finished talking to one of them. It also tells us the smtp server name (MX). There's also some other hosts. I have no idea what sl102 is, but I know its IP address! smile Also, I see a domain called smtp.secure.net. The CNAME means that the domain is pointing to another domain. Also, there's a host called localhost which is only valid on their internal network.

Ok, that's the way it works. Now to put it to practical matters. First we have a domain... yahoo.com. Let's see if we can get a zone transfer about it. First we need the DNS server that stores yahoo.com's information:

First we execute nslookup:
C:\>nslookup

Then we make a request to find its DNS server:
>set type=ns

Now we say which domain we are querying:
>yahoo.com

Part of our results:
Code
Non-authoritative answer:
yahoo.com       nameserver = ns1.yahoo.com
yahoo.com       nameserver = ns5.yahoo.com
yahoo.com       nameserver = ns2.yahoo.com
yahoo.com       nameserver = ns3.yahoo.com
yahoo.com       nameserver = ns4.yahoo.com
We've got 5 servers to choose from. Let's try each one until we find an unsecured server...

First set the type:
> set type=axfr

Change the server to be queried:
> server ns1.yahoo.com
Make the request:
> yahoo.com
*** ns1.yahoo.com can't find yahoo.com: Query refused

If it failed, change server:
> server ns2.yahoo.com
> yahoo.com
*** ns2.yahoo.com can't find yahoo.com: Query refused

Failed again *sigh*, try some more:
> server ns3.yahoo.com
> yahoo.com
*** ns3.yahoo.com can't find yahoo.com: Query refused

Yahoo sucks. 2 more left:
> server ns4.yahoo.com
> yahoo.com
*** ns4.yahoo.com can't find yahoo.com: Query refused

Last chance!
> server ns5.yahoo.com
> yahoo.com
*** ns5.yahoo.com can't find yahoo.com: Query refused

Oh well, Yahoo is pretty good about their security. Maybe you should pick on smaller targets. smile


Domain Registration, Hosting, Management
http://www.dollardns.net
UGN Elite Poster, Joined: Mar 2002, Posts: 1,136
For anyone that's using Linux with a recent version of nslookup, it won't work. The ls command isn't implemented, and nslookup isn't the preferred method. I've never done this before, but I decided to see if I'm able to with the tools that I have. I found that indeed I can smile

host -l host server

So in this example, I had:
Code
host -l secure.net ns2.secure.net
Gives the same info as nslookup in Windows.

Code
[pergesu@baggio pergesu]$ host -l secure.net ns2.secure.net
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

secure.net SOA ns1.secure.net. hostmaster.secure.net. 2002123000 10800 3600 604800 86400
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

secure.net name server ns1.secure.net.
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

secure.net name server ns2.secure.net.
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

secure.net mail is handled by 10 mail.secure.net.
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

secure.net has address 161.58.2.116
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

sl102.secure.net has address 192.41.0.102
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

smtp.secure.net is an alias for mail.secure.net.
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

localhost.secure.net has address 127.0.0.1
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:

news.secure.net has address 192.41.0.5
Using domain server:
Name: ns2.secure.net
Address: 192.220.125.10#53
Aliases:
and much, much more.

UGN Super Poster, Joined: Sep 2002, Posts: 553
Still the problem remains. What will someone do if they want to find out all the hosts associated with a domain that uses secure DNS servers?!

I found this: http://phphostsfinder.sourceforge.net/ on SourceForge. Maybe some of you will find it interesting.

P.S. Nice article SR smile

DollarDNS Owner (OP), Joined: Mar 2002, Posts: 1,273
It is common for hosts for a domain to have completely different IP addresses. Scanning the IP range that a domain belongs to has very very little value. That script may find domains that don't even belong to the same owner, AND... miss other domains that DO belong to the same owner. If you enter "secure.net" into that PHP script, you'll see what I mean.

I mention this so that people don't get their hopes up. smile It's just a glorified scan.


Domain Registration, Hosting, Management
http://www.dollardns.net
UGN Elite Poster, Joined: Mar 2002, Posts: 1,136
Rage, you're so ignorant sometimes. It's on SourceForge, it's 1337, it's ph33rful. Geez...

DollarDNS Owner (OP), Joined: Mar 2002, Posts: 1,273
Since unreal was such a cry baby, I'll let ya guys know that he's the one who told me how to do the AXFR transfer in nslookup. That crappy program doesn't deserve my research! laugh BTW, the DNS client on my website supports AXFR now.


Domain Registration, Hosting, Management
http://www.dollardns.net
UGN GFX Whore, Joined: Sep 2002, Posts: 624
Jesus SR, that was really great. I asked myself that question many times but never found the answer, and now here we go...

pretty cool [censored].


+^Born Intelligence
UGN Elite Poster, Joined: Mar 2002, Posts: 1,136
/me bows
I'll tell you how to dig, too, which I told SR a while back. Here it is:

Code
[pergesu@baggio pergesu]$ dig -t AXFR secure.net @ns2.secure.net

; <<>> DiG 9.2.1 <<>> -t AXFR secure.net @ns2.secure.net
;; global options:  printcmd
secure.net.             86400   IN      SOA     ns1.secure.net. hostmaster.secure.net. 2002123000 10800 3600 604800 86400
secure.net.             86400   IN      NS      ns1.secure.net.
secure.net.             86400   IN      NS      ns2.secure.net.
secure.net.             10      IN      MX      10 mail.secure.net.
secure.net.             10      IN      A       161.58.2.116
sl102.secure.net.       86400   IN      A       192.41.0.102
smtp.secure.net.        10      IN      CNAME   mail.secure.net.
localhost.secure.net.   86400   IN      A       127.0.0.1
news.secure.net.        86400   IN      A       192.41.0.5
...
...
...
5000b.secure.net.       86400   IN      A       192.41.1.2
ftp.secure.net.         86400   IN      CNAME   secure.net.
sundance.secure.net.    86400   IN      A       192.41.1.8
sl100.secure.net.       86400   IN      A       192.41.0.100
sl101.secure.net.       86400   IN      A       192.41.0.101
secure.net.             86400   IN      SOA     ns1.secure.net. hostmaster.secure.net. 2002123000 10800 3600 604800 86400
;; Query time: 1040 msec
;; SERVER: 192.220.125.10#53(ns2.secure.net)
;; WHEN: Wed Mar 26 18:31:07 2003
;; XFR size: 67 records

[pergesu@baggio pergesu]$

DollarDNS Owner (OP), Joined: Mar 2002, Posts: 1,273
Yes, that report is a heck of a lot better than host. Although my program's report is better. smile

Also, that program is wrong when it says there are 67 records. In reality, there are 64 records plus 2 identical Zone records (the list starts and ends with the Zone record (SOA)). But that still only adds up to 66.


Domain Registration, Hosting, Management
http://www.dollardns.net
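As an added example (not code from this thread, nor from nslookup, host, dig or the DNS Lookup program mentioned in it), here is a Python parser for the `dig -t AXFR` transcript format quoted a few posts up. It checks the SOA bookends that mark a transfer as complete, counts records the two ways the last post argues about (with and without the closing SOA), and lists names that resolve to loopback or private addresses, which is what an administrator auditing what their own zone gives away would look for. The transcript embedded below is a constructed, trimmed copy of the one in the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: a trimmed copy of the dig transcript quoted in the thread.
SAMPLE_AXFR = """\
; <<>> DiG 9.2.1 <<>> -t AXFR secure.net @ns2.secure.net
;; global options:  printcmd
secure.net.             86400   IN      SOA     ns1.secure.net. hostmaster.secure.net. 2002123000 10800 3600 604800 86400
secure.net.             86400   IN      NS      ns1.secure.net.
secure.net.             86400   IN      NS      ns2.secure.net.
secure.net.             10      IN      MX      10 mail.secure.net.
secure.net.             10      IN      A       161.58.2.116
sl102.secure.net.       86400   IN      A       192.41.0.102
smtp.secure.net.        10      IN      CNAME   mail.secure.net.
localhost.secure.net.   86400   IN      A       127.0.0.1
secure.net.             86400   IN      SOA     ns1.secure.net. hostmaster.secure.net. 2002123000 10800 3600 604800 86400
;; XFR size: 9 records
"""

# One resource record as dig prints it: owner name, TTL, class IN, type, rdata.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def parse_axfr(text):
    """Return (name, ttl, type, rdata) tuples; dig's ';' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RR_LINE.match(line)
        if m and not line.startswith(";"):
            name, ttl, rtype, rdata = m.groups()
            records.append((name, int(ttl), rtype, rdata.strip()))
    return records

def check_framing(records):
    """A complete AXFR starts and ends with the same SOA (same serial); otherwise it was cut short."""
    if len(records) < 2 or records[0][2] != "SOA" or records[-1][2] != "SOA":
        return False
    return records[0][3].split()[2] == records[-1][3].split()[2]

def count_records(records):
    """Total lines as dig counts them, the count without the closing SOA, and a per-type tally."""
    total = len(records)
    distinct = total - 1 if check_framing(records) else total
    return total, distinct, Counter(r[2] for r in records)

def internal_leaks(records):
    """Names whose A record points at loopback or private space: internal hosts the zone publishes."""
    return [name for name, _, rtype, rdata in records
            if rtype == "A" and not ipaddress.ip_address(rdata).is_global]
```

Run `count_records(parse_axfr(open("transfer.txt").read()))` on a saved dig transcript of your own zone to see the same total dig reports and the count without the repeated SOA.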
