once upon a time (not very long ago), a person asked on this board if there was a way to find all the hosts associated with a domain.
Being the resident DNS tinkerer, I assured him that there was nothing in the DNS protocol that would allow him to view such a thing. I am happy to announce that I was wrong - dead wrong.
First, I need to explain a few basics on how domain information is stored. The owners of yahoo.com enlisted the use of a DNS server
. Inside of this special computer is stored all kinds of information about yahoo.com. It knows what IP's are associated with yahoo.com. It knows what the mail servers are called and their IP's. Basically every domain and every piece of information about that domain is stored in a single (or group) of DNS servers.
Well, it's an easy thing for a person to ask a DNS server what the IP is belonging to a certain domain. But it is not so easy to just tell a server to give up everything it knows on yahoo.com and all related domains.
however, how is one DNS server supposed to learn anything from another? How does these servers update each other on domain information?
Zone transfers (AXFR)
Now, the administrators of DNS servers are not supposed to allow just anybody to request entire zones from them. They should have a list of friendly DNS server IP's stored so that if somebody requests a zone transfer - it must be one of their friends. However, it is not all that uncommon to find DNS servers that DO allow just ANYBODY to request an entire zone!
So how do you do it? Well, you need to use a program which supports zone transfers. Now I'd just love to point you to my very own DNS lookup program, but I'm not quite finished adding the zone transfer feature, so nslookup
which comes with windows (2K/XP anyway) is your second best bet.
first, we need an unsecured DNS server. I'll be nice and give ya one - ns2.secure.net.
at the command-line type this:
C:\>nslookup - ns2.secure.net
Now we're in interactive mode with nslookup and may request whatever we want of the server we specified above. First, we need to say what type of request this is going to be...
After typing the above, nslookup is ready to make a zone transfer request. Now we need to tell it the zone we want to request. "secure.net" is a good guess considering that's the root of the server domain. It may have other zones too, just for FYI. Type this into the the prompt...
>ls -d secure.net
oh my, after typing the above we are FLOODED with information. 64 different records are stored under the "secure.net" zone. Here's some sample output from my unreleased version DNS Lookup:
- Record Name Type Data
secure.net NS ns1.secure.net
secure.net NS ns2.secure.net
secure.net MX 10 - mail.secure.net
secure.net A 18.104.22.168
sl102.secure.net A 22.214.171.124
smtp.secure.net CNAME mail.net
localhost.secure.net A 127.0.0.1
there you have the first 7 records. The first two records are located under the secure.net domain. They're your DNS servers. We've just finished talking to one of them. It also tells us the smtp server name (MX). There's also some other hosts. I have no idea what sl102 is, but I know it's IP address!
Also, I see a domain called smtp.secure.net. The CNAME means that the domain is pointing to another domain. Also, there's a host called localhost which is only valid on their internal network.
Ok, that's the way it works. Now to put it to practical matters. First we have a domain... yahoo.com. Let's see if we can get a zone transfer about it. First we need the DNS server that stores yahoo.com's information:
first we execute nslookup:
then we make a request to find it's DNS server
now we say which domain we are querying
part of our results:
yahoo.com nameserver = ns1.yahoo.com
yahoo.com nameserver = ns5.yahoo.com
yahoo.com nameserver = ns2.yahoo.com
yahoo.com nameserver = ns3.yahoo.com
yahoo.com nameserver = ns4.yahoo.com
we've got 5 servers to choose from. let's try each one until we find a unsecured server...
first set the type
> set type=axfr
change server to be queried
> server ns1.yahoo.com
*** ns1.yahoo.com can't find yahoo.com: Query refused
if failed, change server
> server ns2.yahoo.com
*** ns2.yahoo.com can't find yahoo.com: Query refused
failed again *sigh* try some more
> server ns3.yahoo.com
*** ns3.yahoo.com can't find yahoo.com: Query refused
yahoo sucks. 2 more left
> server ns4.yahoo.com
*** ns4.yahoo.com can't find yahoo.com: Query refused
> server ns5.yahoo.com
*** ns5.yahoo.com can't find yahoo.com: Query refused
oh well, yahoo is pretty good about their security. Maybe you should pick on smaller targets.