RE: DNS zone transfer

From: Brad Bemis (bradleyb@bigfoot.com)
Date: 06/09/02


From: "Brad Bemis" <bradleyb@bigfoot.com>
To: "Vlad" <progman@netvision.net.il>, "'Short_Circut'" <circut@TheSocket.remoteserver.org>
Date: Sun, 9 Jun 2002 10:45:18 -0700

It looks to me as though they are blocking TCP/53 (note UDP/53 is used for
queries and TCP/53 is used for the zone transfer). There could also be a
split-DNS implementation that hinders your efforts ( restricting the number
and type of records that you might be able to locate on the externally
accessible name server)... They may also have the DNS tree set up so that
only qualified name servers can conduct zone transfer. These are all common
best practices when protecting DNS servers.

Have you looked at secondary DNS servers associated with this target? Many
times, a secondary DNS server is forgotten about... Since they use the
simple name structure of ns1.wustl.edu, you could script query attempts
against a range of name servers using an nsx loop... Read in the results
and if they do not match a zone transfer denial (i.e. "*** Can't list domain
domain.com: Query refused"), you have a target...

Just a few ideas... There are several more advanced methods that could
also be used, but they do not involve passive information gathering ;-)

-----Original Message-----
From: Vlad [mailto:progman@netvision.net.il]
Sent: Sunday, June 09, 2002 1:02 AM
To: 'Short_Circut'
Cc: vuln-dev@securityfocus.com
Subject: RE: DNS zone transfer

First of all thanks for the answer, but I must say that I've already
tried all that.

Using nslookup returns the following:
=====================================
> ls -d domain.com
[[ns.domain.com]]
*** Can't list domain domain.com: Query refused
>
> domain.com
domain.com nameserver = ns.domain.com
.... ....
domain.com
        primary name server = ns1.domain.com
        responsible mail addr = p
        serial = 1234567890
        refresh = 3600 (1 hour)
        retry = 600 (10 mins)
        expire = 86400 (1 day)
        default TTL = 3600 (1 hour)
ns.domain.com internet address = x.x.x.x
=====================================
The request to enumerate all domain records (first ex.) returns "Query
refused".
A resolve request (second ex.) return what seems like all nameserver
records for that domain (type = ALL in nslookup).

That's nice but not as important as the other records the server
contains , they are the ones I'm after.

Suggestions?

  - Vlad.

-----Original Message-----
From: Short_Circut [mailto:circut@TheSocket.remoteserver.org]
Sent: Sunday, June 09, 2002 3:22 AM
To: Vlad
Cc: vuln-dev@securityfocus.com
Subject: Re: DNS zone transfer

> Greetings,
>
> Is it possible to remotely retrieve all DNS records from a server
> *without* knowing the specific zones it hosts?
> (cause then I can script "dig @dns-server.ip zone-domain ALL" )
>
> If it matters the server runs the DNS service on Win2k and I've got no
> preferance for Windows or *NIX tools. Any will do.
>
>
> Thanks,
> - Vlad.
>

try 'host' and nslookup.

host -l wustl.edu

and nslookup

[root@TheSocket - <~> nslookup
Default Server: Server.thesocket.net
Address: 10.0.2.1

> server ns1.wustl.edu
Default Server: ns1.wustl.edu
Address: 128.252.135.4

> ls -d wustl.edu

hehehe
view the nice result

:~Short_Circut~:



Relevant Pages

  • Re: Am I making DNS harder than it really is?
    ... >>examples of how to set up new servers to use dns for internal and isp dns ... You install your own DNS server. ... Now, if your current DNS host says "no, we don't allow zone transfer", then ... > the internet. ...
    (microsoft.public.win2000.dns)
  • Re: Issue with DC
    ... Assuming that TD1 has the proper DNS infrastruture, ... "you do not have permission to access this DNS server. ... "A zone transfer request for the secondary zone TD.COM was refused by the ...
    (microsoft.public.windows.server.active_directory)
  • Re: Windows 2003 Name Server
    ... > We have a dedicated server as our primary, ... >> You are almost certainly better off moving your PUBLIC DNS ... >>> DNS Filter UDP Send Receive Local All Ports Remote Port 53 ... >>> DNS Zone Transfer TCP Inbound Local Port 53 Remote All Ports ...
    (microsoft.public.windows.server.dns)
  • Re: Primary says transfer OK but secondary doesnt receive zone
    ... > I'm trying to debug a strange problem I have with DNS zone transfer. ... > I've recently set up a new secondary DNS server for my forward zone ...
    (microsoft.public.win2000.dns)
  • Re: DNS Move
    ... Install DNS on the DC. ... On the existing DNS server, configure the zone to allow zone transfer to the ...
    (microsoft.public.windows.server.dns)