/ blog

DNS Zone transfers

Let's talk DNS Zone transfers.

What is a DNS Zone Transfer?

First of all, a DNS zone transfer is not an actual attack. It's an information gathering method to facilitate later attacks. In 'normal' circumstances, a DNS Zone Transfer is used to copy the zone file (a copy of all DNS names in a zone) from a master DNS server to a slave DNS server.

Why is it useful for a hacker?

When a DNS server is misconfigured, not only an authorized slave DNS server can request a copy of the zone file, but anyone asking will receive a copy. Basically you're asking the DNS information to give all the information it has on a given domain. This includes names, addresses and functionalities of all servers within a domain. Check out the awesome post by Zonetransfer.me for a detailed example of which information can be retrieved via a zone transfer and how this information can facilitate your hacking.

Examples

Although pre-made automated tools exists for DNS Zone Transfers (such as DNSRecon and DNSenum), I think it's worthwile to try it manually first as you will understand the mechanics better. We show some examples on Kali Linux. Let's go..

First, you identify the DNS servers for a given domain. Next, you try a zone transfer on each of these identified DNS servers. In this examples below we are going to do a zone transfer on Zonetransfer.me which has specifically being installed for this purpose.

Step 1: identify DNS servers for a given domain
host -t ns zonetransfer.me | cut -d " " -f 4

Let's breakdown the above command:

  • host (DNS lookup utility in build-in Kali)
  • -t ns (specifies target = nameservers)
  • zonetransfer.me (the domain you are trying to identify nameservers)
  • | cut -d " " -f 4 ( you're piping the result of the host command and you cut out the 4th field which is delimited with spaces)
Step 2: attempt a Zone Transfer

Once you identified the DNS servers for a domain, you can try to do a Zone Transfer on each of the DNS servers.

host -l zonetransfer.me nsztm1.digi.ninja
  • host (DNS lookup utility in build-in Kali)
  • -l (attempt a Zone Transfer, or more difficult - AXFR)
  • zonetransfer.me (the target domain)
  • nsztm1.digi.ninja (one of the DNS servers you identified in step 1)

Step 3: Automate both steps via scripting

You can automate step 1 and step 2 in a simple script that identifies all DNS servers for a given domain and tries a Zone Transfer on each of the identified DNS servers.

The script (see comments in the script for details):

Next, make the bash script executable (chmod 775) and execute with specified domain zonetransfer.me

DNSenum and DNSrecon

Both DNSenum and DNSrecon are great tools pre-installed in Kali Linux that can do the same of our script but has a few more options.
Make sure you play around with their different options.