2.1.1.1 DNS Zone Transfer

DNS Zone Transfers

DNS records, or Domain Name System records, are essentially pieces of information stored in DNS servers that help translate human-readable domain names (like www.example.com) into IP addresses (like 192.168.1.1) that computers use to identify each other on a network. DNS records play a crucial role in facilitating the browsing experience and various other network-related activities. Here are some common types of DNS records:

  • A Record (Address Record): This record maps a domain name to an IPv4 address. It is used to translate domain names into the numerical IP addresses that computers use to identify each other on the internet.

  • AAAA Record (IPv6 Address Record): Similar to the A record, the AAAA record maps a domain name to an IPv6 address. IPv6 addresses are used to handle the growing need for unique IP addresses due to the increasing number of devices connected to the internet.

  • CNAME Record (Canonical Name Record): The CNAME record is used to create an alias for a domain name. It points one domain name to another, allowing multiple domain names to be associated with the same IP address. This is often used for subdomains and load balancing.

  • MX Record (Mail Exchange Record): MX records specify the mail servers responsible for receiving email messages on behalf of a domain. These records help route email messages to the correct email servers.

  • TXT Record (Text Record): TXT records store various text-based information about a domain. They are often used for verification and authentication purposes, such as SPF (Sender Policy Framework) records for email authentication.

  • SRV Record (Service Record): SRV records provide information about available services on a domain. They are commonly used for services like VOIP, instant messaging, and other communication protocols.

  • PTR Record (Pointer Record): PTR records perform the reverse of what A and AAAA records do. They map IP addresses to domain names, aiding in reverse DNS lookup, which can help verify the authenticity of an IP address.

  • NS Record (Name Server Record): NS records indicate which DNS servers are authoritative for a particular domain. They point to the DNS servers that hold the definitive DNS information for a domain.

  • SOA Record (Start of Authority Record): The SOA record contains administrative information about the domain, including the primary authoritative DNS server, contact details for the domain administrator, and various timing information related to updates and caching.

DNS zone transfer is a process used to replicate or synchronize DNS data (zone data) from one DNS server to another. It is commonly employed in environments where multiple DNS servers need to maintain consistent and up-to-date records for a particular domain or set of domains. Zone transfers are critical for redundancy, fault tolerance, and load distribution within the DNS infrastructure.

Here's how the DNS zone transfer process works:

  1. Primary (Master) Server: The primary DNS server (also known as the master server) holds the authoritative copy of the DNS zone data. This server is considered the source of truth for the zone's records.

  2. Secondary (Slave) Servers: Secondary DNS servers (also called slave servers) are responsible for obtaining a copy of the zone data from the primary server. These secondary servers are set up to request and receive updates from the primary server periodically or when changes occur.

  3. Zone Transfer: When a secondary server is initially configured or when there are changes to the zone data on the primary server, it initiates a zone transfer. This transfer involves the secondary server requesting the updated zone data from the primary server.

  4. Transfer Methods: There are two main methods of DNS zone transfer:

    • Full Zone Transfer (AXFR): This method involves the secondary server requesting the entire zone data from the primary server. It's used when the secondary server doesn't have any data or needs a complete refresh.

    • Incremental Zone Transfer (IXFR): In this method, the secondary server requests only the changes or updates that have occurred since its last synchronization. This reduces the amount of data transferred and is more efficient.

  5. Maintaining Consistency: After the zone transfer, the secondary server updates its records to match those of the primary server. This ensures that both primary and secondary servers have consistent DNS information.

This website is helpful to test and understand how works:

We can find DNS record using again tools for passive/active recon how: DNSDumpster (website) and DNSRecon:

dnsrecon -d zonetransfer.me

DNSEnum (automatic brute force):

dnsenum zonetransfer.me

DIG

dig axfr @nsztm1.digi.ninja zonetransfer.me

Fierce

fierce -dns zonetransfer.me

In alternative, we can use Nmap for host discover using:

nmap -Sn <target/subnet>

The -Pn flag in Nmap is used to instruct Nmap not to perform "ping" scanning to determine whether hosts are reachable or not. This can be useful when you want to scan hosts where ping might be blocked or disabled (usually in windows device).

However, DNS resolution is a separate aspect, and the -Pn option does not directly impact DNS resolution. If you want to avoid DNS resolution during scanning and only want to detect hosts without performing ping, you can use the -n option. Here's how you can combine the two options:

nmap -n -Pn <target>

Finally, we can test result on the browser, if one dns value load in loop, it maybe can be an internal IP.

Previous2.1.1 DNS ReconNext2.1.1.2 Subdomain Enumeration

Last updated