4

I want to see what nodes exist under a certain domain from within the domain. Short of querying every valid IP address within that domain, is there a way to get all records/map the network?

intika
Ritwik Bose

3 Answers

7

Typically zone transfers are denied if the server is properly configured. You can do a zone transfer via dig:

dig @127.0.0.1 domain.com. AXFR

You can also use nslookup:

nslookup -query=AXFR domain.com 127.0.0.1

If you are not the administrator, you might be better off contacting your IT department for further details.

Warner
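The answer above notes that a properly configured server denies zone transfers; reviewing the name server's log for transfer events is one way to confirm that from the defender's side. This is an added example, not part of the original answers: it assumes log lines shaped like BIND 9's zone-transfer messages, and the sample lines, addresses and allowlisted secondary are constructed.

```python
import ipaddress
import re

# Assumption: only this secondary may pull zones (documentation address).
ALLOWED_SECONDARIES = [ipaddress.ip_network("192.0.2.53/32")]

# Assumption: patterns modelled on BIND 9 zone-transfer log messages.
CLIENT = r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ .*"
DENIED = re.compile(CLIENT + r"zone transfer '(?P<zone>[^/']+)/(?:AXFR|IXFR)/IN' denied")
STARTED = re.compile(CLIENT + r"transfer of '(?P<zone>[^/']+)/IN': (?:AXFR|IXFR) started")


def is_allowed(ip):
    """True if the client address belongs to an allowlisted secondary."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SECONDARIES)


def review(lines):
    """Return (finding, client_ip, zone) tuples for notable transfer events."""
    findings = []
    for line in lines:
        m = STARTED.search(line)
        if m and not is_allowed(m["ip"]):
            # The zone was actually handed to a host that is not a secondary.
            findings.append(("served-to-unlisted", m["ip"], m["zone"]))
            continue
        m = DENIED.search(line)
        if m:
            # The server refused, but someone asked for the whole zone.
            findings.append(("refused", m["ip"], m["zone"]))
    return findings


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    "01-Mar-2010 20:01:11.120 client 192.0.2.53#40112 (example.com): "
    "transfer of 'example.com/IN': AXFR started",
    "01-Mar-2010 20:07:42.003 client 198.51.100.23#51844 (example.com): "
    "zone transfer 'example.com/AXFR/IN' denied",
    "01-Mar-2010 20:09:15.771 client @0x7f3a2c0 203.0.113.9#39020 (example.com): "
    "transfer of 'example.com/IN': AXFR started",
    "01-Mar-2010 20:09:16.002 client 203.0.113.9#39020 (example.com): "
    "transfer of 'example.com/IN': AXFR ended",
]

if __name__ == "__main__":
    for finding, ip, zone in review(SAMPLE_LOG):
        print(f"{finding:20} {ip:16} {zone}")
```

A "served-to-unlisted" finding means the transfer restriction is missing or too broad for that zone; "refused" entries show who is attempting transfers.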
2

As warner mentioned (that's becoming familiar), zone transfers are often denied for security reasons. If the name servers aren't something you have access to, you can attempt to discover the most common subdomains of a given domain using one of the popular DNS bruteforce scripts. They work by performing DNS requests against a local nameserver using a user-supplied dictionary list. Dictionary lists exist solely for this purpose.

Note: if this reply is against the user agreement, just delete it, sorry.

WS-DNS-BFX is one such script (Perl and threaded, I believe).

CarpeNoctem
  • ah. Ultimately I'm trying to figure out a way to 'bounce' packets around a network to search for services that are not advertised and don't have a fixed location. I don't want to flood my network, though, so brute-force isn't the best option. – Ritwik Bose Mar 01 '10 at 20:08
  • Do you have access to the DHCP server logs? You can use the lease table to determine which IPs should be further scanned with nmap for whatever services you're looking for. You can also scan a network for bonjour, avahi, zeroconf. As well as just nmap the whole subnet (this can be done slow or fast). If it's a flat network you can just iterate through all the IPs doing arp lookups to discover hosts to further scan. Your initial post made it seem like it was limited to a specific domain name, not network. The most obvious tool that comes to mind is nmap with the "-PN" switch for starters. nmap.org – CarpeNoctem Mar 02 '10 at 02:16
2

Using the nslookup command that @warner provided above, I was not able to retrieve the records that I was looking for.

Based on some answers from this post, I was able to retrieve them using nslookup in interactive mode.

$ nslookup
> ls -d mydomain.com

I also found an alternative to the dig command here.

host -l mydomain.com
jmcker