Is there a way to get the complete zone file for a domain without contacting its host?


I know that it's probably (no longer) possible because of abuse, but I want to check nonetheless. Is there a way for me to obtain the company zone file for a domain myself, without having to contact the people who host the DNS for that domain?

Is there a way to get the complete zone file for a domain, without getting it from the company that hosts the DNS for that specific domain?

Evert

Posted 2009-08-18T13:34:00.050

Reputation: 1 075

Answers


You can try to initiate a zone transfer.

You are right though, no sanely configured DNS server should still allow this nowadays. Not just because as a zone admin you don't want to expose your internals, but also because AXFR responses are way bigger than the queries, so they prove to be an excellent way for DoS reflection attacks: a <100 byte spoofable UDP packet can make a server send multiple KB of response to any machine on the internet.

If you still want to try:

In the nslookup utility, you can use ls [name of domain] to get the zone information.

And if you prefer dig, then you can use

dig @dns.example.com example.com -t AXFR

Though as I said, it probably won't work for you.

pilif

Posted 2009-08-18T13:34:00.050

Reputation: 966


There was a period when nslookup was considered by ICS (Internet Systems Consortium) as outdated; the decision was reversed in 2004 with the release of BIND 9.3. In fact you can find changes made during nslookup development even from this month.

– patryk.beza – 2015-07-24T17:31:28.313

How did people abuse it? All of the information is public anyway right? – CMCDragonkai – 2015-12-30T10:47:47.840

@CMCDragonkai the problem is that DNS runs over UDP and thus is easily spoofable. So you can use this as a reflection attack for a DoS (send small query to server with spoofed sender, get huge response sent to victim). Plus a domain might contain internal addresses you don't want anybody to list. – pilif – 2016-01-04T12:26:34.140

Just a question: WHY do you think nslookup is outdated? Can you name some non-outdated alternatives? – Novellizator – 2013-03-25T00:21:27.783

@Novellizator: dig ? – mveroone – 2013-10-01T13:25:55.900
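The flip side of pilif's answer for whoever runs the authoritative server is spotting transfer requests that do not come from your own secondaries. The following is an added example, not code from any answer above: it scans constructed log lines in the shape of BIND's query log (the `@0x...` client handle newer versions print is optional in the pattern) and reports AXFR/IXFR requests from hosts outside an assumed allow-list of secondaries; all addresses are documentation ranges.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample, modelled on BIND's query-log line shape. Not from a real
# server; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = """\
client 198.51.100.2#51342 (example.com): query: example.com IN AXFR -E(0) (203.0.113.10)
client 203.0.113.77#40021 (example.com): query: www.example.com IN A -E(0) (203.0.113.10)
client @0x7f2a4c0b6d10 192.0.2.5#53211 (example.com): query: example.com IN AXFR -E(0) (203.0.113.10)
client 192.0.2.5#53211 (example.com): zone transfer 'example.com/AXFR/IN' denied
client 192.0.2.9#33333 (example.com): query: example.com IN IXFR -E(0) (203.0.113.10)
client 198.51.100.2#51390 (example.com): query: example.com IN AXFR -E(0) (203.0.113.10)
"""

# Assumption for this example: the only host entitled to pull the zone is this secondary.
ALLOWED_SECONDARIES = [ipaddress.ip_network("198.51.100.2/32")]

# Matches both "client 1.2.3.4#port" and "client @0x... 1.2.3.4#port" forms,
# and only the zone-transfer query types.
XFR_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<zone>[^)]+)\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>AXFR|IXFR)"
)


def is_allowed(ip, allowed=ALLOWED_SECONDARIES):
    """True if ip falls inside any network on the allow-list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def find_unexpected_transfers(log_text, allowed=ALLOWED_SECONDARIES):
    """Count (client_ip, zone, qtype) for transfer requests from non-secondaries.

    Ordinary A/AAAA/MX lookups and the server's own 'denied' lines are ignored;
    a denied request from an unknown host is still worth knowing about, so it
    is counted from its query line rather than from the denial line.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = XFR_RE.search(line)
        if m and not is_allowed(m["ip"], allowed):
            hits[(m["ip"], m["zone"], m["qtype"])] += 1
    return hits


if __name__ == "__main__":
    for (ip, zone, qtype), n in find_unexpected_transfers(SAMPLE_LOG).items():
        print(f"{ip} requested {qtype} of {zone} {n} time(s) but is not a known secondary")
```

Feed it a real query log (with `querylog yes;` or the equivalent on your server) and pipe the output into whatever alerting you already have; the two flagged hosts in the constructed sample are the ones pilif's answer says should be getting a refusal.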


I'm not sure if this is exactly what you're looking for however Network-Tools.com solved my problem of wanting to see all the DNS records in the Zone file on a given nameserver:

http://network-tools.com/nslook/

C.J.

Posted 2009-08-18T13:34:00.050

Reputation: 359

Just a warning, this doesn't actually include "all the DNS records in the Zone file" – Molomby – 2014-11-19T04:16:30.190

This doesn't answer the question that was asked. This lets you do a DNS lookup for a single domain name (e.g., www.yahoo.com). It doesn't download all of the records in a zone (e.g., all domains *.yahoo.com). – D.W. – 2016-04-14T23:32:20.830


Since your usual DNS queries are non-wildcard, your only options are:

  • ask politely for the whole list (aka zone transfer or call the admins - i.e. what you wanted to avoid)
  • settle for an incomplete list

Hacking the server and just getting the config file usually is not an option, neither is eavesdropping on the zone transfers to the secondary/backup servers. Apart from those, there is no instance knowing all possible subdomains.

Options for getting incomplete lists:

  • send random queries (aka bruteforce, though you won't get very far - but perhaps some dictionary-style guessing might help you nonetheless)
  • ask google, using the "site:example.com" filter
  • use your own crawler to follow links, hoping that all subdomains you might be interested in are linked somehow. You'll probably miss smtp.example.com, though.

Also keep in mind some zone files do have wildcards themselves, so *.example.com might give you the address(es) of a web dispatcher configured to handle web1.example.com, sales.example.com, etc. differently. This works with all protocols which use the hostname not only at the IP level but also in the application data stream (e.g. name-based virtual hosting for HTTP).

Zefiro

Posted 2009-08-18T13:34:00.050

Reputation: 201

In the case of some people (like 1and1) the support people don't even know what a zone file or zone transfer are, and just send canned replies for "how to transfer your domain registration". Um, no, that's not what I want. – Craig Ringer – 2015-09-14T03:57:32.953

'ask politely for the whole list (aka zone transfer or call the admins - i.e. that what you wanted to avoid)'

Well, wanted to avoid... I have a couple of cases where I DID ask politely, and am entitled to the zonefile (on behalf of one of our customers), but STILL not getting it from the people sitting on the zonefile... :-/ – Evert – 2009-08-19T10:17:01.363


The Internet Corporation for Assigned Names and Numbers (ICANN) created a handy service called the Centralized Zone Data Service (CZDS) which supports retrieval of complete zonefiles for selected domains.

The Centralized Zone Data Service (CZDS) is an online portal where any interested party can request access to the Zone Files provided by participating generic Top-Level Domains (gTLDs).

Zone file access provides anticrime organizations, businesses, cybersecurity professionals, law enforcement, and researchers with a means to download the entire zone file "in bulk." These organizations apply the bulk zone data to combat phishing, spam, brand and trademark infringements, and other malicious uses of domains.

Nic

Posted 2009-08-18T13:34:00.050

Reputation: 161


I know this is a dated question, but I located the following website to obtain this information after stumbling across this question/answer: UltraTools Zone File Dump

In my testing, it was able to provide me with the information I required.

criticman

Posted 2009-08-18T13:34:00.050

Reputation: 119


This won't work for most domains. This website just tries an AXFR transfer, as mentioned in pilif's answer, but as pilif's answer explains, that usually won't work. So, unfortunately, this answer adds little value over pilif's answer, and should be written to explain the caveats.

– D.W. – 2016-04-14T23:34:36.500


I've had a similar demand - to check for domain transfer capabilities on multiple domains in one shot. I've created a web-based tool that allows a domain list (or URL list) as an input. Additionally, all successful transfers are archived so that you would be able to see if domain zone content changes over time.

The project is freeware hosted on GitHub here: Medved

A bit longer description is available at my blog.

This is how it looks:

Basically you just supply a comma-separated list of domains to check and hit the Analyze button. Each domain will have a separate result section with a separate tab for each NS server. A green server name indicates a successful transfer. Orange indicates that most probably TCP port 53 is closed on the remote host (TCP is required for domain transfers). A red server name indicates that the server actively refuses domain transfers - that means it is properly configured.

The tool has a few more useful features that are described in detail in the help section.

mnmnc

Posted 2009-08-18T13:34:00.050

Reputation: 3 637