Information Gathering - Web Edition

Brute-forcing can be an effective and highly successful approach to collecting DNS information about a target's infrastructure. However, there is a less invasive and potentially more efficient method for uncovering subdomains: DNS zone transfers.

A DNS zone transfer is a mechanism whose purpose is to replicate DNS records between name servers. If misconfigured, it can inadvertently become a rich source of information about the target.


What is a Zone Transfer?

A DNS zone transfer is essentially a complete copy of all DNS records within a zone (a zone being a domain and its subdomains) from one name server to another. The zone is typically a file or database of DNS records managed by a specific authoritative DNS server.

The zone transfer process is essential, as it maintains consistency and redundancy across DNS servers. The downside is that if it is not adequately secured, unauthorised parties can download the entire zone file, which reveals the complete list of subdomains, their associated IP addresses, and other sensitive DNS data.

```mermaid
sequenceDiagram
    participant S as Secondary Server
    participant P as Primary Server
    S->>P: AXFR Request (Zone Transfer)
    P->>S: SOA Record (Start of Authority)
    loop Zone Transfer
        P->>S: DNS Record
    end
    P->>S: Zone Transfer Complete
    S->>P: ACK (Acknowledgement)
```

Zone Transfer Request (AXFR)

The secondary DNS server begins the process by sending a zone transfer request (AXFR Request) to the primary DNS server.

SOA Record Transfer

Upon receiving the request (and potentially authenticating the secondary server), the primary server responds with the SOA record (Start of Authority). This record contains critical metadata about the zone, including the serial number, which the secondary server uses to determine whether its current data is up to date.

DNS Records Transmission

The primary server then transfers all DNS records in the zone (i.e. all records for the domain) one by one.

This includes the following record types:
- A Records (IPv4)
- AAAA Records (IPv6)
- MX Records (Mail Servers)
- CNAME Records (aliases which map a subdomain to another domain)
- NS Records (Name Servers)

Zone Transfer Complete

Once all records have been transmitted, the primary server signals the end of the zone transfer, so that the secondary server can confirm successful receipt and processing of the zone data.

Acknowledgement (ACK)

The secondary server sends an acknowledgement message back to the primary server, which completes the zone transfer.


The Zone Transfer Vulnerability

While zone transfers are essential for legitimate DNS management, a misconfigured DNS server can turn this process into a significant security vulnerability. The core issue lies in the access controls that govern who (i.e. which secondary servers) can initiate a zone transfer. A properly configured primary DNS server should enforce strict access controls, such as IP-based restrictions or cryptographic authentication, to ensure that only legitimate secondary servers can successfully request an AXFR, thereby safeguarding the zone data.

In the early days of the internet, allowing any client to request a zone transfer from a DNS server was common practice. This simplified, open approach left a massive security flaw: anyone, including malicious actors, could ask a DNS server for a complete copy of its zone file, which contains a vast wealth of information.

Unauthorised Zone Transfer Contents

  • Subdomains (CNAME Records): A complete list of subdomains, many of which may not be discoverable through publicly accessible means and may not be directly linked to the main website.
    These subdomains may include the following:
    - Development servers
    - Staging environments
    - Administrative panels
    - Other potentially sensitive resources
  • IP Addresses (A and AAAA Records): The IP addresses associated with each subdomain, providing potential targets for further reconnaissance or attacks.
  • Name Server Records (NS Records): Details of the authoritative name servers for the domain, revealing the hosting provider and potential misconfigurations.

Remediation of Unauthorised Zone Transfers

Modern DNS servers mitigate this risk from the early days of the internet: primary DNS servers will typically only permit zone transfers to authorised, trusted secondary servers, ensuring that sensitive zone data remains confidential. However, misconfigurations still occur due to human error or outdated DNS practices, which is why attempting a zone transfer (with proper authorisation) remains a valuable reconnaissance technique. Even an unsuccessful attempt may reveal information about the DNS server's configuration and security practices.


Exploiting Zone Transfers

The dig (Domain Information Groper) tool can be used to make a zone transfer request. The command below instructs dig to request a full zone transfer (an AXFR request) from the DNS server responsible for the zone (i.e. the records for a domain); a misconfigured server that allows this will respond with the zone's complete data.

Using Dig for Zone Transfer

In the example below, the domain zonetransfer.me is used; it is a service specifically set up to demonstrate the risks of zone transfers.

```bash
dig axfr @nsztm1.digi.ninja zonetransfer.me
```

Dig command to initiate zone transfer on zonetransfer.me

Example Command Breakdown

- dig (Domain Information Groper)
- axfr (initiates an Asynchronous Full Transfer, i.e. a full zone transfer request)
- @nsztm1.digi.ninja (the @ symbol specifies the DNS server to query, followed by the hostname of that server)
- zonetransfer.me (the target domain for which the zone transfer is requested)

To summarise, the command attempts an AXFR request using dig against the DNS server nsztm1.digi.ninja for the domain zonetransfer.me.

```
; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> axfr @nsztm1.digi.ninja zonetransfer.me
; (1 server found)
;; global options: +cmd
zonetransfer.me.    7200    IN  SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me.    7200    IN  DNSKEY  256 3 7 AwEAAapoL+InQBYx2oi3dI424+dEDFgnVW0cOINfCY3jLrngZxBsEur8 ByhMOQsxoIOYu/7b3c8tj2BwlQquqxZe79QHSW78fK7D+bP/8AosnBG5 K5gJXEvphEtJ9x8/X0Y971XaW9lLmtJ6h4AXsrbgTr2g9KOiPSIbvDPM W8qLMaQkTm89hvPc+NuzrOEOPNhoXs/iPM+SQzrvTBfr6y0w2yPtYYdW I1kN76OQBxh0xjIdlyT0QKiohKq2bybPROJO7K3NlDc8oaOZoXH5/RfL DQzxzXyYSV8fLwimUeulo7YA11I/AHQ7DsUsFu2S2vxGCyR8nmx9gYbN 4sBvTF2i5eM=
zonetransfer.me.    301 IN  TXT "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me.    7200    IN  MX  0 ASPMX.L.GOOGLE.COM.
zonetransfer.me.    7200    IN  MX  10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me.    7200    IN  MX  10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me.    7200    IN  MX  20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me.    7200    IN  MX  20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me.    7200    IN  MX  20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me.    7200    IN  MX  20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me.    7200    IN  A   5.196.105.14
zonetransfer.me.    7200    IN  NS  nsztm1.digi.ninja.
zonetransfer.me.    7200    IN  NS  nsztm2.digi.ninja.
zonetransfer.me.    7200    IN  CERT    PKIX 0 0 MIIDvTCCAqUCFHh5BGzOrlYrXo5h90ipm0aDUEz9MA0GCSqGSIb3DQEB CwUAMIGaMQswCQYDVQQGEwJHQjEYMBYGA1UECAwPU291dGggWW9ya3No aXJlMRIwEAYDVQQHDAlTaGVmZmllbGQxEjAQBgNVBAoMCURpZ2luaW5q YTEQMA4GA1UECwwHSGFja2luZzEYMBYGA1UEAwwPem9uZXRyYW5zZmVy Lm1lMR0wGwYJKoZIhvcNAQkBFg56dG1AZGlnaS5uaW5qYTAeFw0yNTA3 MDIxMzU1MTNaFw0yNjA3MDIxMzU1MTNaMIGaMQswCQYDVQQGEwJHQjEY MBYGA1UECAwPU291dGggWW9ya3NoaXJlMRIwEAYDVQQHDAlTaGVmZmll bGQxEjAQBgNVBAoMCURpZ2luaW5qYTEQMA4GA1UECwwHSGFja2luZzEY MBYGA1UEAwwPem9uZXRyYW5zZmVyLm1lMR0wGwYJKoZIhvcNAQkBFg56 dG1AZGlnaS5uaW5qYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC ggEBALzYVM9WlBqOKU1lmnKJkKdIEZOhkscHQktEJORXCismSWV3Ffbs Lw7D3sfCc0h9ecZglsYvFUmEM0I0noYtuHPAlF2+FotVuoFrYuMYrEQo Zs4kuORIEx8pwHMZQUSM6KwVVLIB/FE956GfovgxGxWs33QaTKATAVCh D9KTLf6wVh/eC+0GI6mbvGvjqZFmmV/SYmmkdqEBWB7q3+SByfVrUohC A2GO30dwk6vUBtIj+J+i4SzKzLXIvFEfbCirMPQvdflgwPbjwp+cWG7o UBvfQZfZbaTp+9+V8FoBl0f8fGj/Mae1n0rSV5hnuXot8d3PAoAWQtW3 HJUv1nEboAMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAXop6ftpV2/r7 tkXqFCsMwub7ZBd12U14nsBon+X7K5Nr6obrVAtnWO+XwD8x2UgvYIQB uRLK9LOX6VYoiWMVrItIN8KRSsin5eJe4tzewsNGrVtkVbbKULViCeBt DgmImk8rkZeWU1uNOsq0t/wd3GUZe2CM9DpKVhPFhc9Uq3pYbAsidYlp SApuuj8ka3L+VruzJVwveyKTUkWAsN1iSv7BGgEF0039WW3IEv1ZP81c AdWFy1fx+tuteM6Iz5xkx1tp0/eLtb39cnKFQnrs8itDG2j3yBc3CClY mw4NNU2nODN4COt7uzXBez6iIFSNqQjVyFyomtPn4ae0cYRHEw==
zonetransfer.me.    300 IN  HINFO   "Casio fx-700G" "Windows XP"
_acme-challenge.zonetransfer.me. 301 IN TXT "6Oa05hbUJ9xSsvYy7pApQvwCUSSGgxvrbdizjePEsZI"
_sip._tcp.zonetransfer.me. 14000 IN SRV 0 0 5060 www.zonetransfer.me.
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200 IN PTR www.zonetransfer.me.
asfdbauthdns.zonetransfer.me. 7900 IN   AFSDB   1 asfdbbox.zonetransfer.me.
asfdbbox.zonetransfer.me. 7200  IN  A   127.0.0.1
asfdbvolume.zonetransfer.me. 7800 IN    AFSDB   1 asfdbbox.zonetransfer.me.
canberra-office.zonetransfer.me. 7200 IN A  202.14.81.230
cmdexec.zonetransfer.me. 300    IN  TXT "; ls"
contact.zonetransfer.me. 2592000 IN TXT "Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes"
dc-office.zonetransfer.me. 7200 IN  A   143.228.181.132
deadbeef.zonetransfer.me. 7201  IN  AAAA    dead:beaf::
dr.zonetransfer.me. 300 IN  LOC 53 20 56.558 N 1 38 33.526 W 0.00m 1m 10000m 10m
DZC.zonetransfer.me.    7200    IN  TXT "AbCdEfG"
email.zonetransfer.me.  2222    IN  NAPTR   1 1 "P" "E2U+email" "" email.zonetransfer.me.zonetransfer.me.
email.zonetransfer.me.  7200    IN  A   74.125.206.26
Hello.zonetransfer.me.  7200    IN  TXT "Hi to Josh and all his class"
home.zonetransfer.me.   7200    IN  A   127.0.0.1
Info.zonetransfer.me.   7200    IN  TXT "ZoneTransfer.me service provided by Robin Wood - robin@digi.ninja. See http://digi.ninja/projects/zonetransferme.php for more information."
internal.zonetransfer.me. 300   IN  NS  intns1.zonetransfer.me.
internal.zonetransfer.me. 300   IN  NS  intns2.zonetransfer.me.
intns1.zonetransfer.me. 300 IN  A   81.4.108.41
intns2.zonetransfer.me. 300 IN  A   167.88.42.94
office.zonetransfer.me. 7200    IN  A   4.23.39.254
ipv6actnow.org.zonetransfer.me. 7200 IN AAAA    2001:67c:2e8:11::c100:1332
owa.zonetransfer.me.    7200    IN  A   207.46.197.32
robinwood.zonetransfer.me. 302  IN  TXT "Robin Wood"
rp.zonetransfer.me. 321 IN  RP  robin.zonetransfer.me. robinwood.zonetransfer.me.
sip.zonetransfer.me.    3333    IN  NAPTR   2 3 "P" "E2U+sip" "!^.*$!sip:customer-service@zonetransfer.me!" .
sqli.zonetransfer.me.   300 IN  TXT "' or 1=1 --"
sshock.zonetransfer.me. 7200    IN  TXT "() { :]}; echo ShellShocked"
staging.zonetransfer.me. 7200   IN  CNAME   www.sydneyoperahouse.com.
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A 127.0.0.1
testing.zonetransfer.me. 301    IN  CNAME   www.zonetransfer.me.
vpn.zonetransfer.me.    4000    IN  A   174.36.59.154
www.zonetransfer.me.    7200    IN  A   5.196.105.14
xss.zonetransfer.me.    300 IN  TXT "'><script>alert('Boo')</script>"
zonetransfer.me.    7200    IN  SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
;; Query time: 10 msec
;; SERVER: 81.4.108.41#53(nsztm1.digi.ninja) (TCP)
;; WHEN: Wed Jul 23 06:23:59 CDT 2025
;; XFR size: 52 records (messages 1, bytes 3339)
```

Successful Full DNS zone transfer response from dig
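Once a transfer succeeds, the output is usually saved and triaged rather than read by eye. The following Python script is an added example (not part of the original notes or of dig) that parses saved `dig axfr` output, checks that the transfer is complete (an AXFR is bracketed by two copies of the apex SOA with the same serial), counts records the way dig's "XFR size" does, answers lookups of the kind the exercises ask, and flags records a defender would not want published: non-global addresses and NS delegations below the apex. The embedded input is a constructed subset of the zonetransfer.me output above.

```python
import ipaddress

# Constructed sample: a subset of the dig axfr output above; trailer adjusted to 8 records (SOA counted twice).
SAMPLE_AXFR = """\
; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> axfr @nsztm1.digi.ninja zonetransfer.me
;; global options: +cmd
zonetransfer.me.    7200    IN  SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me.    7200    IN  A   5.196.105.14
zonetransfer.me.    7200    IN  NS  nsztm1.digi.ninja.
home.zonetransfer.me.   7200    IN  A   127.0.0.1
internal.zonetransfer.me. 300   IN  NS  intns1.zonetransfer.me.
vpn.zonetransfer.me.    4000    IN  A   174.36.59.154
www.zonetransfer.me.    7200    IN  A   5.196.105.14
zonetransfer.me.    7200    IN  SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
;; XFR size: 8 records (messages 1, bytes 3339)
"""

def parse_axfr(text):
    """Turn dig's axfr output into (name, ttl, type, rdata) tuples, skipping ';' comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        name, ttl, _cls, rtype, rdata = line.split(None, 4)   # rdata may itself contain spaces
        records.append((name.lower().rstrip("."), int(ttl), rtype, rdata.strip()))
    return records

def is_complete(records):
    """A valid AXFR starts and ends with the apex SOA, and both copies carry the same serial."""
    if len(records) < 2 or records[0][2] != "SOA" or records[-1][2] != "SOA":
        return False
    return records[0][3].split()[2] == records[-1][3].split()[2]

def lookup_a(records, name):
    """All IPv4 addresses published for one hostname; len(records) matches dig's 'XFR size'."""
    name = name.lower().rstrip(".")
    return [rdata for n, _ttl, rtype, rdata in records if n == name and rtype == "A"]

def largest_a_in(records, cidr):
    """Highest A-record address inside the given network, or None if the zone has none there."""
    net = ipaddress.ip_network(cidr)
    inside = [ipaddress.ip_address(d) for _n, _ttl, t, d in records
              if t == "A" and ipaddress.ip_address(d) in net]
    return str(max(inside)) if inside else None

def flag_internal(records):
    """Defender's triage: non-global addresses, or NS delegations below the apex (internal zones)."""
    apex = records[0][0]
    return [(n, t, d) for n, _ttl, t, d in records
            if (t in ("A", "AAAA") and not ipaddress.ip_address(d).is_global)
            or (t == "NS" and n != apex)]
```

Run it against the full output above (or any saved `dig axfr` capture) and the loopback records for asfdbbox and home, plus the internal.zonetransfer.me delegation, are exactly what should prompt a review of the zone's allow-transfer policy.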


Exercises

Q: After performing a zone transfer for the domain inlanefreight.htb on the target system, how many DNS records are retrieved from the target system's name server? Provide your answer as an integer, e.g. 123.
A: 22

Q: Within the zone record transferred above, find the IP address for ftp.admin.inlanefreight.htb. Respond only with the IP address, e.g. 127.0.0.1
A: 10.10.34.2

Q: Within the same zone record, identify the largest IP address allocated within the 10.10.200 IP range. Respond with the full IP address, e.g. 10.10.200.1
A: 10.10.200.14
