2

How can I check if a DNS Server (let's say a DNS Server inside a private network) is vulnerable to zone transfer attacks when I only have its IP?

I do not have any domain names. I see all these tools like dig, dnsenum, fierce and so on using a domain as a parameter and I do not know which domain I should use as a parameter when the only thing I have is the DNS server IP.

schroeder
  • 125,553
  • 55
  • 289
  • 326
Flama
  • 121
  • 1
  • 1
    I think that the following articles already solved your question : (https://security.stackexchange.com/questions/69290/how-to-test-for-zone-transfer) (https://security.stackexchange.com/questions/10452/dns-zone-transfer-attack) – raDiaSmO May 13 '21 at 02:13
  • You could try using something like reversens.domaintools.com to find all the domains pointed at a name server and go from there... – D0gfather May 13 '21 at 02:12
  • @D0gfather mm ok but I'm inside an internal network with no internet here, is there a command line tool I could use? – Flama May 13 '21 at 12:56
  • @raDiaSmO Those articles don't really solve my question since they all use dig or host with a domain name and I don't have that. – Flama May 13 '21 at 12:57
  • How do you know that the IP you have belongs to the DNS server (assuming you are part of an internal network)? Do you have just an IP or a domain account (Windows AD account) as well? Can you also elaborate on how you got the internal IP? Responses to these questions will help understand your situation better. – M S Sripati May 13 '21 at 21:49
  • @M S Sripati : The IP of the SOA is within the network conf. otherwise no connection to `google.com`. This stands true whichever OS you are running, even on BSOS. – dan Feb 08 '22 at 10:57

2 Answers2

1

First of all, if you are inside the local network that shouldn't be hard to figure out a domain. If you are connected with DHCP have a look at the DNS suffix(es) registered for the connection. It could be something like the company name + .com.

A tool like nslookup can help you too. Request the PTR lookup for the IP address, or use dig -x. You should get a fully qualified host name in return, then you have a domain name.

One way to investigate further is to use a sniffer like Wireshark or tcpdump and sniff the traffic going from and to the server, and you'll quickly find out what DNS requests are sent to that name server.

What you need to know is that the name server may be authoritative for several zones. And each zone may have a different configuration. Thus it is possible that the name server will honor zone transfer requests for some zones and not for others. So you should test them one by one.

Another important point to keep in mind is the IP address of the client. A local IP address may very well be trusted for that purpose whereas a non-local address would not.

Generally speaking, nowadays most name servers are configured not to allow zone transfers to outside entities. But again, local addresses may enjoy more permissive ACLs.

Also, it is not rare for corporations to use a local domain like .local or a subdomain connected to the active directory, or have a split horizon setup.

Kate
  • 7,092
  • 21
  • 23
0

Simply use:

dig @IP_address -x @IP_address

or :

host @IP_address

to get the domain name, then initiate a zone transfer:

dig @IP_address domain_name -t AXFR

But be warned, this will be blocked on any seriously protected network and will rise a high level alarm for the security team, meaning "reconnaissance in progress". Don't do this from your company IP, unless you are paid to perform a pentest and correctly protected.

dan
  • 3,043
  • 14
  • 35