11

I heard that it is possible to test for zone transfer attacks on a web application using host and dig commands in Linux. How is it done?

AviD
Anandu M Das

1 Answer

31

The syntax for host is:

host -t axfr domain.name dns-server

For dig:

dig axfr @dns-server domain.name

Replace dns-server with the authoritative DNS server and domain.name with your target domain name.

Keep in mind that this has very little to do with web applications; the above has to do with DNS. If we're talking about penetration testing, DNS zone transfers are a check one is more likely to perform while doing a network (rather than an application) pentest.

DigiNinja had put up a domain name zonetransfer.me for testing. Example:

$ host -t axfr zonetransfer.me nsztm1.digi.ninja.
Trying "zonetransfer.me"
Using domain server:
Name: nsztm1.digi.ninja.
Address: 167.88.42.94#53
Aliases: 

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15449
;; flags: qr aa; QUERY: 1, ANSWER: 41, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;zonetransfer.me.               IN      AXFR

;; ANSWER SECTION:
zonetransfer.me.        7200    IN      SOA     nsztm1.digi.ninja. robin.digi.ninja. 2014101001 172800 900 1209600 3600
zonetransfer.me.        301     IN      TXT     "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04Vl
... etc
Sandro Gauci
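The check from the answer above, turned into a pass/fail audit for a zone you operate. This is an added example, not part of the original answer; the function names `axfr_verdict` and `audit_zone` and the `example.test` records are constructed for illustration.

```shell
#!/bin/sh
# Added example. Names and sample data are constructed, not from the page.

# axfr_verdict ZONE: read `dig axfr` or `host -t axfr` output on stdin, print
#   OPEN <n>     complete transfer of n records (the zone is handed out)
#   PARTIAL <n>  records came back but are not framed by the zone SOA
#   REFUSED      no records at all (dig prints "; Transfer failed.")
axfr_verdict() {
    awk -v zone="$1" '
        BEGIN { z = tolower(zone); sub(/\.$/, "", z); z = z "." }
        /^;/ || $3 != "IN" { next }        # keep only IN-class record lines
        { n++; name[n] = tolower($1); type[n] = $4 }
        END {
            # RFC 5936: a complete AXFR begins and ends with the zone SOA
            framed = (n >= 2 && type[1] == "SOA" && type[n] == "SOA" &&
                      name[1] == z && name[n] == z)
            if (framed)     printf "OPEN %d\n", n - 1   # closing SOA is a repeat
            else if (n > 0) printf "PARTIAL %d\n", n
            else            print "REFUSED"
        }'
}

# audit_zone ZONE: ask every authoritative server of the zone for an AXFR.
# Needs network access and dig; not called by this script itself.
audit_zone() {
    for ns in $(dig +short NS "$1"); do
        printf '%s %s\n' "$ns" "$(dig axfr "@$ns" "$1" | axfr_verdict "$1")"
    done
}

# Constructed sample outputs so the parser can be exercised offline.
SAMPLE_OPEN='; constructed sample of a successful transfer
example.test.      3600 IN SOA ns1.example.test. admin.example.test. 1 7200 900 1209600 3600
example.test.      3600 IN NS  ns1.example.test.
vpn.example.test.  3600 IN A   192.0.2.10
example.test.      3600 IN SOA ns1.example.test. admin.example.test. 1 7200 900 1209600 3600
;; XFR size: 4 records'
SAMPLE_REFUSED='; constructed sample of a refused transfer
; Transfer failed.'

printf '%s\n' "$SAMPLE_OPEN"    | axfr_verdict example.test
printf '%s\n' "$SAMPLE_REFUSED" | axfr_verdict example.test
```

A server that reports OPEN should have transfers restricted to its secondaries, for example with BIND's `allow-transfer`.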