At times when working with DNS, it may be necessary to obtain a full listing of a particular zone file’s contents. We do this by performing a DNS zone transfer.
Let me first say that the term “zone transfer” is a little misleading and confused me in the beginning. To some it may imply that a transfer of files is taking place between systems. This is not the case. All that is happening is a query is made and a transfer of information is returned. That information we want to obtain is the contents of a given zone file. It may have been better termed a “zone query” but for all intents and purposes it is referred to as a zone transfer.
There are basically two steps involved in performing a zone transfer. In our example we will use the test domain of “zonetransfer.me” as the zone we want to query for our zone transfer. So the first thing we need to figure out are the authoritative DNS servers attached to that zone. To figure that out we type the following dig command:
dig -t NS <zone> (-t NS: specifies we want name server records returned)
> dig -t NS zonetransfer.me ; <<>> DiG 9.8.3-P1 <<>> NS zonetransfer.me ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40171 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;zonetransfer.me. IN NS ;; ANSWER SECTION: zonetransfer.me. 7200 IN NS nsztm1.digi.ninja. zonetransfer.me. 7200 IN NS nsztm2.digi.ninja. ;; Query time: 81 msec ;; SERVER: 1.1.1.1#53(1.1.1.1) ;; WHEN: Mon Jun 11 22:59:50 2018 ;; MSG SIZE rcvd: 85
Here we can see there are two authoritative name servers for that zone: nsztm1.digi.ninja and nsztm2.digi.ninja. Now we have all the information we need to perform a zone transfer. We’ll perform our first zone transfer by using the nsztm1.digi.ninja name server and typing the following:
dig -t AXFR @<name server> <zone> (-t AXFR: specifies we want to do a zone transfer)
> dig -t AXFR @nsztm1.digi.ninja zonetransfer.me
<<>> DiG 9.8.3-P1 <<>> @nsztm1.digi.ninja zonetransfer.me axfr
; (1 server found)
;; global options: +cmd
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2017042001 172800 900 1209600 3600
zonetransfer.me. 300 IN HINFO "Casio fx-700G" "Windows XP"
zonetransfer.me. 301 IN TXT "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me. 7200 IN MX 0 ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN A 5.196.105.14
zonetransfer.me. 7200 IN NS nsztm1.digi.ninja.
zonetransfer.me. 7200 IN NS nsztm2.digi.ninja.
_sip._tcp.zonetransfer.me. 14000 IN SRV 0 0 5060 www.zonetransfer.me.
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200 IN PTR www.zonetransfer.me.
asfdbauthdns.zonetransfer.me. 7900 IN AFSDB 1 asfdbbox.zonetransfer.me.
asfdbbox.zonetransfer.me. 7200 IN A 127.0.0.1asfdbvolume.zonetransfer.me. 7800 IN AFSDB 1 asfdbbox.zonetransfer.me.
canberra-office.zonetransfer.me. 7200 IN A 202.14.81.230
cmdexec.zonetransfer.me. 300 IN TXT "\; ls"
contact.zonetransfer.me. 2592000 IN TXT "Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes"
dc-office.zonetransfer.me. 7200 IN A 143.228.181.132
deadbeef.zonetransfer.me. 7201 IN AAAA dead:beaf::
dr.zonetransfer.me. 300 IN LOC 53 20 56.558 N 1 38 33.526 W 0.00m 1m 10000m 10m
DZC.zonetransfer.me. 7200 IN TXT "AbCdEfG"
email.zonetransfer.me. 2222 IN NAPTR 1 1 "P" "E2U+email" "" email.zonetransfer.me.zonetransfer.me.
email.zonetransfer.me. 7200 IN A 74.125.206.26
home.zonetransfer.me. 7200 IN A 127.0.0.1
Info.zonetransfer.me. 7200 IN TXT "ZoneTransfer.me service provided by Robin Wood - robin@digi.ninja. See http://digi.ninja/projects/zonetransferme.php for more information."
internal.zonetransfer.me. 300 IN NS intns1.zonetransfer.me.
internal.zonetransfer.me. 300 IN NS intns2.zonetransfer.me.
intns1.zonetransfer.me. 300 IN A 81.4.108.41
intns2.zonetransfer.me. 300 IN A 167.88.42.94
office.zonetransfer.me. 7200 IN A 4.23.39.254
ipv6actnow.org.zonetransfer.me. 7200 IN AAAA 2001:67c:2e8:11::c100:1332
owa.zonetransfer.me. 7200 IN A 207.46.197.32
robinwood.zonetransfer.me. 302 IN TXT "Robin Wood"
rp.zonetransfer.me. 321 IN RP robin.zonetransfer.me. robinwood.zonetransfer.me.
sip.zonetransfer.me. 3333 IN NAPTR 2 3 "P" "E2U+sip" "!^.*$!sip:customer-service@zonetransfer.me!" .
sqli.zonetransfer.me. 300 IN TXT "' or 1=1 --"
sshock.zonetransfer.me. 7200 IN TXT "() { :]}\; echo ShellShocked"
staging.zonetransfer.me. 7200 IN CNAME www.sydneyoperahouse.com.
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A 127.0.0.1
testing.zonetransfer.me. 301 IN CNAME www.zonetransfer.me.
vpn.zonetransfer.me. 4000 IN A 174.36.59.154
www.zonetransfer.me. 7200 IN A 5.196.105.14
xss.zonetransfer.me. 300 IN TXT "'>"
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2017042001 172800 900 1209600 3600
;; Query time: 112 msec
;; SERVER: 81.4.108.41#53(81.4.108.41)
;; WHEN: Mon Jun 11 23:11:07 2018
;; XFR size: 48 records (messages 1, bytes 1864)
All of that output is what is contained in that zone file (zonetransfer.me) on that name server (nsztm1.digi.ninja). If we wanted, we could perform the same command on the other name server, nsztm2.digi.ninja, and we would then have the contents of that same zone but from the other name server. The output should be relatively similar.
There you have it. We have now performed a complete set of zone transfers for a given domain.
My-IT.log by Steve Dickinson 