DNS Interrogation: Zone Transfer Tutorial

Zone transfer is the process where a name server lists all of its DNS information.

Zone transfer is essentially used by secondary name server to update its zone database by requesting information from the primary name server. Albeit zone transfer should only be allowed from the primary name server to the secondary name server, because of not properly configuring them, some name servers allow zone transfers to external systems too. This represents a serious security hole as an attacker could query the authoritative name servers to harvest domains and I.P addresses associated with the target organization.

Before we get into the methods of conducting zone transfer, we have to know what a zone is.

The domain namespace is designed in a tree like fashion with root at the top and top-level domains as its children nodes (first-level nodes). These top-level domains could be further divided into sub-domains which, in-turn, could be divided further into more sub-domains.

Domain namespace contains a lot of information which is distributed among many computers called DNS servers. Each of these servers is authoritative for a large or a small domain i.e the servers are arranged in the same hierarchy as the names.

DNS Server Hierarchy
DNS Hierarchy

The information for which a server is responsible is called a zone. When we assign an authoritative name server to a domain — say, xyz.net — the domain becomes a zone for that name server. If a subdomain is created for xyz.net, the new subdomain could either be managed by the same name server, in which case it becomes a part of the original zone:xyz.net; or, the name server could delegate away authority for that subdomain to some other name server, in which case the subdomain acts as zone for that new name server.

For example, consider the figure below, here, three subdomains — et1.xyz.net, et2.xyz.net and et3.xyz.net — are created from the domain xyz.net. Domains xyz.net, et1.xyz.net and et2.xyz.net are managed by the same name server and are collectively part of the zone- xyz.net. Here, zone and domain are separate; the zone xyz.net houses three domains: xyz.net, et1.xyz.net and et2.xyz.net

DNS zones
DNS zones

The third domain — et3.xyz.net — is delegated to some other name server and acts as a zone for that domain. Here, the zone and the domain refer to the same thing.

It is imperative to note that a single name server can have multiple zones. For instance, if the name server was authoritative for domains: xyz.net, abc.net and pqr.net, there would have been three zones: xyz.net, abc.net and pqr.net respectively. The name server stores information pertaining to all the zones in a zone file.

Prior to conducting a zone transfer, we need to know the authoritative name server for that domain.This information can be obtained very easily by performing a WHOIS lookup of the target website which gives us a list of name servers arranged in the order– primary, secondary, tertiary(rarely exists), etc.

Next, we look at some of the methods to perform zone transfer.

Zone Transfer in Windows. In Windows, zone transfer can be conducted via the nslookup command. The nslookup command is present in both Windows and Unix and is instrumental in performing zone transfer. However, in the recent versions of Linux, its zone transfer functionality has been whisked off. To perform zone transfer in Linux we have to make use of the dig command.

Steps to perform zone transfer:

a) C:\>nslookup

b) > server [authoritative name server's I.P address or name]

c) > set type=any

d) > ls -d [domain] or > ls -d [domain] > [filename]

Significance of each command.


This command starts nslookup in interactive mode.

> server [authoritative name server’s I.P address or name]

This command sets our default server to the authoritative name server.

> set type=any

This sets the query type to any. There are various DNS records like: Address record(A), Host information record(HINFO), Mail exchange record(MX) etc; setting the query type to any species that we are interested in any kind of DNS record.

> ls -d [domain]
> ls -d [domain] > [filename]

ls command is used to list addresses in domain. The -d option species that we want to list all types of records. If a zone transfer is allowed, this command will return all data pertaining to that domain (i.e perform zone transfer 😀 )

Zone Transfer in Unix
In Unix, to perform zone transfer, we make use of the dig (domain information groper) command. We can conduct either a full or an incremental zone transfer.

Full Zone Transfer
<code>$ dig @[authoritative name server IP] [domain] -t AXFR</code>

This command will set the query type to AXFR and perform a zone transfer for the given domain.

Incremental Zone Transfer
<code>$ dig @[authoritative name server IP] [domain] -t IXFR=[N]</code>

This command will conduct a zone transfer for a given domain, pulling all the changes made to the zone since the serial number in the zone’s SOA record was equal to some value N.

External Tools for Conducting zone transfer
There is plethora of tools which could help with zone transfer–Sampspade, maltego, necrosoft dig, to name just a few.

Additionally, you could also employ websites like Network-Tools and DNSstuff for this purpose.

DNS Interrogation Defenses
a) Configure your name servers such that only primary accepts zone transfer requests, and that too, from only secondary and tertiary name servers.

b) Consider using split-DNS — an architectue, where internal and external DNS servers are sun separately.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: