Zone Transfers

Zone Transfers are an important source of information about a given network. Their purpose is to allow backup DNS servers to synchronize with their primary servers by basically saying, "Hey, give me everything you've got for foo domain..." This information, as with most information, can benefit either good guys or bad guys, depending on the application.

This short piece will discuss what makes up a zone transfer request, and how to perform them using a few command-line tools.

What is a Zone Transfer?

A Zone Transfer is a type of DNS query that simply asks for all records related to a specified domain. This is in contrast to a regular DNS request that asks for only one thing at a time -- like google.com, or yahoo.com. When you perform a zone transfer you're essentially saying, give me everything you have for foo.com, or whatever domain.

The important thing to remember about this is the structure of the zone transfer request. It reduces to two main parts:

  1. Who are you asking the question? (the server you're asking)
  2. Who are you asking about? (the target domain)

So in other words, if we were dealing with people it would be like asking Julie to give you a list of all John's friends. Or asking John for a list of Chris's friends. You can even ask Chris for a list of his own friends. The point is that you have two pieces -- who you're asking the question, and then who you're gathering information about.
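The same two pieces show up on the wire. The sketch below is an added example, not part of the original article: it builds the bytes of a zone transfer (AXFR) query and decodes them again, showing that the target domain travels in the question section with query type 252 while the server appears nowhere in the message, since it is simply the host the TCP connection is opened to. The function names, the transaction ID and the example.com domain are assumptions chosen for illustration.

```python
import struct

QTYPE_AXFR = 252  # RFC 1035 / RFC 5936: request for a transfer of the whole zone
QCLASS_IN = 1     # Internet class

def encode_name(domain):
    """Encode 'example.com' as length-prefixed DNS labels ending in a zero byte."""
    out = b""
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1-63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_axfr_query(domain, txid=0x1234):
    """Return the TCP-framed AXFR query for `domain` (txid is an arbitrary ID)."""
    # Header: ID, flags (0 = standard query), 1 question, no other records.
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    # Question: the "who are you asking about" piece plus QTYPE and QCLASS.
    question = encode_name(domain) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    msg = header + question
    # Zone transfers run over TCP, where each message has a 2-byte length prefix.
    return struct.pack("!H", len(msg)) + msg

def parse_question(framed):
    """Decode a framed query back into (domain, qtype, qclass)."""
    (length,) = struct.unpack("!H", framed[:2])
    msg = framed[2:2 + length]
    if len(msg) != length or length < 12:
        raise ValueError("truncated DNS message")
    pos, labels = 12, []  # the question section starts after the 12-byte header
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return ".".join(labels), qtype, qclass

if __name__ == "__main__":
    # Constructed sample: "example.com" is a placeholder domain.
    query = build_axfr_query("example.com")
    print(query.hex())
    print(parse_question(query))
```

Nothing in the 31 bytes names the server being asked; that piece is supplied by the tool when it opens the connection.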

The Tools

Most people use Linux command-line tools to perform zone transfers; I won't go into the reasons for this, but suffice it to say that both the CLI and Linux in general are geared for more knowledgeable users, who are the types of people who are supposed to be doing zone transfers in the first place.

host

My old favorite for doing zone transfers was the host command. Using it there are two (2) steps to the process.

  1. Set your nameserver to the server you're going to ask.
  2. Ask the question using
    host -la $domain

Remember, it's two pieces -- who you're asking, and what domain you're asking about. And with host you have to configure your resolv.conf file in order to accomplish the first part.

dig

With dig you can do it all in one step, as both pieces of the query are given right in the command.

dig @server domain axfr

So the server is who you're asking, and the domain is who you're asking about. Both steps, one command.

nslookup on Windows

If you're averse to Linux or don't have access to a Linux system you can do this same thing in Windows. It's accomplished using the nslookup command, like so.

  1. Type nslookup on the Windows command line.
  2. Type "server $target_server" at the prompt, which will configure nslookup to resolve against that server.
  3. Type "set type=any" to configure nslookup to ask for all record types.
  4. Type "ls -d $domain > $file_name_for_results" to capture the results into a file.

So it's a bit more involved, but it does the job. Remember, two steps -- the server command sets the who, and the "ls -d" command asks for the records for whatever domain.

Conclusion

So that's it -- how to perform zone transfers using three different command line tools. For the GUI inclined I'd suggest SamSpade for Windows.

Also, even though performing zone transfers is not technically illegal in most places, it's a pretty good idea to have permission before doing so against servers or domains that you don't legally administer. Given our current political culture this kind of stuff can become illegal anywhere at any time due to the whims of an ignorant judge -- just ask North Dakota.