Home » Questions » Computers [ Ask a new question ]

Is there a way to get the complete zone file for a domain without contacting its host?

Is there a way to get the complete zone file for a domain without contacting its host?

"I know that it's probably (no longer) possible because of abuse, but I want to check nonetheless.
Is there a way for me to obtain the company zone file for a domain myself, without having to contact the people who host the DNS for that domain?"

Asked by: Guest | Views: 36
Total answers/comments: 4
Guest [Entry]

"You can try to initiate a zone transfer.

You are right though, no sanely configured DNS server should still allow this nowadays. Not just because as a zone admin you don't want to expose your internals but also because AXFR responses are way bigger than the queries, so they prove to be an excellent way for DoS reflection attacks as a <100 bytes spoofable UDP package can make a server send multiple KB of response to any machine on the internet.

If you still want to try:

In the nslookup utility, you can use ls [name of domain] to get the zone information.

And if you prefer dig, then you can use

dig @dns.example.com example.com -t AXFR

Though as I said, it probably won't work for you."
Guest [Entry]

"Since your usual DNS queries are non-wildcard, your only options are:

ask politely for the whole list (aka zone transfer or call the admins - i.e. that what you wanted to avoid)
settle for an incomplete list

Hacking the server and just getting the config file usually is not an option, neither is eavesdropping on the zone transfers to the secondary/backup servers. Apart from those, there is no instance knowing all possible subdomains.

Options for getting incomplete lists:

send random queries (aka bruteforce, though you won't get very far - but perhaps some dictionary-style guessing might help you nonetheless)
ask google, using the ""site:example.com"" filter
use your own crawler to follow links, hoping that all subdomains you might be interested in are linked somehow. You'll probably miss smtp.example.com, though.

Also keep in mind some zone files do have wildcards themselves, so *.example.com might give you the address(es) of a web dispatcher configured to handle web1.example.com, sales.example.com, etc. differently. This works with all protocols which use the hostname not only in the IP-level but also in the application data stream. (e.g. name based virtual hosting for http)"
Guest [Entry]

"The Internet Corporation for Assigned Names and Numbers (ICANN) created a handy service called the Centralized Zone Data Service (CZDS) which supports retrieval of complete zonefiles for selected domains.

The Centralized Zone Data Service (CZDS) is an online portal where any interested party can request access to the Zone Files provided by participating generic Top-Level Domains (gTLDs).
Zone file access provides anticrime organizations, businesses, cybersecurity professionals, law enforcement, and researchers with a means to download the entire zone file ""in bulk."" These organizations apply the bulk zone data to combat phishing, spam, brand and trademark infringements, and other malicious uses of domains."
Guest [Entry]

"Mail exchangers, SPF, and others

Although it seems obvious, I find the hardest part about moving a domain is usually something related to the email setup. To this end, maybe it would help to know about the ANY, TXT, MX and SOA options in dig, as I didn't see this mentioned as yet by anyone. While I wouldn't recommend anything other than getting the zone-file straight from the horses mouth, if you are in desperado mode and feel the need for speed you might wanna try mx, soa, txt, and any options, but you will miss all sub-domains in my case it is not obvious to discover the sub-domain lists.triptonites.com which requires mail service.

Notice how the following all give slightly different info that is not obvious

dig any triptonites.com # mite not work
dig mx triptonites.com # for email to work
dig soa triptonites.com # for email abuse / admin
dig txt triptonites.com # for SPF authentication / anti-spam
dig any lists.triptonites.com # shows RFC8482 warning sometimes / always
dig mx lists.triptonites.com # etc as above it shows you'd likely miss records trying to hack this info out
dig soa lists.triptonites.com
dig txt lists.triptonites.com

These all give useful info that could get missed from a casual hack using nslookup and dig etc.

Also, I did it too many times and the server gave an abuse response:

lists.triptonites.com. 3789 IN HINFO ""RFC8482"" """"

This is another sign this approach is a bit wrong/risky, it's not the correct reply, it's a message about minimal replies and that I should try these using mx, txt and soa instead of any."