Online Test of a zone transfer that will attempt to get all DNS records for a target domain. The zone transfer will be tested against all name servers (NS) for a domain.
Digging DNS with a Zone Transfer
A zone transfer from an external IP address is used as part of an attacker's reconnaissance phase. Usually a zone transfer is a normal operation between primary and secondary DNS servers in order to synchronise the records for a domain. This is typically not something you want to be externally accessible. If an attacker can gather all your DNS records, they can use those to select targets for exploitation.
Whether attacker or penetration tester, they will attempt to map the footprint of the organization in order to find areas of weakness to exploit. Usually the information collected is host names, IP addresses and IP network blocks that are related to the targeted organization. A successful zone transfer will make this mapping much easier.
Enter the target domain such as example.com. The dig DNS tool that is available on *nix based platforms will then be used to enumerate all the authoritative Name Servers for the domain. Each Name Server will then be checked remotely for a zone transfer of the target domain. It is often the case that even though the primary name server blocks zone transfers, a secondary or tertiary system may not be configured to block these - hence the check of each name server.
The dig command will be executed as follows to attempt the zone transfer.
dig axfr example.com @ns1.example.com
dig axfr example.com @ns2.example.com
For more information, or for a valid transfer mechanism to test, head over to the site zonetransfer.me. DigiNinja, a well known security researcher, has made the domain zonetransfer.me available for testing and learning, so you can test the online zone transfer tool with the deliberately configured zone transfer capable domain.
Zone Transfer API
This API provides an easy way to grab the results of attempted zone transfers, and the full results of the transfer if it is successful. The output is in plain text and will include the results from the dig command against each of the name servers. Access the API using a web browser, curl or any common scripting language.
The API is designed to be used as a quick reference tool and not for bulk queries; like all our IP Tools there is a limit of 50 (total) requests from a single IP Address per day.
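The following is an added example, not part of the original page or the tool's own code, for auditing your own domain: it reads saved plain-text dig axfr output and reports, for each name server, whether a full transfer was returned. The sample output, the status labels and the function name audit_axfr are constructed for illustration.

```python
import re

# Constructed sample: saved `dig axfr` output for two name servers of
# example.com (documentation addresses); ns1 refuses, ns2 answers.
SAMPLE = """\
; <<>> DiG 9.18.1 <<>> axfr example.com @ns1.example.com
; Transfer failed.

; <<>> DiG 9.18.1 <<>> axfr example.com @ns2.example.com
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN NS ns2.example.com.
www.example.com. 3600 IN A 192.0.2.10
vpn.example.com. 3600 IN A 192.0.2.20
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
;; XFR size: 6 records (messages 1, bytes 312)
"""

BANNER = re.compile(r"^; <<>> DiG \S+ <<>> (.*)$")  # one banner per dig run

def audit_axfr(dig_output):
    """Return {name_server: (status, exposed_names)} (hypothetical helper)."""
    records, server = {}, None
    for line in dig_output.splitlines():
        banner = BANNER.match(line)
        if banner:
            target = re.search(r"@(\S+)", banner.group(1))
            server = target.group(1) if target else "(default resolver)"
            records[server] = []
        elif server and line.strip() and not line.startswith(";"):
            fields = line.split()          # name ttl class type rdata...
            if len(fields) >= 5:
                records[server].append((fields[0], fields[3]))
    report = {}
    for server, rrs in records.items():
        types = [rtype for _, rtype in rrs]
        # RFC 5936: a complete AXFR answer starts and ends with the zone SOA.
        if len(rrs) >= 2 and types[0] == "SOA" and types[-1] == "SOA":
            status = "open"            # whole zone handed to the client
        elif rrs:
            status = "partial"         # records leaked, transfer cut short
        else:
            status = "no transfer"     # refused, timed out or failed
        report[server] = (status, sorted({name for name, _ in rrs}))
    return report

if __name__ == "__main__":
    for server, (status, names) in audit_axfr(SAMPLE).items():
        print(f"{server}: {status} ({len(names)} names exposed)")
```

Any name server reported as open or partial is one whose transfer restrictions should be reviewed, even when the primary already blocks transfers.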