DNS servers use zone transfers to replicate databases across servers. This allows administrators to make changes on one server and then push these changes to the others rather than manually updating all of them. Most DNS servers only allow zone transfers to trusted peers due to the valuable information they reveal. However, when doing reconnaissance it’s still worthwhile for penetration testers and other security professionals to check if zone transfers are allowed.
Digi.ninja allows security practitioners to practice zone transfers with the domain zonetransfer.me.
How to Start a Zone Transfer
First you need to find the domain’s DNS servers. We can do that with the dig command like so:
This gives the following output:
Now that we know what the domain’s DNS servers are, we can use dig to request a zone transfer:
Alternatively, we could use the host command to initiate a zone transfer:
The zone transfer gives us a lot of information!
Try it yourself and see what kind of information you can glean from perusing the zone transfer data. Can you determine which is the primary name server and who the contact for it is? What about the mail servers?
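To work through those questions, here is an added example (not from the original post or from Digi.ninja) that parses zone transfer output in the format dig prints and extracts the primary name server, the contact address and the mail servers. The sample records are constructed for the placeholder zone example.com, and the function names are hypothetical.

```python
import re

# Constructed sample in `dig axfr` output format (placeholder zone, not real data).
SAMPLE_AXFR = r"""; <<>> DiG <<>> axfr example.com @ns1.example.com
example.com.          7200 IN SOA ns1.example.com. hostmaster\.dns.example.com. 2024010101 172800 900 1209600 3600
example.com.          7200 IN NS  ns2.example.com.
example.com.          7200 IN NS  ns1.example.com.
example.com.          7200 IN MX  20 mail2.example.com.
example.com.          7200 IN MX  10 mail1.example.com.
intranet.example.com. 300  IN A   192.0.2.10
example.com.          7200 IN SOA ns1.example.com. hostmaster\.dns.example.com. 2024010101 172800 900 1209600 3600
;; XFR size: 7 records
"""

def parse_records(text):
    """Return (owner, ttl, rtype, rdata) tuples, skipping dig's ';' comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)
        if len(fields) == 5 and fields[2] == "IN":
            owner, ttl, _cls, rtype, rdata = fields
            records.append((owner, int(ttl), rtype, rdata))
    return records

def rname_to_email(rname):
    """SOA RNAME is a mailbox: the first unescaped dot stands for '@' (RFC 1035)."""
    local, domain = re.split(r"(?<!\\)\.", rname.rstrip("."), maxsplit=1)
    return local.replace("\\.", ".") + "@" + domain

def summarize(text):
    """Answer: primary name server, zone contact, mail servers by preference."""
    records = parse_records(text)
    soa = next(r for r in records if r[2] == "SOA")
    mname, rname = soa[3].split()[:2]  # first two SOA fields: MNAME, RNAME
    mx = sorted((int(pref), host) for pref, host in
                (r[3].split() for r in records if r[2] == "MX"))
    return {
        "primary_ns": mname,
        "contact": rname_to_email(rname),
        "mail_servers": [host for _, host in mx],  # lowest preference first
        "name_servers": sorted(r[3] for r in records if r[2] == "NS"),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_AXFR).items():
        print(f"{key}: {value}")
```

The same summary is useful to zone administrators reviewing what their own servers would disclose if transfers were not restricted to trusted peers.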
For more information on how to read the information gathered from a zone transfer, please visit Digi.Ninja: https://digi.ninja/projects/zonetransferme.php