DNS Zone transfers using Dig


Zone transfers (AXFR) will allow you to pull an entire record set down from a nameserver at once. If successful, you will be provided with a listing of all information on the nameserver from one simple command.
In secured environments it is highly unlikely that zone transfers are enabled, as they give an attacker a wealth of data about hostnames and other infrastructure details. Before you begin, first find the name servers for the domain myexample.com using the nslookup or host command. Please take time to inspect Dig's command line options:

man dig

We will now go through the necessary steps to perform a zone transfer on the domain myexample.com.
# dig @ns1.myexample.com myexample.com axfr
; <<>> DiG 9.7.0-P1 <<>> @ns1.myexample.com myexample.com axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.

Our results indicate that the transfer has failed. In this case the administrator of the nameserver has properly disabled the ability to perform zone transfers. Now we will try another nameserver on the same domain and see if zone transfers are disabled on it as well.
# dig @ns16.myexample.com myexample.com axfr
; (1 server found)
;; global options: +cmd
myexample.com. 7200 IN SOA ns16.example1.com. soacontact.example1.com. 2011409732 2400 360 1209600 300
myexample.com. 7200 IN NS ns14.example1.com.
myexample.com. 7200 IN NS ns16.example1.com.
mail.myexample.com. 300 IN MX 1 mail1.myexample.com.
testmachine.myexample.com. 300 IN A 192.168.1.1
irc.myexample.com. 300 IN A 192.168.1.1
mail1.myexample.com. 300 IN A 192.168.1.1
note.myexample.com. 300 IN TXT "This is an myexample of a note"
myexample.com. 7200 IN SOA ns16.example1.com. soacontact.example1.com. 2011409732 2400 360 1209600 300
;; Query time: 383 msec
;; SERVER: 69.64.68.41#53(69.64.68.41)
;; WHEN: Wed Oct 12 16:04:17 2011
;; XFR size: 10 records (messages 10, bytes 579)

While reviewing the records pulled for myexample.com we find several points of interest. It seems that myexample.com has several subdomains that are directed at the same IP address. If this site had not been set up strictly as an example, you would have the real IP addresses of systems that could then be enumerated. Also, there is a TXT record containing trivial information.
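Whether a transfer was refused, and what an open zone actually reveals, can be judged from the saved dig output. The following Python is an added example (not part of the original article): it parses `dig @ns domain axfr` output into resource records, then groups hostnames by address and collects TXT records, the two observations made above. The sample input is constructed from the output shown above; the hosts and addresses are not real.

```python
import re
from collections import defaultdict

# Constructed sample input: the successful AXFR shown above (SOA on one
# line, as dig actually prints it) and the refused case.
OPEN_AXFR = """\
;; global options: +cmd
myexample.com. 7200 IN SOA ns16.example1.com. soacontact.example1.com. 2011409732 2400 360 1209600 300
myexample.com. 7200 IN NS ns14.example1.com.
myexample.com. 7200 IN NS ns16.example1.com.
mail.myexample.com. 300 IN MX 1 mail1.myexample.com.
testmachine.myexample.com. 300 IN A 192.168.1.1
irc.myexample.com. 300 IN A 192.168.1.1
mail1.myexample.com. 300 IN A 192.168.1.1
note.myexample.com. 300 IN TXT "This is an myexample of a note"
myexample.com. 7200 IN SOA ns16.example1.com. soacontact.example1.com. 2011409732 2400 360 1209600 300
;; Query time: 383 msec
"""
REFUSED_AXFR = ";; global options: +cmd\n; Transfer failed.\n"

# name  ttl  class  type  rdata  (dig separates fields with tabs or spaces)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def parse_axfr(text):
    """Return ('refused', []) if dig reported a failed transfer, otherwise
    ('open', records) with records as (name, ttl, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";"):          # dig comment / status line
            if "Transfer failed" in line:
                return "refused", []
            continue
        m = RR_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name, int(ttl), rtype, rdata))
    return ("open" if records else "refused"), records

def summarize(records):
    """Group hostnames by IPv4 address and collect TXT records, the two
    points of interest called out for a leaked zone."""
    hosts_by_ip = defaultdict(list)
    txt_records = []
    for name, _ttl, rtype, rdata in records:
        if rtype == "A":
            hosts_by_ip[rdata].append(name)
        elif rtype == "TXT":
            txt_records.append((name, rdata.strip('"')))
    return dict(hosts_by_ip), txt_records
```

Running parse_axfr over the output of each nameserver listed in the domain's NS records gives a quick audit of which servers still answer AXFR requests.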

Reverse DNS lookup using Dig
At times it will be necessary to resolve IP addresses to domain names. There is no need to swap back to nslookup to perform this task as you can simply type:
# dig +nocmd +noall +answer -x 192.168.0.1
Your output would look something like this:
10.0.0.1.in-addr.arpa. 8433 IN PTR 43-10.any.example.org.

The previous command allowed us to determine the domain name associated with 192.168.0.1.

Multiple commands
We can issue several queries in a single dig command. In the following example, we use our shortened output format to obtain the A records of example.com and example.net, and then request a reverse lookup on 192.0.43.10.
# dig +nocmd +noall +answer example.com example.net -x 192.168.1.10
The resulting output is as follows (domain name has been replaced with myexample.org in this output):
myexample.com. 37183 IN A 192.168.1.10
myexample.net. 54372 IN A 192.168.10.11
10.0.0.1.in-addr.arpa. 6937 IN PTR 43-10.any.example.org.