Network Discovery with DNS AXFS

DNS all Zone Transfer

One of the first steps any attacker takes before executing a strike on a targeted entity is discovery. The basic concept is to know what to attack and how to compromise it. There are many different ways to get this information, we will discuss DNS All Zone Transfer as one method of discovery. If a DNS All Zone Transfer is executed correctly the output will provide target information such as MX or Mail servers.

Two tools will illustrate how to enumerate network devices and force a zone transfer:

  1. Nslookup – returns server name, IP addresses, and CNAMES (true server name) for the identified machines within a
  2. DIG – returns DNS queries as well as DNS related tasks


Nslookup is available on the Command Line Interface of most operating systems including Windows and Linux.

Basic nslookup command example: nslookup <>


When a DNS query is sent there are two response sources Non-authoritative and Authoritative

  • Non-authoritative servers do not contain copies of any domains. They have a cache file that is constructed from all the DNS lookups it has performed in the past for which it has gotten an authoritative response.
  • Authoritative servers received record from the original source such as an administrator

Another way to use nslookup is in interactive mode: Interactive mode is obtained by sending the command nslookup by itself without switches or options. Interactive mode allows the user to combine various options, more specifically, commands to perform a zone transfer.

Zone Transfer

DNS zone transfers are typically used to update a DNS record on a non-authoritative DNS server from an authoritative DNS server. When a zone transfer takes place a series of information is requested:

  • Request SOA from primary server
  • The primary checks to see if the request is from an authorized server
  • When the SOA serial number indicates a newer version is available the secondary server will request a zone transfer for the latest names server resolutions

DNS Record types that are common in a zone transfer response:

  • A – Address record
  • AAAA – IPv6 address record
  • MX – Mail exchange record
  • NS – Name server record
  • SOA – Start of [a zone of] authority record

How to force a zone transfer with nslookup:

Attackers can also use zone transfer to gain insightful information about a network.

  • nslookup
  • server <ip address> (DNS authoritative server)
  • set type = any (query for any record)
  • ls –d <> (requests the zone transfer)

If an error message is received then a transfer may not be possible from the target authoritative server.


Dig can be used when nslookup is not successful either from the web tools or from CLI locally

Dig web tools:

To run DIG in CLI version locally

Common switches for DIG:

  • +nocomments – Turn off the comment lines
  • +noauthority – Turn off the authority section
  • +noadditional – Turn off the additional section
  • +nostats – Turn off the stats section
  • +noanswer – Turn off the answer section (Of course, you wouldn’t want to turn off the answer section)

Force a zone transfer with Dig from CLI

how can we help you?

Contact Romack today to learn how we can help take your business to the next level.