[ale] OT: DNS query (dig) question

Michael H. Warfield mhw at wittsend.com
Wed May 12 11:13:24 EDT 2004


On Tue, May 11, 2004 at 01:24:38PM -0400, Joe Steele wrote:
> On Tuesday, May 11, 2004 11:42 AM, Fulton Green wrote:
> >
> > Back in the "nslookup" days, I could do a query on all the registered
> > hostnames for a given domain, something akin to:
> >
> >    nslookup> ls -d somedomain.com > somedomainhosts.txt
> >
> > Now that nslookup is deprecated, I was wondering if there was a similar
> > way to perform this type of query, or if this type of query has since
> > been deemed a security risk.
> >
> 
> nslookup performs this action using a zone transfer.  The same action 
> can be performed with dig:

>     dig @authoritative-server somedomain.com axfr > somedomainhosts.txt

	Or "host -l somedomain.com authoritative-server"

	Or -a instead of -l.  Or "-t AXFR"...

	That also does an AXFR and also breaks if the authoritative
server has been set up properly (refusing arbitrary AXFRs).

> Many domain name servers will block zone transfers (a form of 
> security through obscurity), so the operation will not always succeed 
> (regardless of whether you use nslookup or dig).

	It's not security through obscurity.

	1) You're not obscuring anything.  Someone knows the name, they
can get the address.  QED.

	2) You ARE breaking the back of automated scanning tools that
transfer whole zones and then scan the resulting addresses.

	Side Note...  IPv6 cannot be brute forced address scanned.  But
if your zone can be transferred, the scanners that are DNS based work.  If
you prevent zone transfers, you've eliminated that threat as well.

	Blocking zone transfers eliminates very specific threats and vectors
that depend on it.

> --Joe
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
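The thread's point is that a properly configured authoritative server refuses arbitrary AXFR requests. The script below is an added example (not code from the thread or from any of its participants) that turns the `dig @server zone axfr` invocation discussed above into a self-check for a zone you administer: it asks each listed nameserver for a transfer and reports which ones refuse. `example.com` and the `ns*.example.com` names are placeholders, and the two sample `dig` outputs are constructed so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example; not code from the thread. Verifies that the authoritative
# servers for a zone you run refuse arbitrary AXFR requests. Zone and
# server names are placeholders; the samples at the bottom are constructed.

# classify_axfr: read "dig @server zone axfr" output on stdin and print
#   refused  -- dig reported "; Transfer failed." (the desired state)
#   allowed  -- the server actually returned the zone (records incl. SOA)
#   unknown  -- no usable answer (timeout, unreachable server, bad name)
classify_axfr() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^; Transfer failed'; then
        echo refused
    elif printf '%s\n' "$out" | grep -Eq '[[:space:]]IN[[:space:]]+SOA[[:space:]]'; then
        echo allowed
    else
        echo unknown
    fi
}

# audit_zone ZONE: request a transfer from every NS published for ZONE and
# print one "server status" line per server. Needs dig and network access.
audit_zone() {
    zone=$1
    for ns in $(dig +short NS "$zone"); do
        status=$(dig "@$ns" "$zone" axfr +time=5 +tries=1 2>/dev/null | classify_axfr)
        echo "$ns $status"
    done
}

# Constructed sample outputs (what dig prints in each case).
SAMPLE_REFUSED='; <<>> DiG 9.9.5 <<>> @ns1.example.com example.com axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.'

SAMPLE_ALLOWED='; <<>> DiG 9.9.5 <<>> @ns2.example.com example.com axfr
; (1 server found)
;; global options: +cmd
example.com.        3600    IN  SOA ns1.example.com. hostmaster.example.com. 2004051200 7200 3600 1209600 3600
example.com.        3600    IN  NS  ns1.example.com.
www.example.com.    3600    IN  A   192.0.2.10
example.com.        3600    IN  SOA ns1.example.com. hostmaster.example.com. 2004051200 7200 3600 1209600 3600
;; Query time: 3 msec'

# Usage: ./axfr-check.sh --self-test      (offline, uses the samples)
#        ./axfr-check.sh example.com      (live check of your own zone)
if [ "$1" = "--self-test" ]; then
    printf 'refused sample -> %s\n' "$(printf '%s\n' "$SAMPLE_REFUSED" | classify_axfr)"
    printf 'allowed sample -> %s\n' "$(printf '%s\n' "$SAMPLE_ALLOWED" | classify_axfr)"
elif [ -n "$1" ]; then
    audit_zone "$1"
fi
```

A server that reports `allowed` is handing out the full host list to anyone who asks, which is exactly what the automated scanners Mike describes rely on; the fix is to restrict transfers on that server to its own secondaries.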