This document describes zone transfers. A zone transfer is the process of
obtaining the zone file from a domain's name server (DNS). A zone file is a
file that contains a mapping of all hosts to IP addresses. Each host in the
DNS server's domain will be listed in this file with both its host name and
IP address. Some zone files also contain a description of the hardware
and/or OS on which the host is running.
The Process (Unix)
Find your target domain. For example gte.net:
% nslookup
> set q=ns
> gte.net
Server: sapphire.linux.lan
Address: 127.0.0.1
gte.net preference = 10, mail exchanger = mtapop1pub.gte.net
gte.net nameserver = bigguy.gte.net
gte.net nameserver = otherguy.gte.net
> server bigguy.gte.net
> set q=any
> ls -d gte.net. > /home/%USER%/target.zone
> exit
In the above example, we picked a domain: gte.net. We then started the
nslookup utility and set q=ns (query type = name server). We then queried
the domain for its name servers. Once we found the name servers, which in
the above example are bigguy.gte.net and otherguy.gte.net, we changed
servers to bigguy.gte.net. We then set q=any (query type = any / all). Next
we did the zone transfer and redirected the output to a file named
target.zone. To see the output on screen instead of saving it to a file,
omit the redirect symbol:
> ls -d gte.net.
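The ls -d step above is a DNS AXFR query sent over TCP. As an added example (not part of the original document), the Python below builds that query and classifies the first reply, so an administrator can confirm that a name server they operate refuses transfers to unauthorized clients. The function names, the example.com zone and the sample replies are constructed for illustration.

```python
import socket
import struct

AXFR, CLASS_IN = 252, 1  # QTYPE AXFR = full zone transfer (RFC 5936)
RCODES = {0: "NOERROR", 2: "SERVFAIL", 5: "REFUSED", 9: "NOTAUTH"}

def build_axfr_query(zone, txid=0x1234):
    """Return the TCP-framed DNS message that requests a transfer of `zone`."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # standard query, 1 question
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", AXFR, CLASS_IN)
    return struct.pack("!H", len(msg)) + msg  # DNS over TCP: 2-byte length prefix

def classify_reply(msg):
    """Return (exposed, rcode_name) for the first reply, length prefix removed."""
    if len(msg) < 12:
        return (False, "MALFORMED")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    # A served transfer starts with NOERROR and at least one answer (the SOA).
    return (rcode == 0 and ancount > 0, RCODES.get(rcode, "RCODE%d" % rcode))

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("closed before a full reply arrived")
        buf += chunk
    return buf

def check_own_server(server, zone, timeout=5.0):
    """Ask `server` (one you operate) for `zone`; many servers refuse by closing."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(build_axfr_query(zone))
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            return classify_reply(_recv_exact(s, length))
    except OSError as exc:  # includes timeouts and ConnectionError
        return (False, "NO REPLY: %s" % exc)

# Constructed replies (headers only) so the classifier can be exercised offline.
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)
SAMPLE_SERVED = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)

if __name__ == "__main__":
    print(classify_reply(SAMPLE_REFUSED))  # (False, 'REFUSED')
    print(classify_reply(SAMPLE_SERVED))   # (True, 'NOERROR')
```

A result of (True, 'NOERROR') when the check is run from an address that is not one of your secondary name servers means the server's transfer access list needs tightening.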
Some useful nslookup commands:
Commands: (identifiers are shown in uppercase, [] means optional)
set OPTION                - set an option
    querytype=X           - set query type, e.g., A,ANY,CNAME,HINFO,MX,PX,NS,PTR,SOA,TXT,W
server NAME               - set default server to NAME, using current default server
root                      - set current default server to the root
ls [opt] DOMAIN [> FILE]  - list addresses in DOMAIN (optional: output to FILE)
    -a                    - list canonical names and aliases
    -h                    - list HINFO (CPU type and operating system)
    -s                    - list well-known services
    -d                    - list all records
    -t TYPE               - list records of the given type (e.g., A,CNAME,MX, etc.)
exit                      - exit the program, ^D also exits
The Process (Windows)
1. Download a third-party utility such as SamSpade from samspade.org.
2. Read the instructions.
Update: Windows NT has nslookup!