Is there a way to get the complete zone file for a domain without contacting its host?
Is there a way to get the complete zone file for a domain without contacting its host?
"I know that it's probably (no longer) possible because of abuse, but I want to check nonetheless. Is there a way for me to obtain the company zone file for a domain myself, without having to contact the people who host the DNS for that domain?"
You are right though, no sanely configured DNS server should still allow this nowadays. Not just because as a zone admin you don't want to expose your internals but also because AXFR responses are way bigger than the queries, so they prove to be an excellent way for DoS reflection attacks as a <100 bytes spoofable UDP package can make a server send multiple KB of response to any machine on the internet.
If you still want to try:
In the nslookup utility, you can use ls [name of domain] to get the zone information.
And if you prefer dig, then you can use
dig @dns.example.com example.com -t AXFR
Though as I said, it probably won't work for you."
"Since your usual DNS queries are non-wildcard, your only options are:
ask politely for the whole list (aka zone transfer or call the admins - i.e. that what you wanted to avoid) settle for an incomplete list
Hacking the server and just getting the config file usually is not an option, neither is eavesdropping on the zone transfers to the secondary/backup servers. Apart from those, there is no instance knowing all possible subdomains.
Options for getting incomplete lists:
send random queries (aka bruteforce, though you won't get very far - but perhaps some dictionary-style guessing might help you nonetheless) ask google, using the ""site:example.com"" filter use your own crawler to follow links, hoping that all subdomains you might be interested in are linked somehow. You'll probably miss smtp.example.com, though.
Also keep in mind some zone files do have wildcards themselves, so *.example.com might give you the address(es) of a web dispatcher configured to handle web1.example.com, sales.example.com, etc. differently. This works with all protocols which use the hostname not only in the IP-level but also in the application data stream. (e.g. name based virtual hosting for http)"
"The Internet Corporation for Assigned Names and Numbers (ICANN) created a handy service called the Centralized Zone Data Service (CZDS) which supports retrieval of complete zonefiles for selected domains.
The Centralized Zone Data Service (CZDS) is an online portal where any interested party can request access to the Zone Files provided by participating generic Top-Level Domains (gTLDs). Zone file access provides anticrime organizations, businesses, cybersecurity professionals, law enforcement, and researchers with a means to download the entire zone file ""in bulk."" These organizations apply the bulk zone data to combat phishing, spam, brand and trademark infringements, and other malicious uses of domains."
Although it seems obvious, I find the hardest part about moving a domain is usually something related to the email setup. To this end, maybe it would help to know about the ANY, TXT, MX and SOA options in dig, as I didn't see this mentioned as yet by anyone. While I wouldn't recommend anything other than getting the zone-file straight from the horses mouth, if you are in desperado mode and feel the need for speed you might wanna try mx, soa, txt, and any options, but you will miss all sub-domains in my case it is not obvious to discover the sub-domain lists.triptonites.com which requires mail service.
Notice how the following all give slightly different info that is not obvious
dig any triptonites.com # mite not work dig mx triptonites.com # for email to work dig soa triptonites.com # for email abuse / admin dig txt triptonites.com # for SPF authentication / anti-spam dig any lists.triptonites.com # shows RFC8482 warning sometimes / always dig mx lists.triptonites.com # etc as above it shows you'd likely miss records trying to hack this info out dig soa lists.triptonites.com dig txt lists.triptonites.com
These all give useful info that could get missed from a casual hack using nslookup and dig etc.
Also, I did it too many times and the server gave an abuse response:
lists.triptonites.com. 3789 IN HINFO ""RFC8482"" """"
This is another sign this approach is a bit wrong/risky, it's not the correct reply, it's a message about minimal replies and that I should try these using mx, txt and soa instead of any."