DNS zone transfers?

I was doing a practice test this morning for the 291 and came across a DNS question. The question doesn't really matter I don't think, but the testing program said the answer was to configure a DNS server to allow zone transfers to a particular Windows XP client computer. I was under the impression that zone transfers only happened between DNS servers. So I'm wondering if it is actually possible to have a zone transfer to an XP client computer and if so, why exactly would this be beneficial since the explanation didn't really clear things up. Thanks!

Find more posts tagged with

Comments

Mishra

This is actually a fun and good thing to lab. Since I learned about it I already have been using zone transfer information at work. When I am looking for a computer name that I don't know I can perform a zone transfer and find the computer name in that list.

Install a DNS server and go to the zone transfer tab.
Add your workstation to the list of IPs allowed to request a zone transfer.
Go to your workstation and go into a command prompt. Type in nslookup then type ls -d yourzonethatyoumade.com

It will perform a zone transfer to your computer and you are able to see all records transfered as if you were receiving a real update.

dynamik

Zone transfers are a potential security risk because they can provide quite a bit of information about your network. That is why you have to configure trusted machines manually.

undomiel

I believe in Windows 2000 Server it defaults to being a happy zone transferring daemon but 2003 defaults to being restricted. Just something you might want to keep in mind for securing any 2000 servers you may have to work with in the future.

dynamik

undomiel wrote:

I believe in Windows 2000 Server it defaults to being a happy zone transferring daemon but 2003 defaults to being restricted. Just something you might want to keep in mind for securing any 2000 servers you may have to work with in the future.

Correct.

seuss_ssues

JayrodEF wrote:

I was doing a practice test this morning for the 291 and came across a DNS question. The question doesn't really matter I don't think, but the testing program said the answer was to configure a DNS server to allow zone transfers to a particular Windows XP client computer. I was under the impression that zone transfers only happened between DNS servers. So I'm wondering if it is actually possible to have a zone transfer to an XP client computer and if so, why exactly would this be beneficial since the explanation didn't really clear things up. Thanks!

I do not know any reason why anyone would be doing a zone transfer to a client other then possibly testing something.

Transfers should only be done to authorized servers that you manually input.

JayrodEF

Thanks for the replies. Yeah, I thought you should only be doing transfers to trusted servers that's why I was floored when that was the supposed correct answer. Sounds like it is possible though, but I still can't see why you would do that in any real world situation.

royal

Only real world situation I can possibly fathom is to allow zone transfer to a secured management workstation, and have that client be able to do a :
nslookup
set type=any
ls -d FQDN > zonedata.txt

This will **** all data for the zone.

Mishra

JayrodEF wrote:

Thanks for the replies. Yeah, I thought you should only be doing transfers to trusted servers that's why I was floored when that was the supposed correct answer. Sounds like it is possible though, but I still can't see why you would do that in any real world situation.

I said why I use it!

"When I am looking for a computer name that I don't know I can perform a zone transfer and find the computer name in that list."

dynamik

How do you know what you're looking for? Do you have the IP? If so, wouldn't it be easier to setup a reverse lookup zone?

Mishra

dynamik wrote:

How do you know what you're looking for? Do you have the IP? If so, wouldn't it be easier to setup a reverse lookup zone?

Lets say the computer name of your server is ASDF12WQWEQZCZCA well then you don't remember that if you don't have it written down somewhere... Perform a good ole zone transfer and I can copy/paste.

Just more work around techniques that you learn as you gain experience in being a sysadmin.

sprkymrk

Mishra wrote:

dynamik wrote:

How do you know what you're looking for? Do you have the IP? If so, wouldn't it be easier to setup a reverse lookup zone?

Lets say the computer name of your server is ASDF12WQWEQZCZCA well then you don't remember that if you don't have it written down somewhere... Perform a good ole zone transfer and I can copy/paste.

Just more work around techniques that you learn as you gain experience in being a sysadmin.

That's a lot more work to me than just pinging it and copy/paste. Or once you do a zone xf then make a spreadsheet. I know the IP addresses of about 40 servers (at least). I suppose if you had a lot more it would be all right.

ping -a 192.168.3.32
Pinging server01 [192.168.3.32] with 32 bytes of data:

Reply from 192.168.3.32: bytes=32 time<1ms TTL=128
Reply from 192.168.3.32: bytes=32 time<1ms TTL=128
Reply from 192.168.3.32: bytes=32 time<1ms TTL=128
Reply from 192.168.3.32: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.3.32:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms