zone transfer?
zenlakin wrote:
Hey guys. I am curious if someone could explain zone transfers to me, and what the purpose of being able to do one is? Also curious why this is a security risk if someone is able to do this from their workstation, say while at work?
Comments
dynamik wrote, in reply to zenlakin:
You'd want to transfer zones to other DNS servers for redundancy or to migrate the zone to that server.
It's a security risk because whoever gains access to zone transfer data will gain knowledge about all the devices listed in that zone. You may have some critical servers (SQL, accounting data, etc.) or devices that you do not want everyone to be aware of, but you may still need to include them in DNS.
zenlakin wrote:
Ok, so for security reasons you would probably only want access to be available to those who specifically take care of DNS, so that not just anyone could perform a zone transfer from any given workstation and see that data and the devices that are in DNS? Also, to follow up on that, how would one perform a DNS transfer to see if it can be done from their workstation? And what would I be looking for?
gojericho0 wrote:
Zone transfer is basically the replication of DNS zone information. There are a couple of reasons to do this, including redundancy, scalability, and performance. The reason why you do not want someone running a DNS server on their PC at work is because your whole DNS structure could be poisoned if someone added/modified/deleted incorrect zone and record information. The changes to this rogue DNS server would propagate (zone transfer) to other available DNS servers if no security is implemented.
royal wrote:
zenlakin wrote: how would one perform a DNS transfer to see if it can be done from their workstation? And what would I be looking for?
nslookup, and then use the ls command to dump the zone.
zenlakin wrote:
Ok, so that is how I get the zone info, right? Then what would I be looking for to perform an actual zone transfer?
royal wrote:
That does an actual zone transfer.
So:
nslookup
set type=all
ls domain > C:\domainzonedump.txt
Tyrant1919 wrote:
I tried this and got an error:
nslookup
set type=brownies
unknown query type: brownies
What the heck, I'm cravin' a brownie and get nothin'?
But to add something, you shouldn't be able to use that command to get anything from a DNS server of yours. I just checked all of ours, just for some gee-whiz info.
dynamik wrote:
Tyrant1919 wrote: But to add something, you shouldn't be able to use that command to get anything from a DNS server of yours.
I agree, you shouldn't be able to do that.
However, zone transfers are allowed in Win2k by default. They changed that behavior in Win2k3. I'm not sure about the default behavior for the various versions of BIND, though.
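A script for auditing your own authoritative servers for what Tyrant1919 checked above: does the server answer an AXFR request from a client that is not one of its configured secondaries? This is an added example, not code from the thread; the server and zone names are placeholders, it uses only the Python standard library, and it inspects only the first reply header rather than saving any records.

```python
import socket
import struct

AXFR, IN = 252, 1   # QTYPE for a full zone transfer, QCLASS Internet
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def build_axfr_query(zone, txid=0x1234):
    """Wire-format DNS query (no TCP length prefix): header, QNAME, QTYPE=AXFR, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # flags 0 = plain query
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", AXFR, IN)

def classify_response(msg):
    """Classify the first DNS message of the reply: 'OPEN' if the server began sending
    records (transfer allowed for this client); a restricted server answers REFUSED/NOTAUTH."""
    if len(msg) < 12:
        return "MALFORMED"
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode == 0 and ancount > 0:
        return "OPEN"
    return RCODES.get(rcode, "RCODE%d" % rcode)

def check_axfr(server, zone, timeout=5.0):
    """Send one AXFR request over TCP (zone transfers are TCP-only) and read the first reply."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)   # RFC 1035 two-byte length prefix
        hdr = s.recv(2)
        if len(hdr) < 2:
            return "NO-REPLY"
        (length,) = struct.unpack("!H", hdr)
        msg = b""
        while len(msg) < length:
            chunk = s.recv(length - len(msg))
            if not chunk:
                break
            msg += chunk
    return classify_response(msg)

if __name__ == "__main__":
    # Placeholders (assumed): replace with your own authoritative servers and zone.
    for ns in ("ns1.example.internal", "ns2.example.internal"):
        try:
            print(ns, check_axfr(ns, "example.internal"))
        except OSError as exc:
            print(ns, "ERROR", exc)
```

Run it from an ordinary workstation: any server that reports OPEN hands its zone to anyone who can reach port 53, which is the default dynamik describes for Win2k.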
astorrs wrote:
Tyrant1919 wrote: I tried this and got an error:
nslookup
set type=brownies
unknown query type: brownies
What the heck, I'm cravin' a brownie and get nothin'?
For example:
LCO = Lemon COffeecake
MF = Meringue de Framboise
PTR = Pavlova with Tangerines and Raspberries
RT = Red cherry Torte
SIG = Strawberry Ice cream Gateau
snadam wrote:
astorrs wrote: For example:
LCO = Lemon COffeecake
MF = Meringue de Framboise
PTR = Pavlova with Tangerines and Raspberries
RT = Red cherry Torte
SIG = Strawberry Ice cream Gateau
you forgot about one very important query type:
CCC = Chocolate Chip Cookies
:P
astorrs wrote:
I screwed up on the location (LOC) one, should have been LemOn Coffeecake.
CCC isn't valid, DNS can't help you find that dessert, sorry.
Sie wrote:
Just create a CNAME record for COOKIE to 209.62.5.3; there's usually someone there that has a few.
astorrs wrote:
Sie, I bow to your wisdom - you have resolved the cookie lookup problem.
I looked and there are no cookies anywhere in my house. Hero, can you PM one to me?
dynamik wrote:
I love being associated with you guys. It makes me seem cool for a change.