Methodology Checklist
- Find all authoritative NS servers: `dig NS [DOMAIN]`
- Attempt AXFR against each NS: `dig axfr [DOMAIN] @[NS_IP]`
- Attempt AXFR via nslookup: `nslookup -type=any -query=AXFR [DOMAIN] [NS_IP]`
- Attempt with host: `host -l [DOMAIN] [NS_IP]`
- Parse zone file output for internal hostnames and IPs
- Identify jump hosts, management interfaces, dev/staging systems
- If transfer denied: fall back to brute-force enumeration
Operational Context
Think Dumber First: Try AXFR against every NS server in the `dig NS` output; secondaries often have weaker ACLs than the primary. A single successful zone transfer replaces hours of subdomain brute-forcing and reveals internal IP allocations, dev/staging hostnames, and sometimes internal service DNS entries.
When you land here: NS servers enumerated from dig NS [DOMAIN]. Attempt AXFR against each IP individually. host -l [DOMAIN] [NS_IP] is an alternative if dig fails. Document all subdomains and IPs from the zone dump for further targeting.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `dig ns [DOMAIN] @[TARGET_IP]` | Step 1: Identify the nameserver |
| `dig axfr [DOMAIN] @[TARGET_IP]` | Step 2: Execute zone transfer |
| `dig axfr [DOMAIN] @[TARGET_IP] \| grep -v ';' \| wc -l` | Count total DNS records |
| `dig axfr [DOMAIN] @[TARGET_IP] \| grep "ftp"` | Find FTP host in zone |
| `dig axfr [DOMAIN] @[TARGET_IP] \| grep "10.10.200" \| sort -V` | Find all hosts in subnet, sorted |
| `dig axfr [INTERNAL_DOMAIN] @[TARGET_IP]` | Zone transfer on internal/sub-zones |
Deep Dive & Workflow
What Is a Zone Transfer?
A DNS Zone Transfer (AXFR) is how secondary DNS servers download a complete copy of a zone from the primary. If misconfigured (allow-transfer = any), an attacker can request this copy and get a complete map of all subdomains, IPs, and internal hostnames.
Attack Workflow
- Identify the Nameserver → `dig ns [DOMAIN] @[TARGET_IP]`
- Execute transfer → `dig axfr [DOMAIN] @[TARGET_IP]`
- If internal zone discovered (e.g., internal.target.htb) → repeat AXFR against it
HTB Lab Context
In HTB environments, the nameserver is usually the Target IP directly.
Grep Patterns for Common Questions
```bash
# Count records
dig axfr [DOMAIN] @[TARGET_IP] | grep -v ';' | wc -l
# Find specific service
dig axfr [DOMAIN] @[TARGET_IP] | grep "ftp"
dig axfr [DOMAIN] @[TARGET_IP] | grep "mail"
# Find hosts in subnet, version-sorted
dig axfr [DOMAIN] @[TARGET_IP] | grep "10.10.200" | sort -V
```
Misconfiguration That Enables This
```
# named.conf (Bind9)
allow-transfer { any; }; # Exposes zone to anyone
```
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| AXFR refused on all nameservers | Transfer restricted by source IP ACL | Try from a different source IP; use `host -l [DOMAIN] [NS_IP]` as alternative; try gobuster/dnsx for brute-force fallback |
| `dig axfr` returns partial zone then errors | Large zone exceeds UDP limits mid-transfer | Force TCP: `dig axfr [DOMAIN] @[NS_IP] +tcp`; pipe to file immediately with `> zone.txt` |
| Zone transfer succeeds but many records duplicate | Multiple NS servers have overlapping zones | Deduplicate: `sort -u zone.txt`; compare records across servers for discrepancies |
| `host -l` returns "Host not found: 3(NXDOMAIN)" | Wrong domain name or NS IP | Verify NS IP with `dig NS [DOMAIN] +short`; confirm the NS is authoritative, not recursive |
| gobuster dns finds nothing despite zone transfer showing subdomains | Wordlist missing the specific subdomains | Parse zone dump directly: `grep 'IN.*A' zone.txt \| awk '{print $1}'` |
Reporting Trigger
Finding Title: DNS Zone Transfer Enabled (AXFR Misconfiguration)
Impact: Complete internal network topology disclosure; all internal hostnames, IPs, and service names exposed without authentication. Eliminates reconnaissance burden for attackers.
Root Cause: DNS server allow-transfer directive not configured; AXFR accepted from any source IP.
Recommendation: Restrict zone transfers to authorized IPs only (`allow-transfer { [SECONDARY_IP]; };` in BIND). Implement TSIG key authentication for zone replication. Audit all NS servers; secondary servers frequently have weaker controls than the primary.