Sometimes a situation pops up where I need to retrieve the contents of a DNS zone but do not have access to the DNS servers. This is typically a situation where a client’s IT person is no longer available and before moving the name servers, we need to recreate the DNS zone on our name servers. If the current host of the DNS zone cannot release the records, we have a few options.
1. Try a zone transfer. I previously wrote about this. It is highly unlikely to work, but if the DNS server is poorly configured it is a possibility, and when it does work it gives the most accurate copy of the zone.
dig -t AXFR @dns.server.domains.is.on.com domain.name.to.dump.com
2. Brute force the zone. It sounds bad, but the reality is that most sysadmins don't log or throttle DNS requests, so with a decent dictionary of words it is possible to enumerate a large majority of the DNS zone. I have mirrored the zip file containing bfdomain and the dictionaries here. (original source)
python bfdomain.py domain-to-test.com dictionaries/hostnames-big.txt
[*]-Using dictionairy: dictionaries/hostnames-lite.txt (Loaded 1399 words)
|-mail (line: 690) ==> ('mail.domain-to-test.com', , ['18.104.22.168'])
|-webmail (line: 1294) ==> ('webmail.domain-to-test.com', , ['22.214.171.124'])
|-welcome (line: 1311) ==> ('welcome.domain-to-test.com', , ['126.96.36.199'])
|-www (line: 1362) ==> ('domain-to-test.com', ['www.domain-to-test.com'], ['188.8.131.52'])
[*]-Total assets found: 4
UPDATE: One other thing I noticed later on is that this seems to capture only A records, so records such as MX would not be tried. The Python script could easily be modified to add that. The nmap version of this may already do it.
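Since the point above is that most admins neither log nor throttle these queries, here is what logging buys you on the other side: an added example (not from the original post or the bfdomain tool) that flags a client walking a wordlist against a zone. It runs over constructed resolver log lines in an assumed "client qname qtype rcode" format; the addresses and names are made up.

```python
from collections import defaultdict

# Constructed sample log (assumed format: "client qname qtype rcode" per line):
# 203.0.113.5 walks a wordlist against domain-to-test.com; 198.51.100.7 is a normal client.
SAMPLE_LOG = """\
203.0.113.5 mail.domain-to-test.com A NOERROR
203.0.113.5 aardvark.domain-to-test.com A NXDOMAIN
203.0.113.5 abacus.domain-to-test.com A NXDOMAIN
203.0.113.5 abbey.domain-to-test.com A NXDOMAIN
203.0.113.5 webmail.domain-to-test.com A NOERROR
203.0.113.5 abbot.domain-to-test.com A NXDOMAIN
203.0.113.5 abel.domain-to-test.com A NXDOMAIN
203.0.113.5 www.domain-to-test.com A NOERROR
198.51.100.7 www.domain-to-test.com A NOERROR
198.51.100.7 typo.domain-to-test.com A NXDOMAIN
"""

def enumeration_suspects(log_text, zones, min_names=6, min_nx_ratio=0.5):
    """Flag (client, zone) pairs that asked for many distinct names under one
    zone and mostly got NXDOMAIN back: the footprint of a dictionary walk."""
    names = defaultdict(set)   # (client, zone) -> distinct qnames seen
    nx = defaultdict(int)      # (client, zone) -> NXDOMAIN answers
    total = defaultdict(int)   # (client, zone) -> all answers
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                               # skip malformed lines
        client, qname, _qtype, rcode = parts
        qname = qname.lower().rstrip(".")
        zone = next((z for z in zones if qname == z or qname.endswith("." + z)), None)
        if zone is None:
            continue                               # not a zone we watch
        key = (client, zone)
        names[key].add(qname)
        total[key] += 1
        if rcode == "NXDOMAIN":
            nx[key] += 1
    suspects = {}
    for key, seen in names.items():
        ratio = nx[key] / total[key]
        if len(seen) >= min_names and ratio >= min_nx_ratio:
            suspects[key] = (len(seen), ratio)
    return suspects

if __name__ == "__main__":
    hits = enumeration_suspects(SAMPLE_LOG, ["domain-to-test.com"])
    for (client, zone), (n, ratio) in hits.items():
        print(f"{client}: {n} distinct names under {zone}, NXDOMAIN ratio {ratio:.2f}")
```

The thresholds are deliberately loose for the short sample; on a real resolver you would tune min_names upward and evaluate per time window rather than over the whole file.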
More dictionaries and wordlists: