Hello List,

Right now I am busy with another little project: it is a small search engine.

In order to discover more possible hosts to scan I am doing zone transfers from the name servers that still support the feature...
The syntax is like this: dig -t AXFR zone @nameserver

I have noticed the following:
1. Unsurprisingly, most NS no longer support AXFR, at least they do not serve zone transfers to outsiders - that is certainly expected in 2013.
2. For a given zone, it's not unusual to experience differences in behavior between the different NS. For example NS1.zone.tld may honor the AXFR request while NS2,3,4,5... will deny the request. Not surprising either, after all it should not be assumed that all the NS have the same configuration or even the same software/versions. I am also assuming that a NS that still allows AXFR is more an oversight or the result of an old config than a deliberate choice ;-)
3. I know that the behavior can be dictated by ACLs - sometimes the AXFR will be possible when the request was made from a certain IP range.
4. Now something more puzzling, I have noticed at least one NS that exhibits some sort of random behavior: it typically denies AXFR at the first attempt but after repeating the request five or seven times (more or less) it finally releases the zone data as requested... some days it is not in a good mood: after 20 tries it still says "No!" o:) So that depends. I am really wondering what makes a NS behave like that?

Cheers,
Marjorie
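
Added example, not part of the original post: a zone operator can audit their own nameservers for the per-server and per-attempt differences described in points 2 and 4 by classifying repeated `dig -t AXFR` transcripts. The transcripts, the zone `example.com`, the server labels and all function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed dig transcripts for the reserved zone example.com (not real captures).
REFUSED = """\
; <<>> DiG <<>> -t AXFR example.com @ns.example.com
; Transfer failed.
"""
ALLOWED = """\
; <<>> DiG <<>> -t AXFR example.com @ns.example.com
example.com.     3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com.     3600 IN NS  ns1.example.com.
www.example.com. 3600 IN A   192.0.2.10
example.com.     3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
;; XFR size: 4 records (messages 1, bytes 200)
"""

def transfer_allowed(dig_output):
    """True if the transcript holds a complete AXFR: records framed by an SOA at both ends."""
    records = [line.split() for line in dig_output.splitlines()
               if line.strip() and not line.startswith(";")]
    if len(records) < 2:
        return False
    # Fields are: name, TTL, class, type, rdata...
    return all(len(r) > 3 and r[3] == "SOA" for r in (records[0], records[-1]))

def audit(attempts):
    """attempts: iterable of (nameserver, dig_output). Returns {nameserver: verdict}."""
    seen = defaultdict(list)
    for ns, output in attempts:
        seen[ns].append(transfer_allowed(output))
    verdicts = {}
    for ns, results in seen.items():
        if all(results):
            verdicts[ns] = "allowed"
        elif any(results):
            verdicts[ns] = "intermittent"  # refused on some attempts, served on others
        else:
            verdicts[ns] = "refused"
    return verdicts

def all_refuse(verdicts):
    """The zone is only closed to outsiders if every server refused on every attempt."""
    return set(verdicts.values()) == {"refused"}

# Constructed run: three attempts against each of three servers.
SAMPLE = ([("ns1", ALLOWED)] * 3 + [("ns2", REFUSED)] * 3
          + [("ns3", REFUSED), ("ns3", REFUSED), ("ns3", ALLOWED)])
```

A single refusal from one server says nothing about the others or about the next attempt, so the audit only passes when `all_refuse` is true across repeated runs from an address outside the transfer ACL.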