Find all records in DNS zone without zone transfer enabled

domain-name-system

No, there is no method for doing this. This is specifically why Zone transfer is to be disabled to untrusted DNS peers - To prevent discovery of the entire DNS topology.


Chris Thorpe and einstieen are right in 99.99 % of the cases. There is no way.

In very rare cases, there is another method: NSEC walking. If the zone is signed with DNSSEC (something that will be more and more common now that the root is signed), and if it is signed with NSEC, not NSEC3, and if there is no rate-limiting in place, you may walk the entire zone. See an explanation and implementation. (There is an alternative implementation using ldns).


I'm 99% certain there isn't a way. I've actually made an argument on here against AXFR for this very reason. The only thing I can think of is brute forcing it, but that may seem a little cumbersome and unnecessary depending on why you need to.

Related

What's better for performance: rack-to-endpoint or rack-to-switch-to-endpoint
How can I force Apache to not set cookies for subdomain?
Best way to 'harden' embedded ext4 file server against unexpected loss of power?
How to protect an OS X Server from an unauthorized physical connection?
How to dump multiple subversion repositories at once on various OSs
Distinction between Cloud Servers and VPS
OpenJDK vs. Sun Java6 on Ubuntu
Penetration testing - common examples?
Is it "OK" to use a low end NIC for a dedicated heart beat between two servers?
Published software not displayed in Add/Remove Programs
Puppet causes endless restarts of CUPS (how does one prevent this)
Any security tips for my first server? (complete beginner) [closed]