“Identify how many zones exist on the target nameserver”
can be rephrased to
“focus on how many subdomains (or DNS zones) allow a zone transfer to occur”
for clarity.
Basically, my strategy for approaching this specific question is to find the AXFR of the primary domain name that is given, and then do it recursively on the A records found from the AXFR search.
Summary
# take the owner names of the A records, dedupe them, and try AXFR against each one
awk '/IN\s+A/ {print $1}' <AXFR output from initial dig AXFR> | sort -u | while read -r subdomain; do
    dig axfr "$subdomain" @"$dns_server" 2>&1
done
I don't find this module easy at all, due to a lack of DNS knowledge and Linux command proficiency. I couldn't even understand the question about the number of zones, and the module didn't help clarify what exactly zones were. I put the module aside and went to do other ones related to DNS, especially the DNS Enumeration using Python. That one clarified a lot. Basically, zones are logical separations that allow those separations to be administered, well, separately. Each zone requires a SOA (and maybe one nameserver?). So to get the number of zones we need to do the zone transfer for inlanefreight.htb through the TARGET (DNS), then we need to go through each response and see if they have a SOA themselves.
dig axfr inlanefreight.htb @TARGET does the zone transfer for inlanefreight.htb using the DNS (TARGET)
grep inlanefreight catches only the lines that have a domain in them
awk '$1 ~ /^[[:alpha:]]/ {print $1}' only prints the first column of lines that start with an alphabetic character (bye bye semicolons)
xargs -I % nslookup -query=soa % TARGET does an nslookup with the results printed by awk
That'll print the result of the SOA query from nslookup. We see that for most of them there's none, except for two: inlanefreight.htb and internal.inlanefreight.htb.
I didn't have much understanding of DNS, and even though I kinda knew the Linux commands, I had never used them properly in the past, so that required a few hours of research. Good fun.
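Added example, not code from any post in this thread: a shell script that runs the recursive AXFR idea from the earlier post (transfer the given domain, then try AXFR on every name it reveals) together with the "count zones by SOA" check from the post above, entirely offline. The two AXFR outputs are constructed to look like dig's and use made-up hostnames, IPs and serials; axfr_of is a hypothetical stand-in for dig axfr "$zone" @TARGET so the parsing can be checked without a lab target.

```shell
#!/bin/sh
# Added example (not from any post in this thread): the recursive AXFR
# strategy and the "count zones by SOA" check, run offline against
# constructed dig output. Hostnames, IPs and serials below are made up.

# Constructed stand-in for the output of: dig axfr inlanefreight.htb @TARGET
# The delegated child zone appears here only as an NS record (no SOA, no A),
# and dig prints the zone's SOA twice (first and last record).
PARENT_AXFR='; <<>> DiG 9.18.1 <<>> axfr inlanefreight.htb @10.129.1.1
;; global options: +cmd
inlanefreight.htb.            604800  IN  SOA  ns.inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.            604800  IN  NS   ns.inlanefreight.htb.
inlanefreight.htb.            604800  IN  A    10.129.1.1
app.inlanefreight.htb.        604800  IN  A    10.129.18.15
internal.inlanefreight.htb.   604800  IN  NS   ns.inlanefreight.htb.
ns.inlanefreight.htb.         604800  IN  A    10.129.1.1
inlanefreight.htb.            604800  IN  SOA  ns.inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 0 msec
;; XFR size: 7 records (messages 1, bytes 242)'

# Constructed stand-in for: dig axfr internal.inlanefreight.htb @TARGET
INTERNAL_AXFR='; <<>> DiG 9.18.1 <<>> axfr internal.inlanefreight.htb @10.129.1.1
;; global options: +cmd
internal.inlanefreight.htb.      604800  IN  SOA  ns.inlanefreight.htb. root.inlanefreight.htb. 3 604800 86400 2419200 604800
internal.inlanefreight.htb.      604800  IN  NS   ns.inlanefreight.htb.
internal.inlanefreight.htb.      604800  IN  A    10.129.1.6
dc1.internal.inlanefreight.htb.  604800  IN  A    10.129.1.7
vpn.internal.inlanefreight.htb.  604800  IN  A    10.129.1.8
internal.inlanefreight.htb.      604800  IN  SOA  ns.inlanefreight.htb. root.inlanefreight.htb. 3 604800 86400 2419200 604800
;; Query time: 0 msec
;; XFR size: 6 records (messages 1, bytes 210)'

# Owner names of every resource record on stdin (comment lines start with ';'),
# trailing dot stripped, deduplicated. This is the list to re-query with AXFR.
axfr_names() {
    awk '$1 !~ /^;/ && $3 == "IN" { sub(/\.$/, "", $1); print $1 }' | LC_ALL=C sort -u
}

# Distinct zones in the AXFR output on stdin. Each zone starts with an SOA,
# but dig prints that SOA at the start and at the end of a transfer, so count
# unique SOA owner names rather than SOA lines (grep -c SOA would say 4, not 2).
count_zones() {
    awk '$1 !~ /^;/ && $4 == "SOA" { sub(/\.$/, "", $1); print $1 }' | LC_ALL=C sort -u | wc -l | tr -d ' '
}

# A records across all transferred zones on stdin.
count_a_records() {
    awk '$1 !~ /^;/ && $4 == "A"' | wc -l | tr -d ' '
}

# Hypothetical stand-in for: dig axfr "$1" @"$DNS_SERVER". Returns the canned
# output for the two transferable names and dig's refusal line for the rest.
axfr_of() {
    case "$1" in
        inlanefreight.htb)          printf '%s\n' "$PARENT_AXFR" ;;
        internal.inlanefreight.htb) printf '%s\n' "$INTERNAL_AXFR" ;;
        *)                          printf '; Transfer failed.\n' ;;
    esac
}

# One level of the recursion from the thread: transfer the given zone, then
# try AXFR against every name it revealed, concatenating all output.
collect_all_axfr() {
    all=$(axfr_of "$1")
    for name in $(printf '%s\n' "$all" | axfr_names); do
        [ "$name" = "$1" ] && continue
        all="$all
$(axfr_of "$name")"
    done
    printf '%s\n' "$all"
}

ALL=$(collect_all_axfr inlanefreight.htb)
printf 'names found: %s\n' "$(printf '%s\n' "$ALL" | axfr_names | tr '\n' ' ')"
printf 'zones: %s\n'       "$(printf '%s\n' "$ALL" | count_zones)"
printf 'A records: %s\n'   "$(printf '%s\n' "$ALL" | count_a_records)"
```

To run this against a real target, replace the body of axfr_of with dig axfr "$1" @"$DNS_SERVER" and keep the rest; the parsing functions only look at the record columns, so dig's comment lines and refusals ("; Transfer failed.") are ignored. The point the constructed data makes is that counting SOA lines overstates the zone count, because dig emits the SOA at both ends of every transfer; counting unique SOA owners gives two zones here, matching what the post above found.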
nslookup -query=AXFR inlanefreight.htb ns.inlanefreight.htb | grep Name | cut -d':' -f 2 | while read -r line; do nslookup -query=AXFR "$line" ns.inlanefreight.htb; done
Tries to do an authoritative zone transfer on all the subdomains obtained.
After this, you can get all the answers you need in the output. To count the A records, you need to add the two zones together. grep Name: | wc -l could be useful.
Reverse DNS lookup doesn't seem to work. You might need to find the FQDNs by yourself.
If you like, you don't need to change your hosts file as said in the posts above. Just using the name server's IP is fine.
Late reply, but I thought I would answer in case anyone else needed help. Yes, I believe the SOA record indicates the start of a new zone and is the authoritative source for that zone. Therefore, out of all of the domains/subdomains, there are only two with an SOA record.
Add the given IP address, which is running as a local DNS server, to /etc/hosts and run the axfr command: dig axfr inlanefreight.htb @{the_given_ip_address}