Information Gathering - Web Edition | Active Subdomain Enumeration

Hello, I’m having some trouble understanding the logic behind zone transfers, or at least, I don’t understand the logic behind the way we do it in the HTB boxes.

To my understanding, zone transfer is a way to secondary name servers keep their records updated from the primary name server and if it is misconfigured we can also access those records.

According to the way they describe it in the module and how describes it, and using their example:

  • 1st you query for the zone’s nameserver
    nslookup -type=NS

  • 2nd you query for axfr to the name server you obtained in the first step
    nslookup -type=any -query=AXFR

However when “attacking” these targets that doesn´t work and I end up using the following:

$ nslookup -type=any -querytype=AXFR inlanefreight.htb $IP

intstead of using the nameserver i got earlier, in the 1st step. And the same for the other zone I found.
I don’t understand why we keep using the same server ($IP) over and over again instead of the nameserver itself.

I really could use an explanation why it works different in these scenarios cause i left the Footprinting module with the same question and I still can understand it :).


What do you mean by:

Do you mean’s nameserver or inlanefreight.htb nameserver?

I mean inlanefreight.htb’s nameserver. Cause shouldn’t the axfr query be done to the nameserver of that zone?

Because the nameserver we get in the previews query was the following:

└─$ nslookup -type=NS inlanefreight.htb $IP        

inlanefreight.htb       nameserver = ns.inlanefreight.htb.

And if I understood it correctly my query should be directed to that server cause that one is the one who holds the dns records.

Oh! I think I see where you are hung up. You are wondering why you cannot just substitute ns.inlanefreight.htb for $IP?


btw i finished that section i just don’t really get the logic behind it.

No worries, it is important to learn. You are not alone, I have gotten this question a million times in a million different forms.

It has to do with how Linux handles DNS requests. When you try to query the nameserver by its name instead of its IP, Linux goes through the lookup process which(don’t quote me):

  1. Checks the /etc/hosts file for the name/IP combo.
  2. Checks the /etc/resolv.conf file for nameservers to query.
    3. In the /etc/resolv.conf file I believe it checks the first nameserver it finds. So if you were to edit it with the IP address of the target machine: nameserver in your case, it would work with just the name.

With the setup they have, is the first nameserver entry in resolv.conf. So when Linux queries that nameserver for the inlanefreight.htb DNS info it really doesn’t have anything to tell you.

1 Like

I was experimenting a bit with using the target machine as the nameserver in /etc/resolv.conf and i understood it!

Thx for your time and explanation :slight_smile:

1 Like