 
Q: Dns servers,preventing internet users from viewing all of my zones ( domains ) ( Answered,   2 Comments )
Question  
Subject: Dns servers,preventing internet users from viewing all of my zones ( domains )
Category: Computers > Internet
Asked by: pua4life-ga
List Price: $20.00
Posted: 19 Sep 2006 20:52 PDT
Expires: 19 Oct 2006 20:52 PDT
Question ID: 766828
I have a question about DNS servers. I was under the impression that it is
not possible to see a list of all the domains some DNS server is responsible
for. Basically I thought that DNS servers don't list all their zones to
anybody who requests it. Then I found a tool on domaintools.com called DNS
Server Spy and it seems to do just that. It lists all of my domains (
zone files ) which are on my DNS server. How is this possible? What
kind of query does DNS Server Spy send to the DNS server to get this info? As
it's not a normal DNS query, and it's not a zone transfer, because in all
these queries the domain name ( zone name ) is required. Also I am
wondering how to prevent this from happening.

Clarification of Question by pua4life-ga on 19 Sep 2006 20:58 PDT
Or is there some other method by which this tool ( DNS Server Spy ) works?
Maybe it doesn't query my DNS server directly? If not, how does it know
all of the domain names which my server is authoritative for?

Request for Question Clarification by keystroke-ga on 20 Sep 2006 15:53 PDT
Hello pua4life,

Have you tried running a network sniffer on the machine that is
performing the DNS query?
Also try running the domain tools software on a machine that is not
connected to the domain. This way it will ensure it is classed as a
rogue PC.

My initial reaction is that it is a zone transfer: you have not
secured your zone transfer IP addresses and have a default Windows 2000
setup, whereby zone transfers are not secure by default. Also, the
initial domain name can be received from the local host, so this could
be used to obtain your SOA.

Also try using NSLOOKUP

START -> Run

Type "CMD"

then type

NSLOOKUP

then type

"ls yourdomain.com"

If you get the following

"> ls mydomain.com
[localhost]
*** Can't list domain mydomain.com: Non-existent domain
The DNS server refused to transfer the zone mydomain.com to your computer. If this
is incorrect, check the zone transfer security settings for mydomain.com on the DNS
server at IP address 127.0.0.1."

then zone transfers are refused; if `ls` prints the zone's records instead, zone transfers are enabled.

You may also be able to play with the nslookup command to find out if
the software is just a nice interface for nslookup

http://support.microsoft.com/kb/200525/

Once you have tried the network sniffer and checked the Zone transfers
let me know what you find out, and if that works to solve your
problem.

--Keystroke-ga
Answer  
Subject: Re: Dns servers,preventing internet users from viewing all of my zones ( domains )
Answered By: keystroke-ga on 18 Oct 2006 06:47 PDT
 
Hello pua4life,

Try running a network sniffer on the machine that is
performing the DNS query.
Also try running the domain tools software on a machine that is not
connected to the domain. This way it will ensure it is classed as a
rogue PC.

My initial reaction is that it is a zone transfer: you have not
secured your zone transfer IP addresses and have a default Windows 2000
setup, whereby zone transfers are not secure by default. Also, the
initial domain name can be received from the local host, so this could
be used to obtain your SOA.

Also try using NSLOOKUP

START -> Run

Type "CMD"

then type

NSLOOKUP

then type

"ls yourdomain.com"

If you get the following

"> ls mydomain.com
[localhost]
*** Can't list domain mydomain.com: Non-existent domain
The DNS server refused to transfer the zone mydomain.com to your computer. If this
is incorrect, check the zone transfer security settings for mydomain.com on the DNS
server at IP address 127.0.0.1."

then zone transfers are refused; if `ls` prints the zone's records instead, zone transfers are enabled.

You may also be able to play with the nslookup command to find out if
the software is just a nice interface for nslookup

http://support.microsoft.com/kb/200525/

Once you have tried the network sniffer and checked the Zone transfers
let me know what you find out, and if that works to solve your
problem.

--Keystroke-ga
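The `ls` command in Windows nslookup that the answer relies on is a zone transfer request (an AXFR query, QTYPE 252, carried over TCP). The example below, added here and not code from the original page or from any tool it names, builds that query on the wire and classifies a server's first reply as REFUSED or as an open transfer (NOERROR with the zone's SOA as the first record). It also makes the questioner's point concrete: the query carries exactly one zone name in its question section, so a transfer, open or not, can only ever be checked zone by zone. The zone "example.com", the server address 192.0.2.53 and the two reply messages are assumptions constructed for offline use, not captured traffic.

```python
"""Probe a DNS server for an open zone transfer (AXFR) and classify the reply.
Added example; zone/server names and the two replies below are constructed."""
import socket
import struct
import sys

QTYPE_AXFR = 252
QTYPE_SOA = 6
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """One question, QTYPE AXFR, QCLASS IN. The zone name is mandatory: there is
    no DNS query that asks a server to list every zone it serves."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels) + ".", end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def classify_axfr_response(msg):
    """Return (rcode name, [(owner, rtype), ...]) for one DNS reply message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                               # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10 + rdlen                          # rdata not needed here
        records.append((owner, rtype))
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, str(rcode)), records


def transfer_allowed(msg):
    """A real transfer starts with NOERROR and the zone's SOA as first record."""
    rcode, records = classify_axfr_response(msg)
    return rcode == "NOERROR" and bool(records) and records[0][1] == QTYPE_SOA


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def check_zone_transfer(server, zone, timeout=5.0):
    """AXFR is TCP-only: 2-byte length prefix, then the message. Reading the
    first reply message is enough to tell REFUSED from an open transfer."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", _recv_exact(sock, 2))[0]
        return classify_axfr_response(_recv_exact(sock, length))


# Constructed replies for offline use (not captured from any real server).
def _constructed_reply(flags, answers):
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, 1)
    return header + question + b"".join(answers)

PTR_ZONE = b"\xc0\x0c"      # pointer to "example.com" at offset 12
SOA_RDATA = (b"\x03ns1" + PTR_ZONE + b"\x0ahostmaster" + PTR_ZONE
             + struct.pack("!IIIII", 2006091901, 3600, 900, 604800, 86400))
SOA_RR = PTR_ZONE + struct.pack("!HHIH", QTYPE_SOA, 1, 3600, len(SOA_RDATA)) + SOA_RDATA
A_RR = b"\x03www" + PTR_ZONE + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 10])
REFUSED_REPLY = _constructed_reply(0x8005, [])            # QR=1, RCODE=5 REFUSED
OPEN_REPLY = _constructed_reply(0x8400, [SOA_RR, A_RR])   # QR=1, AA=1, RCODE=0

if __name__ == "__main__":
    if len(sys.argv) == 3:        # e.g. python axfr_check.py 192.0.2.53 example.com
        print(check_zone_transfer(sys.argv[1], sys.argv[2]))
    else:                         # offline demo on the constructed replies
        for name, reply in ("refused", REFUSED_REPLY), ("open", OPEN_REPLY):
            print(name, classify_axfr_response(reply), transfer_allowed(reply))
```

Run it against each of your own zones from a host that is not one of your secondaries; an open result for any zone means that zone's full contents are readable by anyone, and the fix is to restrict transfers to your secondaries' addresses (the Zone Transfers tab of the zone's properties in Windows DNS, or `allow-transfer` in BIND). Note what the probe cannot do: it needs the zone name up front, so a tool that lists which zones a server hosts is not getting that list from the server this way.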
Comments  
Subject: Re: Dns servers,preventing internet users from viewing all of my zones ( domains )
From: penso-ga on 21 Sep 2006 02:48 PDT
 
Your DNS doesn't list all the zones it hosts. But these websites
scan many websites and have a very large database. Therefore they're
able to tell what zones DNS servers have and, going in reverse, tell what
zones a single DNS server hosts.
Subject: Re: Dns servers,preventing internet users from viewing all of my zones ( domains
From: usrhlp-ga on 21 Sep 2006 12:52 PDT
 
If it is an internal domain (from the sounds of it, it is), your
reverse DNS thought falls flat on its face.

usrhlp
