Monday, December 21, 2009

DNS Zone Transfer

A DNS zone transfer (AXFR) is when a DNS server hands out the complete list of records for a domain; the misconfiguration is allowing anyone, not just the domain's own secondary name servers, to ask for it. I wanted to find a specific example of a zone transfer that had internal IPs in the output. After nmapping ranges for port 53 I found one. You need to know the domain name in order to do the transfer, and not a lot of people have reverse DNS, so I got lucky finding one that had both port 53 and 25 open. To find the name I telnet to port 25 and do a HELO request; on this one I did not need to do a HELO:

C:\Users\Syrus>telnet **.192.22.105 25
220 rack1.*********.com ESMTP Postfix

Now to do the zone transfer. The syntax is host -l DOMAIN-NAME DNS-SERVER, where DNS-SERVER is the IP address or DNS name of the name server:

bt ~ # host -l *********.com **.192.22.105
Using domain server:
Name: **.192.22.105
Address: **.192.22.105#53
Aliases:
*********.com has address **.192.22.105
*********.com name server ns1.*********.com.
internal.*********.com has address 192.168.60.254
internal2.*********.com has address 192.168.60.254
isc.*********.com has address **.203.105.185
isc-pi.*********.com has address **.203.105.185
mail.*********.com has address **.192.22.105
new.*********.com has address **.192.22.105
ns1.*********.com has address **.192.22.105
ns2.*********.com has address **.192.22.106
rack1.*********.com has address **.192.22.105
rack2.*********.com has address **.192.22.106
rack3.*********.com has address **.192.22.107
rack4.*********.com has address **.192.22.108
rack5.*********.com has address **.192.22.109
smtp.*********.com has address **.192.22.105
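The listing above is exactly what an administrator wants to check their own zone for: names that resolve to RFC 1918 addresses are the "network map" the post describes. The following script is an added example, not code from the original post. It parses the text format that host -l prints, keeps only the "has address" lines, and flags every record pointing at a private, loopback or link-local address. The sample listing is constructed for the example (placeholder names and documentation addresses, not the zone shown in the post); the regular expression and the address ranges are assumptions about the host output format, modelled on the listing above.

```python
import ipaddress
import re

# Constructed sample in the shape of `host -l` output; names and addresses
# are placeholders for the example, not the post's real zone.
SAMPLE_ZONE_LISTING = """\
Using domain server:
Name: 198.51.100.5
Address: 198.51.100.5#53
Aliases:

example.com has address 198.51.100.5
example.com name server ns1.example.com.
internal.example.com has address 192.168.60.254
internal2.example.com has address 192.168.60.254
mail.example.com has address 198.51.100.5
ns2.example.com has address 198.51.100.6
vpn.example.com has address 10.0.4.1
"""

# Matches the A/AAAA lines host prints; other record types (NS, MX, ...)
# are not "has address" lines and are skipped on purpose.
A_RECORD = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")

# Address space that should never be visible to the outside world through
# a zone transfer: RFC 1918 and IPv6 unique-local, plus loopback/link-local
# checked via ipaddress below. (Assumption: this is the reviewer's policy.)
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]


def is_internal(ip):
    """True if the address belongs to a range that should stay internal."""
    # `ip in net` is False when the IP versions differ, so mixing v4/v6 is safe.
    return (
        any(ip in net for net in INTERNAL_NETS)
        or ip.is_loopback
        or ip.is_link_local
    )


def parse_a_records(listing):
    """Return (name, ip) pairs for every 'has address' line in host -l output."""
    records = []
    for line in listing.splitlines():
        m = A_RECORD.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # not a literal address; ignore the line
        records.append((m.group(1), ip))
    return records


def find_internal_leaks(listing):
    """Zone names whose address record points inside the private ranges."""
    return [(name, str(ip)) for name, ip in parse_a_records(listing) if is_internal(ip)]


def summarize(listing):
    """Counts and the sorted list of leaking names, for a quick audit report."""
    records = parse_a_records(listing)
    leaks = find_internal_leaks(listing)
    return {
        "hosts": len(records),
        "internal": len(leaks),
        "leaked_names": sorted(name for name, _ in leaks),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_ZONE_LISTING)
    print(f"{report['hosts']} address records, {report['internal']} internal:")
    for name in report["leaked_names"]:
        print("  ", name)
```

Feed it the saved output of host -l against your own name server (from an address that is not one of your secondaries); if anything at all comes back, the transfer itself is the finding, and if internal names show up, a split-horizon setup is leaking. On BIND the fix is to restrict allow-transfer in named.conf to the secondary servers (or none), which is the setting the server in the post evidently lacked.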

Now you have a good network map, including some internal IPs. Go find some more that are vulnerable to zone transfers.
