Looking for help with dig and dns

[decepticon_eazy_e]

I'm looking for help running tests against DNS servers. I want to list all the subdomains for a specific domain. So I try to use the dig command with axfr and it fails every time.

dig @ns.SOA.com somedomain.com axfr

Am I doing it wrong or are modern dns servers hardened and no longer accept this query? Is there a better way to do this? For example, so I build a dns server and try to replicate records to query? Would the axfr command be accepted if it came from a dns server? If so, what is the 'check' that I would be passing, so I could spoof it.

Next DNS question along the same lines, I want to do reverse dns lookups. It also seems that all the DNS servers I tried don't accept this, which is the proper behavior after hardening. However we all know, not EVERYBODY does the proper settings and there is always somebody out there with some default settings. Are the queries wrong or am I just not finding a server that allows reverse dns? Anyone know of some servers that accept reverse dns?

Anyone know a good resource to find these one in a million dns servers?

[digip]

Properly configured DNS servers, do NOT have to list subdomains, and by default, security wise, thats what we call domain transfers, and if they DO return all the subdomain names, than its considered a security issue. NSLOOKUP is pretty much the same thing, but DIG can sometimes get some more info out of the servers. Hak5.org used to allow entire domain name transfers, and show all the subdomains. Not sure if it still does, but I think Digininja purposely has a server setup for people to test against. Search his name + dns in the forums for the link, or go to his site to see if he has links.

The other way to do it, is 1, nmap dns scanning, or 2 bruteforcing names to IP addresses for a main domain.

Edited May 13, 2013 by digip