Like others have said, what you want is a so-called zone transfer. If it is your own domain you can configure the DNS server to give it to you. If it is for some other domain you probably won't get it, since most DNS admins consider it a security threat.
Even if an individual record isn't a problem (that's what DNS is there for), it could be a problem if an evil person gets a list of all your records: it could simplify an attack.
Preventing zone transfers is a function of the server administration, and as others have said it is typically disabled these days for security reasons.
When the time comes to add DNSSEC, make sure you use the newer NSEC3 format records (from RFC 5155) rather than the original NSEC format, as the latter allows for zone enumeration.
Note that preventing zone enumeration really is just security-via-obscurity. If someone finds your subdomain you'll still need additional security at the application layer.
As for your example records:
www IN CNAME domain.com.
subdomain1 IN CNAME domain.com.
subdomain2 IN CNAME domain.com.
subdomain1 IN A 123.4.56.78.
subdomain2 IN A 123.4.56.79.
You can't mix CNAME records and other RRtypes in the same entity
The trailing dots in the A records are invalid
It's best not to use a CNAME back to the domain for the WWW record
You need:
$ORIGIN domain.com.          ; trailing dot: absolute origin, not relative to the file's default
@ IN SOA ...                 ; apex records
  IN A 123.4.56.78           ; blank owner inherits "@" from the previous line
www IN A 123.4.56.78         ; plain A record for www, no CNAME back to the apex
sub1 IN A 123.4.56.79
(where sub1.domain.com is the hidden site)
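To catch the three mistakes listed above before a zone is loaded, here is a small checker; it is an added example, not code from the answer or from any DNS server. It parses "owner IN type rdata" lines, flags a CNAME sharing an owner with other RRtypes, A rdata that is not a valid IPv4 address (the trailing dot), and a www CNAME pointing back at the apex. The two sample zones are constructed inline, and the SOA values in the corrected one are made up.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed input: the asker's records quoted in the answer above.
BAD_ZONE = """\
www IN CNAME domain.com.
subdomain1 IN CNAME domain.com.
subdomain2 IN CNAME domain.com.
subdomain1 IN A 123.4.56.78.
subdomain2 IN A 123.4.56.79.
"""

# Constructed input: the corrected zone, with a made-up SOA so it parses.
GOOD_ZONE = """\
$ORIGIN domain.com.
@ IN SOA ns1 hostmaster 1 3600 600 86400 300
  IN A 123.4.56.78
www IN A 123.4.56.78
sub1 IN A 123.4.56.79
"""

# owner [ttl] IN type rdata   (class assumed to be IN; TTL optional)
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(\S+)\s+(.+)$")

def lint_zone(text, apex="domain.com."):
    """Return (owner, code, detail) tuples for the mistakes discussed above."""
    rrsets = defaultdict(list)   # owner -> [(rtype, rdata), ...]
    problems = []
    last_owner = None
    for raw in text.splitlines():
        raw = raw.split(";", 1)[0].rstrip()          # drop ; comments
        if not raw.strip() or raw.startswith("$"):   # skip blanks and $ORIGIN/$TTL
            continue
        if raw[0].isspace() and last_owner:          # blank owner inherits the previous one
            raw = last_owner + raw
        m = RECORD_RE.match(raw.strip())
        if not m:
            problems.append((raw.strip(), "unparseable", "not 'owner IN type rdata'"))
            continue
        owner, rtype, rdata = m.group(1), m.group(2).upper(), m.group(3).strip()
        last_owner = owner
        rrsets[owner].append((rtype, rdata))
        if rtype == "A":
            try:
                ipaddress.IPv4Address(rdata)
            except ValueError:                       # e.g. a trailing dot copied from a name
                problems.append((owner, "a-rdata-invalid", rdata))
        if rtype == "CNAME" and owner == "www" and rdata == apex:
            problems.append((owner, "www-cname-apex", "use an A record for www"))
    for owner, rrs in rrsets.items():                # RFC 1034: a CNAME must stand alone
        types = {t for t, _ in rrs}
        if "CNAME" in types and len(types) > 1:
            problems.append((owner, "cname-mixed", ",".join(sorted(types - {"CNAME"}))))
    return problems
```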
Using zone transfer, i.e.:
(in nslookup)
ls -d google.com
If you have your own DNS server, there will be zone transfer security settings (usually by IP). Otherwise, just try it and see if it works.
It used to be possible with:
If name servers allow zone transfers you can use this page http://www.magic-net.info/dns-lookup.dnslookup to find all subdomains in a given zone.
15 Oct. I have modified my tool. Now it checks the first 6 name servers for zone transfers and, if none allow zone transfers, uses search engines, reverse lookup and subdomain search.