If a zone permits zone transfers, you can use dig to pull down (dump) the entire zone.
Command
# dig AXFR example.com. @192.168.0.1
example.com. is the zone you want to pull down
192.168.0.1 is the target DNS server
Test
# dig AXFR example.com. @192.168.0.1
Successful case
; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> AXFR example.com. @192.168.0.1
;; global options: +cmd
ccsh.example.com. 86400 IN SOA example.com. user.example.com. 2022042601 36000 3600 2592000 43200
ccsh.example.com. 86400 IN TXT "google-site-verification=JHJQ71uCcMVMbRJv7dKl0n"
ccsh.example.com. 86400 IN TXT "MS=10A14B281346B90C2BF3C0C07A"
... (remainder omitted)
Failed case
; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> AXFR example.com. @192.168.0.1
;; global options: +cmd
; Transfer failed.
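The two outcomes above can be told apart mechanically, which is useful when auditing your own nameservers. The following POSIX sh script is an added example and is not part of the original post: it classifies dig AXFR output as OPEN (the server handed out the zone, recognisable by an SOA record in the answer), REFUSED (dig printed "; Transfer failed.") or UNKNOWN (timeout, unreachable server, and so on). The sample outputs embedded in the script are constructed, modelled on the success and failure cases shown above; the zone, server address and script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): classify the output of
# "dig AXFR <zone> @<server>" so that a defender can check whether one of
# their own nameservers still answers zone transfer requests.

# classify_axfr_output reads dig output on stdin and prints one of:
#   OPEN     - the server returned the zone (a non-comment SOA record came back)
#   REFUSED  - the server answered but did not allow the transfer
#   UNKNOWN  - anything else (timeout, no server reachable, empty output)
classify_axfr_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        echo REFUSED
    elif printf '%s\n' "$out" | grep -Eq '^[^;].*[[:space:]]IN[[:space:]]+SOA[[:space:]]'; then
        echo OPEN
    else
        echo UNKNOWN
    fi
}

# check_zone_transfer runs dig against one server and classifies the result.
# Short timeout and a single try keep an audit over many servers quick.
check_zone_transfer() {
    zone=$1
    server=$2
    dig +time=3 +tries=1 AXFR "$zone" @"$server" 2>&1 | classify_axfr_output
}

# Constructed sample outputs (not real captures), modelled on the post's cases.
SAMPLE_OPEN='; <<>> DiG 9.11.26 <<>> AXFR example.com. @192.168.0.1
;; global options: +cmd
example.com. 86400 IN SOA example.com. user.example.com. 2022042601 36000 3600 2592000 43200
example.com. 86400 IN TXT "constructed-sample-record"'

SAMPLE_REFUSED='; <<>> DiG 9.11.26 <<>> AXFR example.com. @192.168.0.1
;; global options: +cmd
; Transfer failed.'

# Usage when run directly (assumed script name): ./check_axfr.sh example.com 192.168.0.1
# With no arguments the script only defines the functions and samples.
if [ "$#" -eq 2 ]; then
    check_zone_transfer "$1" "$2"
fi
```

Run it against each authoritative server for your zone from a host that is not one of your secondaries; every server should print REFUSED once `allow-transfer` is restricted as described in the next section. A result of OPEN from such a host means the zone contents are available to anyone who asks.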
Preventing others from doing zone transfers
BIND permits this by default; add the following line inside options:
options {
allow-transfer { none; };
};
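Refusing transfers with `none` is the right global setting, but a primary that feeds secondaries still has to let those secondaries in. The named.conf fragment below is an added example, not configuration from the original post: it shows the weak setting beside the corrected one, where transfers are denied globally and re-enabled per zone for one assumed secondary (192.168.0.2 and the zone file name are hypothetical).

```conf
// Added example (not from the original post). 192.168.0.2 is an assumed
// secondary address; example.com.zone is an assumed file name.

// Weak: any client can pull the whole zone with AXFR.
options {
    allow-transfer { any; };
};

// Corrected: refuse transfers globally, then allow only the secondary,
// and only for the zone it actually replicates.
acl "secondaries" { 192.168.0.2; };

options {
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { secondaries; };
};
```

Check the syntax with `named-checkconf` before reloading, then repeat the dig AXFR test from a host that is not in the ACL; it should now print "; Transfer failed." If the secondary's address can change or the link crosses untrusted networks, BIND also accepts `allow-transfer { key "name"; };` to require a TSIG-signed request instead of trusting a source address.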
References
[1] https://help.dyn.com/use-dig-to-download-zone-data/