Which command-line tool is commonly used to perform DNS zone transfers during security assessments?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $9.99Unlock all

Prepare for the Certified Ethical Hacker Version 11 Exam with a comprehensive test featuring flashcards and multiple choice questions, each accompanied by hints and explanations to ensure a thorough understanding. Ace your ethical hacking exam with confidence!

Multiple Choice

Which command-line tool is commonly used to perform DNS zone transfers during security assessments?

Explanation:
DNS zone transfers copy all records of a domain from a primary DNS server to its mirrors. In security assessments, you test whether such a transfer can be requested from an unauthorized machine, because if allowed, the attacker can obtain the entire zone data and map the target’s internal structure. The tool most commonly used to test this is DIG. It’s a flexible DNS query tool that can perform a zone transfer by requesting the AXFR record type. For example, you’d try something like: dig @ns.example.com example.com AXFR. If the server is misconfigured and allows AXFR to external hosts, you’ll receive the complete zone data. While NSLOOKUP can also perform AXFR queries, DIG is the go-to in practice due to its straightforward syntax and clear output. PING and Nmap aren’t used for this specific purpose.

DNS zone transfers copy all records of a domain from a primary DNS server to its mirrors. In security assessments, you test whether such a transfer can be requested from an unauthorized machine, because if allowed, the attacker can obtain the entire zone data and map the target’s internal structure.

The tool most commonly used to test this is DIG. It’s a flexible DNS query tool that can perform a zone transfer by requesting the AXFR record type. For example, you’d try something like: dig @ns.example.com example.com AXFR. If the server is misconfigured and allows AXFR to external hosts, you’ll receive the complete zone data. While NSLOOKUP can also perform AXFR queries, DIG is the go-to in practice due to its straightforward syntax and clear output. PING and Nmap aren’t used for this specific purpose.

More Multiple Choice Questions
Subscribe

Get the latest from Examzify

You can unsubscribe at any time. Read our privacy policy