The DNS protocol contains a command called AXFR which requests a so-called ‘zone transfer’, where a nameserver sends you the complete content of one of its databases, meaning a list of all hosts and subdomains. Zone transfers are nowadays usually blocked. One of the reasons is that a zone transfer might give you interesting insights into a company’s structure. Another issue is that the contents of the zone itself can be considered ‘secret’ information if you see DNS not as an infrastructure service, but as a speculation target.
Back in 1997 or so we did a lot of zone transfers for top-level domains to see what’s out there. But nowadays all TLD servers would have AXFR disabled for sure. Using a simple command line I checked:
    curl http://svn.23.nu/svn/repos/ptt/databases/iso.txt \
         http://svn.23.nu/svn/repos/ptt/databases/tlds.txt \
      | sort -u | grep -v '#' | xargs -n 1 dig NS \
      | grep -v ';;' | sort -u | grep -v 'SOA' | grep "NS" \
      | perl -npe 's|(\S+).*NS\t(.*)|dig AXFR $1 \@$2|' \
      | grep -v ';' | sort -ru > /dev/null | sh | tee axfr.txt
It turns out a lot of TLDs allow AXFR. I was able to get the zone contents for the following 78 TLDs:
ad, af, ag, al, an, ao, aq, ba, bf, bg, bi, bj, bm, bn, br, bs, bt, cl, cm, cv, cx, es, fm, gb, gs, in, kh, km, kn, ky, kz, lc, lk, ma, mc, mn, ms, mu, museum, mz, na, ne, ng, ni, np, oz.au, pe, pg, pk, pn, py, sg, sj, sk, sm, sn, sr, st, sz, tc, td, th, tj, tl, tm, to, tr, tt, ua, ug, uk, uy, uz, ve, vg, vi, ye, za, zw.
All in all that was 613132 domain names. The bold TLDs are the ones which contained lots of them.
Is there an issue? Should TLD operators give out all of their records? Is there a privacy issue?
Some of the more interesting ones:
    gb. TXT "Domain names for United Kingdom go under .uk"
    gb. TXT "For details see the web page on: www.nic.uk"
    gb. TXT "This domain is frozen and will be phased out"
Lacoste an educational institution?
lacoste.edu.lk. TXT "La Chemise Lacoste"
In BN nobody except the crown prince and the royal wedding is allowed to have their own domains.
Some people are actually using the HINFO resource record:
ns.ni. HINFO "PENTIUM III" "LINUX 2.0"
And then there are lots of entries I really don’t understand like:
1-062005-dns-xml-withwebforwarding-url-mask.GS
Let’s see what the most popular domain names are. If we leave out things like nic etc. we get this:
    86 pwc
    79 pricewaterhousecoopers
    79 ciscosystems
    78 cisco
    72 toshiba
    70 fujitsu
    69 epson
    66 shell
    65 canon
    64 rolex
    63 microsoft
    61 mastercard
    60 register
    60 hotmail
    59 yahoo
    59 creditsuisse
    58 xboxlive
    58 verizon
    58 nissan
    57 whirlpool
    57 sms
    57 kitchenaid
    57 credit-suisse
    57 bankofamerica
    57 amazon
    57 3m
    56 visa
    56 msn
    56 morganstanley
    55 xbox
    55 walmart
    55 walmart
    55 sams-club
    55 sams
    55 discovery
    55 bmw
    55 3mcompany
    54 wal-mart
    54 tonline
    54 tcom
    54 t-online
    54 sun
    54 sony
    54 samsclub
    54 hitachi
    54 google
    53 t-systems
    53 t-mobile
    53 t-com
    53 morgan-stanley
    52 tsystems
    52 tmobile
    52 syngenta
    52 philips
    52 nokia
    52 emc
    52 deutschetelekom
    52 deutsche-telekom
    51 walmartstores
    51 wallmart
    51 wal-martstores
    51 volvo
    51 royaldutchshell
    51 rolls-royce
    51 expedia
    51 discoverychannel
    51 cnn
    50 thawte
    50 telekom
    50 sprint
    49 tgroup
    49 t-group
    49 samsclubs
    49 sams-clubs
    49 rollsroyce
Does this mean PriceWaterhouseCoopers is the most global company, because its name is registered in the most TLDs?
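A tally like the one above can be built from saved `dig AXFR` output with a short pipeline. This is an added example, not the command used for the original list; the function names, the constructed records under the reserved `test.` and `invalid.` TLDs, and the rule of counting the leftmost label of each NS owner name once per TLD are assumptions.

```shell
#!/bin/sh
# Added example: count how many TLD zones each registered label appears in,
# reading dig AXFR output (such as the page's axfr.txt) on stdin.

# Constructed sample in dig's answer format (owner TTL class type rdata).
# "test." and "invalid." are reserved TLDs; every name here is made up.
sample_axfr() {
cat <<'EOF'
; <<>> DiG <<>> AXFR test. @ns.nic.test.
test.            86400 IN SOA ns.nic.test. hostmaster.nic.test. 1 3600 600 86400 3600
test.            86400 IN NS  ns.nic.test.
nic.test.        86400 IN NS  ns.nic.test.
acme.test.       86400 IN NS  ns1.acme.example.
acme.test.       86400 IN NS  ns2.acme.example.
ACME.test.       86400 IN NS  ns3.acme.example.
www.acme.test.   3600  IN A   192.0.2.10
widget.co.test.  86400 IN NS  ns1.widget.example.
test.            86400 IN SOA ns.nic.test. hostmaster.nic.test. 1 3600 600 86400 3600
; <<>> DiG <<>> AXFR invalid. @ns.nic.invalid.
invalid.         86400 IN SOA ns.nic.invalid. hostmaster.nic.invalid. 1 3600 600 86400 3600
acme.invalid.    86400 IN NS  ns1.acme.example.
nic.invalid.     86400 IN NS  ns.nic.invalid.
globex.invalid.  86400 IN NS  ns1.globex.example.
EOF
}

# tally_labels [SKIP]: SKIP is a space-separated list of labels to leave out.
tally_labels() {
  awk -v skip="${1:-nic}" '
    BEGIN { m = split(skip, s, " "); for (i = 1; i <= m; i++) drop[s[i]] = 1 }
    /^[ \t]*;/ || NF < 5 { next }      # dig comment lines and blanks
    toupper($4) != "NS"  { next }      # a delegation is an NS record set
    {
      owner = tolower($1); sub(/\.$/, "", owner)   # DNS names are case-insensitive
      n = split(owner, part, ".")
      if (n < 2) next                  # NS at the zone apex is not a registration
      label = part[1]; tld = part[n]
      if (label in drop) next
      # Several NS lines per name: count each label once per TLD.
      if (!((label, tld) in seen)) { seen[label, tld] = 1; count[label]++ }
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2,2
}

sample_axfr | tally_labels
```

Counting raw owner names with `uniq -c` instead would inflate the numbers, because each delegation carries one line per nameserver and may appear in mixed case.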