Penetration Testing Tip #4: nslookup and DNS Zone Transfers

Want a list of all the IP addresses and aliases assigned within a domain? You can grab that information if the DNS server allows zone transfers. A zone transfer (the DNS AXFR query, carried over TCP port 53) is the mechanism a secondary DNS server uses to pull a complete copy of the zone from the primary. The DNS servers for a zone are organized in a master-slave arrangement: the slaves (secondaries) fetch updated zone data from the master (primary). The master should be configured to allow zone transfers only from its own secondary servers, but this restriction is often not implemented, and then anyone who can reach the server can ask for the whole zone.

You do not need to be running a DNS server to request a zone transfer. You can issue the request with the nslookup client, which is a standard part of Unix, NT, Windows 2000 and XP. To dump the DNS records for your current domain, let's say it is wayne.net:

Type nslookup at the command line (NT example). This starts nslookup in interactive mode. It responds with the name and IP address of your default DNS server:

Default Server: dns01.wayne.net
Address: 10.10.10.1
>

To see the current value of every option, type set all (it shows settings, not commands). The more important set options:

set d2 : puts nslookup in exhaustive debug mode, so you can examine the query and response packets exchanged between the resolver and the server
set domain=<domain name> : tells the resolver which domain name to append to queries that are not fully qualified (FQDN)
set timeout=<seconds> : raises the per-query timeout, useful on slow links
set type=<recordtype> : which type of records to query for (A, PTR, SRV, MX, NS, or ANY for every type)

You can get help at the nslookup command prompt by typing:

> help

To dump all available records, assuming zone transfers are enabled, issue the following commands:

> set type=any
> ls -d wayne.net > dns.wayne.net
> exit

The ls -d wayne.net command requests every record in the zone, and the redirect writes them to a file named "dns.wayne.net". Because ls -d performs a real zone transfer, it only succeeds against a server that is authoritative for the zone and allows transfers from your address; a recursive resolver that merely caches the zone will not answer it. Open dns.wayne.net and see what goodies you can find. If dns01 is not authoritative for the domain, or refuses the transfer, switch to another server (try each one listed in the zone's NS records) with the command:

> server 10.10.10.2

Default Server: dns02.wayne.net
Address: 10.10.10.2
>

If successful, the dump file will have lines such as:

> ls -d wayne.net
[dns1.wayne.net]
wayne.net. SOA dns04.wayne.net wayne.dns04.wayne.net. (3301 10800 3600 604800 86400)
wayne.net. NS dns04.wayne.net
wayne.net. NS dns02.wayne.net
wayne.net. NS dns01.wayne.net
wayne.net. NS dns05.wayne.net
wayne.net. MX 10 email.wayne.net
rsmithpc TXT "smith, robert payments 214-389-xxxx"
rsmithpc A 10.10.10.21
wmaplespc TXT "Waynes PC"
wmaplespc A 10.10.10.10
wayne CNAME wmaplespc.wayne.net
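What nslookup's ls -d sends under the hood is an AXFR query over TCP. The following is an added example, not part of the original tip, of the same exchange done by hand in Python 3 with only the standard library: it builds the query, reads the length-prefixed reply messages, follows name-compression pointers and decodes the record types that appear in a dump like the one above. The server address and zone name are whatever you pass in; sample_axfr_response() is a constructed reply (not captured from any real server) so the parser can be exercised offline.

```python
import socket
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT"}
SOA_TIMERS = struct.Struct("!IIIII")        # serial refresh retry expire minimum
RR_FIXED = struct.Struct("!HHIH")           # type class ttl rdlength

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """Header (ID, flags=0, QDCOUNT=1) followed by one question: <zone> AXFR (252) IN (1)."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", 252, 1)

def read_name(msg, off):
    """Decode a possibly compressed name at msg[off]; returns (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:           # compression pointer: follow it, remember where we were
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def parse_rdata(msg, rtype, off, rdlen):
    """Render RDATA for the record types that matter in a zone dump; anything else as hex."""
    if rtype == 1:
        return ".".join(str(b) for b in msg[off:off + 4])
    if rtype in (2, 5):
        return read_name(msg, off)[0]
    if rtype == 15:
        return f"{struct.unpack('!H', msg[off:off + 2])[0]} {read_name(msg, off + 2)[0]}"
    if rtype == 16:                         # TXT: a sequence of <len><chars> strings
        strings, p = [], off
        while p < off + rdlen:
            strings.append(msg[p + 1:p + 1 + msg[p]].decode("ascii", "replace"))
            p += 1 + msg[p]
        return " ".join(f'"{s}"' for s in strings)
    if rtype == 6:
        mname, p = read_name(msg, off)
        rname, p = read_name(msg, p)
        return f"{mname} {rname} ({' '.join(map(str, SOA_TIMERS.unpack(msg[p:p + 20])))})"
    return msg[off:off + rdlen].hex()

def parse_message(msg):
    """Parse one DNS message into (rcode, [(owner, type, ttl, rdata), ...])."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                     # skip the echoed question section
        off = read_name(msg, off)[1] + 4
    records = []
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = RR_FIXED.unpack(msg[off:off + 10])
        off += 10
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), ttl, parse_rdata(msg, rtype, off, rdlen)))
        off += rdlen
    return flags & 0xF, records

def axfr(server, zone, port=53, timeout=10):
    """Transfer a zone over TCP; it is complete once the SOA has been seen twice (open and close)."""
    records, soa_seen = [], 0
    query = build_axfr_query(zone)
    with socket.create_connection((server, port), timeout=timeout) as s, s.makefile("rb") as rx:
        s.sendall(struct.pack("!H", len(query)) + query)   # DNS over TCP: 2-byte length prefix
        while soa_seen < 2:                                 # the answer may span several messages
            prefix = rx.read(2)
            if len(prefix) < 2:
                raise ConnectionError("server closed the connection mid-transfer")
            rcode, rrs = parse_message(rx.read(struct.unpack("!H", prefix)[0]))
            if rcode != 0:                                  # 5 = REFUSED: transfers are restricted
                raise RuntimeError(f"{server} refused AXFR for {zone}, rcode={rcode}")
            for rr in rrs:
                records.append(rr)
                soa_seen += rr[1] == "SOA"
    return records

def sample_axfr_response():
    """Constructed (not captured) one-message AXFR answer for wayne.net with real compression pointers."""
    zone = b"\xc0\x0c"                      # pointer to "wayne.net." in the question (offset 12)
    question = encode_name("wayne.net") + struct.pack("!HH", 252, 1)
    timers = SOA_TIMERS.pack(3301, 10800, 3600, 604800, 86400)
    soa = b"\x05dns04" + zone + b"\x05wayne\xc0\x27" + timers       # rname reuses "dns04.wayne.net." at offset 39
    mx = struct.pack("!H", 10) + b"\x05email" + zone
    txt = b"\x23smith, robert payments 214-389-xxxx"
    rrs = [zone + RR_FIXED.pack(6, 1, 3600, len(soa)) + soa,
           zone + RR_FIXED.pack(15, 1, 3600, len(mx)) + mx,
           b"\x08rsmithpc" + zone + RR_FIXED.pack(16, 1, 3600, len(txt)) + txt,   # owner sits at offset 97
           b"\xc0\x61" + RR_FIXED.pack(1, 1, 3600, 4) + bytes([10, 10, 10, 21]),
           zone + RR_FIXED.pack(6, 1, 3600, 24) + b"\xc0\x27\xc0\x2f" + timers]    # closing SOA, fully compressed
    return struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 5, 0, 0) + question + b"".join(rrs)
```

Call axfr("10.10.10.2", "wayne.net") against one of the zone's authoritative servers. A server that restricts transfers answers with RCODE 5 (REFUSED), which the function raises as an error; one that allows them hands back every record between the opening and closing SOA, which is exactly what ls -d writes to the dump file. Only run this against zones you are authorized to test.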

You can see from the bits above that there are multiple DNS servers (four NS records), that email.wayne.net is the mail exchanger (MX) for the domain, what the workstation IP addresses are, which host the bare name "wayne" is an alias for, and so on.

Lots of goodies, particularly if the DNS admins put "helpful" comments in TXT records. Names, job roles and phone numbers in those comments are ready-made material for social engineering.
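Rather than reading a large dump file by eye, the triage can be scripted. This is an added example, not from the original tip: a Python 3 script that parses the "owner TYPE rdata" lines of an ls -d dump and sorts them into hosts, name and mail servers, aliases and TXT comments, flagging anything that looks like a phone number. SAMPLE_DUMP is constructed from the records shown above; the file and script names in the comments are assumptions.

```python
import re
from collections import defaultdict

# North American style numbers as they turn up in admin comments; the last group
# accepts 'x' so partially masked numbers such as 214-389-xxxx are still flagged.
PHONE_RE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ][\dx]{4}\b", re.IGNORECASE)

# Constructed sample in the layout nslookup's 'ls -d' writes (the records shown above).
SAMPLE_DUMP = """\
[dns1.wayne.net]
wayne.net. SOA dns04.wayne.net wayne.dns04.wayne.net. (3301 10800 3600 604800 86400)
wayne.net. NS dns04.wayne.net
wayne.net. NS dns02.wayne.net
wayne.net. NS dns01.wayne.net
wayne.net. NS dns05.wayne.net
wayne.net. MX 10 email.wayne.net
rsmithpc TXT "smith, robert payments 214-389-xxxx"
rsmithpc A 10.10.10.21
wmaplespc TXT "Waynes PC"
wmaplespc A 10.10.10.10
wayne CNAME wmaplespc.wayne.net
"""

def parse_ls_dump(text, zone):
    """Turn 'owner TYPE rdata' lines into (owner, type, rdata) tuples.
    Owners without a trailing dot are relative to the zone, as in a zone file."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", ">")):   # blank, the [server] banner, echoed commands
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        owner, rtype, rdata = parts
        if not owner.endswith("."):
            owner = f"{owner}.{zone.rstrip('.')}."
        records.append((owner, rtype.upper(), rdata))
    return records

def triage(records):
    """Sort the zone into the buckets a tester works from: hosts, infrastructure, aliases, comments."""
    out = defaultdict(list)
    for owner, rtype, rdata in records:
        if rtype == "A":
            out["hosts"].append((owner, rdata))
        elif rtype in ("NS", "MX"):                    # MX rdata is 'pref host', NS is just 'host'
            out[rtype.lower()].append(rdata.split()[-1])
        elif rtype == "CNAME":
            out["aliases"].append((owner, rdata))
        elif rtype == "TXT":
            out["comments"].append((owner, rdata.strip('"')))
            for phone in PHONE_RE.findall(rdata):      # social-engineering material
                out["phones"].append((owner, phone))
    return dict(out)

def report(text, zone):
    """Parse the contents of a dump file and return the triage buckets."""
    return triage(parse_ls_dump(text, zone))

if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as f:          # e.g. python3 triage.py dns.wayne.net wayne.net (assumed names)
        for bucket, items in report(f.read(), sys.argv[2]).items():
            print(f"== {bucket} ==")
            for item in items:
                print("  ", item)
```

Point it at the dns.wayne.net file produced by ls -d and it prints one bucket per category; the "phones" bucket is the one to hand to whoever is writing the pretext calls, and "hosts" is the starting target list for the port scan.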

The ls -d command does not emulate a zone transfer; it performs a real one (AXFR), which is why the authoritative server has to permit it. ls -t <type> wayne.net lists only records of the given type (ls -t MX wayne.net for the mail servers), and ls -a wayne.net lists canonical names and aliases. Note that the ls subcommand exists only in the Windows nslookup; the BIND 9 nslookup shipped with most Unix systems dropped it, so there you use dig @10.10.10.2 wayne.net axfr or host -l wayne.net 10.10.10.2 instead.

For DNS info see The DNS Place.