Here is some background information on Zone Transfers.
"The data contained in an entire DNS zone may be sensitive in nature. Individually, DNS records are not sensitive, but if a malicious entity obtains a copy of the entire DNS zone for a domain, they may have a complete listing of all hosts in that domain"
This is essentially what we were able to pull down from this DNS server, and not just for its own domain but for many others, because it was authoritative for a whole bunch of domains.
Find out the name servers for a zone:
dig @server domain ns
Request all records for a zone from an authoritative server (AXFR runs over TCP, and each name server in the NS list may be configured differently, so try every one of them rather than stopping at the first refusal):
dig @server domain axfr
Use host to find all the host records for a zone:
host -l domain
Use host to request all the records for a zone:
host -lv -t any domain
This is what you usually see:
cg@segfault:~$ host -t ns really.vuln.edu
really.vuln.edu name server DNS1.really.vuln.edu.
really.vuln.edu name server DNS2.really.vuln.edu.
cg@segfault:~$ host -lv -t any really.vuln.edu DNS1.really.vuln.edu
Using domain server:
Host really.vuln.edu not found: 5(REFUSED)
; Transfer failed.
The (sanitized) screenshots above are what we got: about 3k internal IPs and hostnames :-)
Usage: dnswalk domain
domain MUST end with a '.'
cg@segfault:~$ dnswalk really.vuln.edu. DNS1.really.vuln.edu
Getting zone transfer of really.vuln.edu. from DNS1.really.vuln.edu...failed
FAIL: Zone transfer of really.vuln.edu. from DNS1.really.vuln.edu failed: Response code from server: REFUSED
Getting zone transfer of really.vuln.edu. from dns3.really.vuln.edu...done.
WARN: router-10.1.1.0.really.vuln.edu A 10.1.1.1: no PTR record
WARN: router_10.2.2.1.really.vuln.edu: invalid character(s) in name
WARN: router_10.3.19.1.really.vuln.edu A 10.115.197.1: no PTR record
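The dnswalk run above shows the point that matters in practice: DNS1 answered REFUSED, but dns3 handed over the whole zone. The script below is an added example (not from the original post or from dnswalk) that looks up the NS records for a zone and tries an AXFR over TCP against each server in turn, then extracts hostnames and addresses from whatever comes back. It assumes dig(1) from BIND is installed; the zone names and the SAMPLE_AXFR / REFUSED_AXFR strings are constructed for illustration so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): try AXFR against every
# authoritative name server for a zone, because one server may answer
# REFUSED while another still hands over the zone (as DNS1 vs dns3 did
# above). Assumes dig(1) from BIND is installed; the zone names and the
# SAMPLE_AXFR / REFUSED_AXFR output below are constructed for illustration.

# axfr_has_records: read dig AXFR output on stdin; succeed only if the
# transfer did not fail and at least one non-comment record is present.
axfr_has_records() {
    awk '/Transfer failed/ { fail = 1 } /^[^;]/ { n++ } END { exit (fail || n == 0) }'
}

# axfr_hosts: read dig AXFR output on stdin and print "name address"
# for each A record (comment lines, SOA, NS, CNAME etc. are skipped).
axfr_hosts() {
    awk '$1 !~ /^;/ && $4 == "A" { sub(/\.$/, "", $1); print $1, $5 }'
}

# axfr_count_addrs: number of distinct addresses in dig AXFR output.
axfr_count_addrs() {
    axfr_hosts | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}

# try_axfr zone server: one AXFR attempt over TCP (AXFR is TCP-only).
# Prints the records and returns 0 on success; returns 1 on REFUSED,
# timeout or an empty answer.
try_axfr() {
    out=$(dig +tcp +noall +answer +time=5 +tries=1 "@$2" "$1" AXFR 2>/dev/null) || return 1
    echo "$out" | axfr_has_records || return 1
    echo "$out"
}

# axfr_all zone: look up the NS records and try each server in turn,
# rather than stopping at the first refusal.
axfr_all() {
    zone=$1
    for ns in $(dig +short NS "$zone"); do
        if records=$(try_axfr "$zone" "$ns"); then
            echo "[+] $ns allowed AXFR for $zone ($(echo "$records" | axfr_count_addrs) distinct addresses)"
            echo "$records" | axfr_hosts
        else
            echo "[-] $ns refused AXFR for $zone" >&2
        fi
    done
}

# Constructed sample of what dig prints for a successful transfer.
SAMPLE_AXFR='really.vuln.edu.            3600 IN SOA   dns3.really.vuln.edu. hostmaster.really.vuln.edu. 2011010101 3600 900 604800 86400
really.vuln.edu.            3600 IN NS    dns3.really.vuln.edu.
router-10.1.1.0.really.vuln.edu. 3600 IN A     10.1.1.1
www.really.vuln.edu.        3600 IN CNAME router-10.1.1.0.really.vuln.edu.
router_10.3.19.1.really.vuln.edu. 3600 IN A     10.115.197.1
backup.really.vuln.edu.     3600 IN A     10.1.1.1
really.vuln.edu.            3600 IN SOA   dns3.really.vuln.edu. hostmaster.really.vuln.edu. 2011010101 3600 900 604800 86400'

# Constructed sample of what dig prints when the server answers REFUSED.
REFUSED_AXFR='; Transfer failed.'

if [ -n "${1:-}" ]; then
    axfr_all "$1"          # live run: ./axfr_all.sh really.vuln.edu
else
    echo "$SAMPLE_AXFR" | axfr_hosts
fi
```

Run it with a zone name to attempt the transfers live; with no argument it only parses the constructed sample. The NS lookup uses the resolver's view of the zone, so servers that are authoritative but not published in the NS set (a hidden primary, or the MNAME in the SOA) still have to be tried by hand with try_axfr.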