I know that it's probably (no longer) possible because of abuse, but I want to check nonetheless. Is there a way for me to obtain the company zone file for a domain myself, without having to contact the people who host the DNS for that domain?
Is there a way to get the complete zone file for a domain, without getting it from the company that hosts the DNS for that specific domain?
You can try to initiate a zone transfer.
You are right though, no sanely configured DNS server should still allow this nowadays. Not just because as a zone admin you don't want to expose your internals but also because AXFR responses are way bigger than the queries, so they prove to be an excellent way for DoS reflection attacks as a <100 bytes spoofable UDP package can make a server send multiple KB of response to any machine on the internet.
If you still want to try:
In the nslookup utility, you can use ls [name of domain] to get the zone information.
And if you prefer dig, then you can use
dig @dns.example.com example.com -t AXFR
Though as I said, it probably won't work for you.
I'm not sure if this is exactly what you're looking for however Network-Tools.com solved my problem of wanting to see all the DNS records in the Zone file on a given nameserver:
Since your usual DNS queries are non-wildcard, your only options are:
Hacking the server and just getting the config file usually is not an option, neither is eavesdropping on the zone transfers to the secondary/backup servers. Apart from those, there is no instance knowing all possible subdomains.
Options for getting incomplete lists:
Also keep in mind some zone files do have wildcards themselves, so *.example.com might give you the address(es) of a web dispatcher configured to handle web1.example.com, sales.example.com, etc. differently. This works with all protocols which use the hostname not only in the IP-level but also in the application data stream. (e.g. name based virtual hosting for http)
The Internet Corporation for Assigned Names and Numbers (ICANN) created a handy service called the Centralized Zone Data Service (CZDS) which supports retrieval of complete zonefiles for selected domains.
The Centralized Zone Data Service (CZDS) is an online portal where any interested party can request access to the Zone Files provided by participating generic Top-Level Domains (gTLDs).
Zone file access provides anticrime organizations, businesses, cybersecurity professionals, law enforcement, and researchers with a means to download the entire zone file "in bulk." These organizations apply the bulk zone data to combat phishing, spam, brand and trademark infringements, and other malicious uses of domains.
I know this is a dated question, but I located the following website to obtain this information after stumbling across this question/answer: UltraTools Zone File Dump
In my testing, it was able to provide me with the information I required.
I've had a similar demand - to check for a domain transfer capabilities on multiple domains with one shot. I've created a web-based tool that allows a domain list (or URLs list) as an input. Additionally all successful transfers are archived so that You would be able to see if domain zone content changes overtime.
The project is a freeware hosted on github here: Medved
A bit longer descriptipn is available at my blog.
This is how it looks like:
Basically You just supply the list of comma-separated list of domains to check and hit a button Analyze. Each domain will have a separate result section with separate tab for each NS server. Green color of server name will indicate a successful transfer. Orange indicate that most probably the TCP port 53 is closed on a remote host (TCP is required for domain transfers). Red server name color indicates that server actively refuses the domain transfers - that means it is properly configured.
The tool has a bit more useful features that are described in detail in the help section:
Mail exchangers, SPF, and others
Although it seems obvious, I find the hardest part about moving a domain is usually something related to the email setup. To this end, maybe it would help to know about the ANY, TXT, MX and SOA options in dig, as I didn't see this mentioned as yet by anyone. While I wouldn't recommend anything other than getting the zone-file straight from the horses mouth, if you are in desperado mode and feel the need for speed you might wanna try mx, soa, txt, and any options, but you will miss all sub-domains in my case it is not obvious to discover the sub-domain lists.triptonites.com which requires mail service.
Notice how the following all give slightly different info that is not obvious
dig any triptonites.com # mite not work
dig mx triptonites.com # for email to work
dig soa triptonites.com # for email abuse / admin
dig txt triptonites.com # for SPF authentication / anti-spam
dig any lists.triptonites.com # shows RFC8482 warning sometimes / always
dig mx lists.triptonites.com # etc as above it shows you'd likely miss records trying to hack this info out
dig soa lists.triptonites.com
dig txt lists.triptonites.com
These all give useful info that could get missed from a casual hack using nslookup and dig etc.
Also, I did it too many times and the server gave an abuse response:
lists.triptonites.com. 3789 IN HINFO "RFC8482" ""
This is another sign this approach is a bit wrong/risky, it's not the correct reply, it's a message about minimal replies and that I should try these using mx, txt and soa instead of any.
