How can I test if a DNS Server is vulnerable to zone transfers with its IP?
How can I check if a DNS Server (let's say a DNS Server inside a private network) is vulnerable to zone transfer attacks when I only have its IP?
I do not have any domain names. I see all these tools like dig, dnsenum, fierce and so on using a domain as a parameter and I do not know which domain I should use as a parameter when the only thing I have is the DNS server IP.
First of all, if you are inside the local network it shouldn't be hard to figure out a domain. If you are connected via DHCP, have a look at the DNS suffix(es) registered for the connection. It could be something like the company name + .com.
A tool like nslookup can help you too. Request the PTR lookup for the IP address, or use dig -x. You should get a fully qualified host name in return, and then you have a domain name.
One way to investigate further is to use a sniffer like Wireshark or tcpdump and sniff the traffic going from and to the server, and you'll quickly find out what DNS requests are sent to that name server.
What you need to know is that the name server may be authoritative for several zones. And each zone may have a different configuration. Thus it is possible that the name server will honor zone transfer requests for some zones and not for others. So you should test them one by one.
Another important point to keep in mind is the IP address of the client. A local IP address may very well be trusted for that purpose whereas a non-local address would not.
Generally speaking, nowadays most name servers are configured not to allow zone transfers to outside entities. But again, local addresses may enjoy more permissive ACLs.
Also, it is not rare for corporations to use a local domain like .local or a subdomain connected to Active Directory, or to have a split-horizon setup.
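The procedure the answer describes (reverse-lookup the IP to harvest a domain, then test AXFR zone by zone against the same server) as an added, stand-alone example; this is not code from the question or the answer. It speaks DNS directly with the standard library rather than wrapping dig, so you can see what an AXFR request and a REFUSED answer look like on the wire. It assumes the target answers on UDP and TCP port 53; the server address, the names (example.com, host1.corp.example.com, 10.2.3.4) and the SAMPLE_* response bytes are constructed for the offline demonstration, not captured from a real server.

```python
import socket
import struct
import sys

# Added example: given only a name server's IP, harvest a domain via PTR and
# probe AXFR per candidate zone over TCP/53. Assumes UDP+TCP port 53 reachable.
QTYPE_PTR, QTYPE_SOA, QTYPE_AXFR, QCLASS_IN = 12, 6, 252, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, terminated by a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype, txid=0x1234):
    """12-byte header (RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(msg, off):
    """Read a (possibly compressed) name at msg[off]; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer into the message
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off + 1)
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_response(msg):
    """Return (rcode name, [(owner, rtype, rdata)]) for the answer section only."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, records = 12, []
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                       # skip qtype and qclass
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        # PTR rdata is a (compressible) name, so decode it against the whole message
        rdata = decode_name(msg, off)[0] if rtype == QTYPE_PTR else msg[off:off + rdlen]
        records.append((owner, rtype, rdata))
        off += rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), records


def classify_axfr(rcode, records):
    """A zone that is actually being transferred always starts with its SOA record."""
    if rcode != "NOERROR":
        return rcode                                   # REFUSED: ACL says no; NOTAUTH: not its zone
    if records and records[0][1] == QTYPE_SOA:
        return "TRANSFER ALLOWED"
    return "NOERROR, no transfer"


def reverse_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def candidate_zones(fqdn):
    """Drop the host label and return every parent with at least two labels."""
    labels = [l for l in fqdn.rstrip(".").split(".") if l]
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def ptr_lookup(server, ip, timeout=5.0):
    """Ask the target server itself for the PTR of ip (it may not serve its own reverse zone)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(reverse_name(ip), QTYPE_PTR), (server, 53))
        msg, _ = s.recvfrom(4096)
    return [rdata for _, rtype, rdata in parse_response(msg)[1] if rtype == QTYPE_PTR]


def axfr_probe(server, zone, timeout=5.0):
    """AXFR is TCP only: 2-byte length prefix, then the message; the first reply is enough to classify."""
    query = build_query(zone, QTYPE_AXFR)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        msg = recv_exact(s, struct.unpack("!H", recv_exact(s, 2))[0])
    return classify_axfr(*parse_response(msg))


# Constructed sample responses (not captured traffic) so the parser can be exercised offline.
SAMPLE_QUESTION = encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + SAMPLE_QUESTION
SOA_RDATA = b"\x03ns1\xc0\x0c" + b"\x0ahostmaster\xc0\x0c" + struct.pack("!IIIII", 2024010101, 7200, 900, 1209600, 86400)
SAMPLE_ALLOWED = (struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 1, 0, 0) + SAMPLE_QUESTION
                  + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(SOA_RDATA)) + SOA_RDATA)
PTR_RDATA = encode_name("host1.corp.example.com")
SAMPLE_PTR = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + encode_name(reverse_name("10.2.3.4"))
              + struct.pack("!HH", QTYPE_PTR, QCLASS_IN) + b"\xc0\x0c"
              + struct.pack("!HHIH", QTYPE_PTR, QCLASS_IN, 3600, len(PTR_RDATA)) + PTR_RDATA)

if __name__ == "__main__":
    server = sys.argv[1]                               # run from inside the network: ACLs often trust local IPs
    zones = [z for name in ptr_lookup(server, server) for z in candidate_zones(name)]
    zones += sys.argv[2:]                              # extra guesses, e.g. the DHCP search suffix or .local
    for zone in dict.fromkeys(zones):                  # each zone has its own ACL, so test one by one
        print(f"{zone:40s} {axfr_probe(server, zone)}")
```

Run it as `python axfr_probe.py 10.2.3.4 corp.local` from a host on the same network, then again from outside; a zone that reports TRANSFER ALLOWED only from the inside is exactly the "local addresses enjoy more permissive ACLs" case the answer warns about. REFUSED means the server is authoritative but its allow-transfer ACL rejected your source address; NOTAUTH or NXDOMAIN means you guessed a zone this server does not hold, so keep trying the other candidates.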