What is the difference between zone walking and zone transfer?

A zone transfer (AXFR) is a protocol mechanism where a server sends the entire zone file at once. Zone walking is a technique that follows NSEC record chains one name at a time to enumerate the zone. Zone transfers can be restricted with ACLs, but NSEC records are public by design and cannot be restricted — NSEC3 makes it harder but does not eliminate the risk entirely.

Does NSEC3 completely prevent zone enumeration?

No. NSEC3 is a deterrent, not a complete prevention. It makes zone walking significantly harder by hashing domain names, but those hashes can be cracked with enough computational effort and a good dictionary. The hash algorithm, salt, and iteration count are all public in the NSEC3PARAM record, so an attacker can hash candidate names offline and compare them. Common subdomain names like www, mail, api, and staging are trivial to crack. GPU-accelerated tools like nsec3map and hashcat make this practical even at scale.

Should I disable DNSSEC to prevent zone walking?

Generally no. The security benefits of DNSSEC (preventing cache poisoning and response tampering) outweigh the information disclosure risk. The correct approach is to use NSEC3 instead of NSEC, which preserves DNSSEC protections while making zone walking significantly more difficult — though not impossible for determined attackers.

How can I tell if my zone uses NSEC or NSEC3?

Query for a name that does not exist in your zone with the +dnssec flag: dig nonexistent.yourdomain.com A +dnssec. Look at the authority section of the response. If you see NSEC records with readable domain names, you are using NSEC and your zone is trivially walkable. If you see NSEC3 records with hashed strings, you are using the harder-to-walk variant — but remember that NSEC3 hashes can still be cracked.

What is the difference between zone walking subdomains and zone walking a TLD?

This article covers zone walking at the subdomain level — discovering names like admin.example.com within a single domain's zone. Zone walking can also be applied to TLD zones (like .com or .eu) to discover registered second-level domains. TLD zone walking is a separate topic covered in our article on DNS Zone Walking at the TLD Level.

DNS Zone Walking for Subdomain Enumeration: How NSEC Exposes Your Subdomains

DNS zone walking is a reconnaissance technique that exploits DNSSEC's NSEC (Next Secure) records to systematically enumerate every name in a DNS zone. NSEC records were designed to provide authenticated denial of existence — proof that a queried name does not exist — but their implementation creates a linked chain that reveals all names in the zone. An attacker can follow this chain to discover every subdomain without needing to brute-force or guess names.

This is one of those cases where a security feature (DNSSEC) introduced a new information disclosure vulnerability. Understanding it is important for anyone who has enabled DNSSEC or is considering it.

How NSEC Records Work

When DNSSEC was first designed, it needed a way to prove that a domain name does not exist. Without this, an attacker could forge a "name does not exist" (NXDOMAIN) response and deny access to legitimate domains.

The solution was NSEC records. An NSEC record for a name points to the next existing name in the zone, sorted alphabetically. This creates a chain:

alpha.example.com → NSEC → beta.example.com
beta.example.com  → NSEC → gamma.example.com
gamma.example.com → NSEC → alpha.example.com (wraps around)

When a resolver queries for a name that does not exist — say bbb.example.com — the authoritative server returns the NSEC record for beta.example.com, which says "the next name after beta is gamma." This proves there is nothing between beta and gamma, so bbb.example.com genuinely does not exist.

The problem is obvious: each NSEC record reveals the next name in the zone. Follow the chain from the beginning, and you discover every name.

How Zone Walking Works

The attack is straightforward:

Query for the zone apex: dig example.com NSEC
The response includes the next name in the zone, say admin.example.com
Query for admin.example.com NSEC
The response includes the next name: api.example.com
Continue until the chain wraps back to the beginning

# Start the walk
dig example.com NSEC +short
# Returns: admin.example.com A AAAA RRSIG NSEC

dig admin.example.com NSEC +short
# Returns: api.example.com A RRSIG NSEC

dig api.example.com NSEC +short
# Returns: blog.example.com CNAME RRSIG NSEC

Tools like ldns-walk and nsec3walker automate this process and can enumerate an entire zone in seconds.

The NSEC records also reveal which record types exist for each name (shown after the next name in the NSEC record data). This tells the attacker not just that admin.example.com exists, but that it has A and AAAA records — meaning it is a host with IPv4 and IPv6 addresses.

Why You Cannot Speed This Up With Parallel Queries

If you are writing a zone walking script and thinking about firing off concurrent requests to speed things up — save yourself the trouble. I went down this road and it is a dead end. Zone walking is inherently sequential: each NSEC response reveals the next name in the chain, and you cannot send query N+1 until you have the answer from query N. There is no way to split the walk across threads, guess ahead, or divide the zone into parallel ranges. For most domain zones with hundreds or a few thousand subdomains this is not a real bottleneck anyway — the walk completes in seconds. If you are walking a TLD zone with millions of entries, the sequential constraint is more painful, but the answer is still the same: the walk itself cannot be parallelized.

Real-World Impact

Zone walking has been used to:

Map corporate infrastructure by discovering internal-sounding subdomains like vpn, staging, jenkins, gitlab, and internal
Identify attack targets — subdomains running specific services are often more vulnerable than the main domain
Prepare for subdomain takeover by identifying CNAMEs to third-party services
Competitive intelligence — discovering product names, internal projects, and infrastructure details from subdomain names

Several large organizations discovered this the hard way after enabling DNSSEC with NSEC and finding their complete subdomain inventory indexed by security researchers and attackers alike.

How Attackers Discover This Weakness

An attacker simply needs to check whether a domain uses NSEC or NSEC3:

dig example.com NSEC +dnssec

If the response includes NSEC records (rather than NSEC3), the zone is walkable. This is a five-second check that reveals a significant information exposure.

NSEC3: A Deterrent, Not a Complete Fix

NSEC3 (defined in RFC 5155) was created to make zone walking harder. Instead of chaining cleartext domain names, NSEC3 chains hashed versions of the names.

# Instead of:  alpha → beta → gamma
# NSEC3 shows: 1abc3f → 4de7a2 → 9bc1d5

The hashes are computed using a salt and multiple iterations, making it computationally expensive to reverse them back to the original names.

NSEC3 makes zone walking significantly harder but not impossible. The hashes can be cracked with enough computational effort and a good dictionary. This is an important distinction — NSEC3 is a deterrent that raises the cost of enumeration, not a guarantee of privacy. Here is why:

Offline dictionary attacks work because the NSEC3 hash algorithm, salt, and iteration count are all public (they are in the NSEC3PARAM record). An attacker downloads the hashed chain, then hashes a dictionary of common names (www, mail, api, staging, vpn, admin) against the known parameters. Any match reveals a real subdomain.
GPU-accelerated cracking has made this even more practical. Tools like nsec3map and hashcat can test millions of candidate names per second against NSEC3 hashes.
Rainbow table attacks are possible if the salt is short or the iteration count is low.
The opt-out flag in NSEC3 means unsigned delegations may not have corresponding NSEC3 records, potentially leaking information about the zone structure.

The bottom line: if your subdomains use predictable names, NSEC3 will not protect them from a motivated attacker. It stops casual automated walking, but it does not stop targeted enumeration.

How to Test Your Own Domain

Check whether your domain uses NSEC or NSEC3:

# Query for a name that does not exist
dig nonexistent.example.com A +dnssec

# Look for NSEC or NSEC3 records in the authority section

If you see NSEC records with cleartext names, your zone is walkable. If you see NSEC3 records with hashed values, you are using the safer variant.

Attempt a zone walk on your own domain:

# If you have ldns-utils installed
ldns-walk example.com

If this returns a list of your subdomains, you need to switch to NSEC3.

You can also use the DNS Inspector to examine your domain's DNSSEC configuration and record types.

How to Defend Against It

Switch from NSEC to NSEC3

This is the primary mitigation. Most DNSSEC-capable DNS software supports NSEC3:

# BIND example: generate NSEC3 parameters
rndc signing -nsec3param 1 0 10 auto example.com

Use Strong NSEC3 Parameters

Use a random salt (at least 8 characters)
Use a sufficient iteration count (the balance is between security and performance; 10-20 iterations is common)
Rotate the salt periodically

Consider Whether You Need DNSSEC

For internal zones or zones where subdomain privacy is critical, weigh the benefits of DNSSEC against the information disclosure risk. If zone walking is a greater concern than cache poisoning for your specific use case, you may decide DNSSEC is not appropriate for that zone.

Mitigation Checklist

Zones use NSEC3 instead of NSEC
NSEC3 salt is random and sufficiently long
NSEC3 iteration count is appropriate for your zone size
NSEC3 salt is rotated periodically
Subdomain naming conventions avoid revealing sensitive information
Zone walking tests are included in security audits

Common Misconfigurations

Enabling DNSSEC with default NSEC without switching to NSEC3
Using an empty or trivially short NSEC3 salt, making dictionary attacks easier
Setting iteration count to zero, removing the computational cost of cracking hashes
Never testing your own zone for walkability after enabling DNSSEC

Ethical Note

Zone walking against domains you do not own exists in a legal gray area. The records are technically public (DNSSEC is designed to be verifiable by anyone), but using the information for unauthorized purposes is not. Only perform zone walking against your own domains or with explicit authorization. For practice, sign a test zone in a lab environment and walk it yourself.

This article is part of the Complete Guide to DNS Attacks and DNS Security. See also: DNS Zone Walking at the TLD Level, DNS Zone Transfer Attack.

Frequently Asked Questions

This article was researched and structured by the author with AI assistance for drafting and technical verification.

How NSEC Records Work

The solution was NSEC records. An NSEC record for a name points to the next existing name in the zone, sorted alphabetically. This creates a chain:

alpha.example.com → NSEC → beta.example.com
beta.example.com  → NSEC → gamma.example.com
gamma.example.com → NSEC → alpha.example.com (wraps around)

The problem is obvious: each NSEC record reveals the next name in the zone. Follow the chain from the beginning, and you discover every name.

How Zone Walking Works

The attack is straightforward:

Query for the zone apex: dig example.com NSEC
The response includes the next name in the zone, say admin.example.com
Query for admin.example.com NSEC
The response includes the next name: api.example.com
Continue until the chain wraps back to the beginning

# Start the walk
dig example.com NSEC +short
# Returns: admin.example.com A AAAA RRSIG NSEC

dig admin.example.com NSEC +short
# Returns: api.example.com A RRSIG NSEC

dig api.example.com NSEC +short
# Returns: blog.example.com CNAME RRSIG NSEC

Tools like ldns-walk and nsec3walker automate this process and can enumerate an entire zone in seconds.

Why You Cannot Speed This Up With Parallel Queries

Real-World Impact

Zone walking has been used to:

Map corporate infrastructure by discovering internal-sounding subdomains like vpn, staging, jenkins, gitlab, and internal
Identify attack targets — subdomains running specific services are often more vulnerable than the main domain
Prepare for subdomain takeover by identifying CNAMEs to third-party services
Competitive intelligence — discovering product names, internal projects, and infrastructure details from subdomain names

Several large organizations discovered this the hard way after enabling DNSSEC with NSEC and finding their complete subdomain inventory indexed by security researchers and attackers alike.

How Attackers Discover This Weakness

An attacker simply needs to check whether a domain uses NSEC or NSEC3:

dig example.com NSEC +dnssec

If the response includes NSEC records (rather than NSEC3), the zone is walkable. This is a five-second check that reveals a significant information exposure.

NSEC3: A Deterrent, Not a Complete Fix

NSEC3 (defined in RFC 5155) was created to make zone walking harder. Instead of chaining cleartext domain names, NSEC3 chains hashed versions of the names.

# Instead of:  alpha → beta → gamma
# NSEC3 shows: 1abc3f → 4de7a2 → 9bc1d5

The hashes are computed using a salt and multiple iterations, making it computationally expensive to reverse them back to the original names.

Offline dictionary attacks work because the NSEC3 hash algorithm, salt, and iteration count are all public (they are in the NSEC3PARAM record). An attacker downloads the hashed chain, then hashes a dictionary of common names (www, mail, api, staging, vpn, admin) against the known parameters. Any match reveals a real subdomain.
GPU-accelerated cracking has made this even more practical. Tools like nsec3map and hashcat can test millions of candidate names per second against NSEC3 hashes.
Rainbow table attacks are possible if the salt is short or the iteration count is low.
The opt-out flag in NSEC3 means unsigned delegations may not have corresponding NSEC3 records, potentially leaking information about the zone structure.

The bottom line: if your subdomains use predictable names, NSEC3 will not protect them from a motivated attacker. It stops casual automated walking, but it does not stop targeted enumeration.

How to Test Your Own Domain

Check whether your domain uses NSEC or NSEC3:

# Query for a name that does not exist
dig nonexistent.example.com A +dnssec

# Look for NSEC or NSEC3 records in the authority section

If you see NSEC records with cleartext names, your zone is walkable. If you see NSEC3 records with hashed values, you are using the safer variant.

Attempt a zone walk on your own domain:

# If you have ldns-utils installed
ldns-walk example.com

If this returns a list of your subdomains, you need to switch to NSEC3.

You can also use the DNS Inspector to examine your domain's DNSSEC configuration and record types.

How to Defend Against It

Switch from NSEC to NSEC3

This is the primary mitigation. Most DNSSEC-capable DNS software supports NSEC3:

# BIND example: generate NSEC3 parameters
rndc signing -nsec3param 1 0 10 auto example.com

Use Strong NSEC3 Parameters

Use a random salt (at least 8 characters)
Use a sufficient iteration count (the balance is between security and performance; 10-20 iterations is common)
Rotate the salt periodically

Consider Whether You Need DNSSEC

Mitigation Checklist

Zones use NSEC3 instead of NSEC
NSEC3 salt is random and sufficiently long
NSEC3 iteration count is appropriate for your zone size
NSEC3 salt is rotated periodically
Subdomain naming conventions avoid revealing sensitive information
Zone walking tests are included in security audits

Common Misconfigurations

Enabling DNSSEC with default NSEC without switching to NSEC3
Using an empty or trivially short NSEC3 salt, making dictionary attacks easier
Setting iteration count to zero, removing the computational cost of cracking hashes
Never testing your own zone for walkability after enabling DNSSEC

Ethical Note

This article is part of the Complete Guide to DNS Attacks and DNS Security. See also: DNS Zone Walking at the TLD Level, DNS Zone Transfer Attack.

DNS Zone Walking for Subdomain Enumeration: How NSEC Exposes Your Subdomains

How NSEC Records Work

How Zone Walking Works

Why You Cannot Speed This Up With Parallel Queries

Real-World Impact

How Attackers Discover This Weakness

NSEC3: A Deterrent, Not a Complete Fix

How to Test Your Own Domain

How to Defend Against It

Switch from NSEC to NSEC3

Use Strong NSEC3 Parameters

Consider Whether You Need DNSSEC

Mitigation Checklist

Common Misconfigurations

Ethical Note

Frequently Asked Questions

What is the difference between zone walking and zone transfer?

Does NSEC3 completely prevent zone enumeration?

Should I disable DNSSEC to prevent zone walking?

How can I tell if my zone uses NSEC or NSEC3?

What is the difference between zone walking subdomains and zone walking a TLD?

Categories:

About the Author

Share this article

Related Articles

DNS Zone Walking for Subdomain Enumeration: How NSEC Exposes Your Subdomains

How NSEC Records Work

How Zone Walking Works

Why You Cannot Speed This Up With Parallel Queries

Real-World Impact

How Attackers Discover This Weakness

NSEC3: A Deterrent, Not a Complete Fix

How to Test Your Own Domain

How to Defend Against It

Switch from NSEC to NSEC3

Use Strong NSEC3 Parameters

Consider Whether You Need DNSSEC

Mitigation Checklist

Common Misconfigurations

Ethical Note

Frequently Asked Questions

What is the difference between zone walking and zone transfer?

Does NSEC3 completely prevent zone enumeration?

Should I disable DNSSEC to prevent zone walking?

How can I tell if my zone uses NSEC or NSEC3?

What is the difference between zone walking subdomains and zone walking a TLD?

Categories:

About the Author

Share this article

Related Articles