DNS - 53
The Domain Name System (DNS) is a hierarchical and decentralized naming system used to resolve human-readable domain names (like example.com) into IP addresses that computers use to identify each other on the network. It functions similarly to a phonebook for the internet, allowing users to access websites using domain names instead of numeric IP addresses.
- Default port: 53
Enumeration
Whois Command
The whois command is a tool used to query databases that store registered users or assignees of domain names, IP addresses, and other internet resources. By using the whois command, you can retrieve important information about a domain or IP address, such as:
- Registrant Information: Details about the organization or individual who owns the domain, including their name, address, and contact information.
- Domain Registrar: The company through which the domain is registered.
- Domain Registration Dates: The creation date, expiration date, and last updated date of the domain.
- Name Servers: The servers responsible for handling the domain’s DNS requests.
- IP Address: The network address associated with the domain or IP range.
- Technical and Administrative Contacts: Contact information for those managing the technical aspects and administrative tasks related to the domain.
Example Command:
whois example.com
Example Output:
Domain Name: EXAMPLE.COM
Registry Domain ID: 2336799_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.iana.org
Registrar URL: http://res-dom.iana.org
Updated Date: 2024-08-14T07:01:34Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2025-08-13T04:00:00Z
Registrar: RESERVED-Internet Assigned Numbers Authority
Registrar IANA ID: 376
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
DNSSEC: signedDelegation
DNSSEC DS Data: 370 13 2 BE74359954660069D5C63D200C39F5603827D7DD02B56F120EE9F3A86764247C
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
[..SNIP..]
The dig Command
The dig (Domain Information Groper) command is a powerful tool for querying DNS (Domain Name System) records, which can help in mapping out domains, subdomains, and their associated records. It’s commonly used by bug hunters and penetration testers to gather valuable information about a target.
dig example.com # Basic lookup for A (IPv4) record of domain
dig example.com MX # Retrieve mail server (MX) records
dig example.com TXT # Get TXT records (SPF, DKIM, etc.)
dig -x 192.168.1.1 # Reverse DNS lookup (PTR record)
dig example.com ANY # Query all available DNS records (many servers now answer ANY minimally per RFC 8482; query record types individually if so)
dig example.com NS # Get authoritative name servers
dig @8.8.8.8 example.com # Query a specific DNS server (Google DNS here)
Subdomain Bruteforce
# ---------- FFUF ----------
ffuf -u http://example.com -w subdomains.txt -H "Host: FUZZ.example.com" -fs <size>
# Virtual host discovery with ffuf: the URL stays fixed and only the Host header is fuzzed
# -fs filters out responses of the default (catch-all) size; set it after a first run
# ---------- DNSEnum ----------
dnsenum --dnsserver <IP> --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/wordlist/SecLists/Discovery/DNS/fierce-hostlist.txt example.com
# Bruteforce subdomains using a specified wordlist (-f) and DNS server (--dnsserver)
# -p 0 and -s 0 disable the Google scraping step (search pages / scraped names), -o writes results to a file
# ---------- AMASS ----------
amass enum -d example.com
# Passive + active subdomain enumeration
amass enum -brute -w subdomains.txt -d example.com
# Brute-force mode with wordlist
# ---------- SHUFFLEDNS ----------
shuffledns -d example.com -w subdomains.txt -r resolvers.txt
# Fast bruteforce using massdns-style resolution
# ---------- DNSCAN ----------
dnscan -d example.com -w subdomains.txt
# Multithreaded subdomain bruteforcer
# ---------- MASSDNS ----------
massdns -r resolvers.txt -t A -o S -w results.txt subdomains.txt
# Very fast DNS resolver for bruteforce-style attacks
Exploitation
Zone Transfers
A DNS Zone Transfer is a mechanism used to replicate DNS data between DNS servers. It allows one DNS server to copy the records from another, which can be useful for DNS management and backup purposes. However, zone transfers can sometimes be misconfigured or exposed, making them a potential target for attackers looking for information about a domain's internal network or structure.
What is a Zone Transfer?
- A zone transfer (often referred to as AXFR or IXFR) allows a DNS server to send a complete (AXFR) or incremental (IXFR) copy of its DNS records to another DNS server.
- Zone transfers are typically performed between authoritative DNS servers, but if misconfigured, they can expose sensitive information like:
  - Subdomains
  - Mail servers
  - Name servers
  - IP addresses of internal systems
- A properly configured DNS server should only allow zone transfers from trusted sources.
Perform a Zone Transfer
# ---------- DIG ----------
dig @ns1.example.com example.com AXFR # Attempt zone transfer using dig
# ---------- HOST ----------
host -l example.com ns1.example.com # Attempt zone transfer using host
# ---------- NSLOOKUP ----------
nslookup # Enter interactive mode
> server ns1.example.com # Set name server
> set type=any # Set query type
> ls -d example.com # Attempt zone transfer (may be blocked)
# ---------- FIERCE ----------
fierce --dns example.com # Perform DNS enumeration using Fierce
# Link: https://github.com/mschwager/fierce
# ---------- DNSRECON ----------
dnsrecon -d example.com -t axfr # Attempt AXFR zone transfer with dnsrecon
# Link: https://salsa.debian.org/pkg-security-team/dnsrecon
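The transfer commands above print the zone in dig's presentation format. This added Python script (not part of the original page) parses such output, using a constructed sample zone rather than real data, and reports the exposure the section warns about: every hostname, the name and mail servers, and A records that point into RFC 1918 space.

```python
import ipaddress

# RFC 1918 space: an A record here in a public zone names an internal system.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of what `dig @ns1.example.com example.com AXFR` prints; not a real zone.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.24 <<>> @ns1.example.com example.com AXFR
example.com.            3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.            3600    IN      NS      ns1.example.com.
example.com.            3600    IN      NS      ns2.example.com.
example.com.            3600    IN      MX      10 mail.example.com.
www.example.com.        3600    IN      A       203.0.113.10
mail.example.com.       3600    IN      A       203.0.113.25
intranet.example.com.   3600    IN      A       10.0.0.15
vpn.example.com.        300     IN      A       192.168.1.10
dev.example.com.        300     IN      CNAME   intranet.example.com.
example.com.            3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
"""


def parse_axfr(text):
    """Turn dig AXFR output into (owner, type, rdata) tuples, skipping dig's ';' chatter."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        # Presentation format is: owner TTL class type rdata...
        if not fields or fields[0].startswith(";") or len(fields) < 5 or fields[2] != "IN":
            continue
        records.append((fields[0].rstrip("."), fields[3], " ".join(fields[4:])))
    return records


def audit_zone(records):
    """Summarise what a transfer reveals: every hostname, infra roles, and internal IPs."""
    internal = {}
    for owner, rtype, rdata in records:
        if rtype == "A" and any(ipaddress.ip_address(rdata) in net for net in RFC1918):
            internal[owner] = rdata
    return {
        "hostnames": sorted({o for o, _, _ in records}),
        "name_servers": sorted(r.rstrip(".") for _, t, r in records if t == "NS"),
        "mail_servers": sorted(r.split()[1].rstrip(".") for _, t, r in records if t == "MX"),
        "internal_hosts": internal,
    }


if __name__ == "__main__":
    for key, value in audit_zone(parse_axfr(SAMPLE_AXFR)).items():
        print(f"{key}: {value}")
```

Run it against the saved output of a transfer from your own authoritative servers; any entry under internal_hosts is a record that should not be in a zone that answers AXFR to arbitrary clients.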