53 - Pentesting DNS
Instantly available setup for vulnerability assessment & penetration testing. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
Basic Information
The Domain Name System (DNS) serves as the internet's directory, allowing users to access websites through easy-to-remember domain names like google.com or facebook.com, instead of the numeric Internet Protocol (IP) addresses. By translating domain names into IP addresses, the DNS ensures web browsers can quickly load internet resources, simplifying how we navigate the online world.
Default port: 53
Different DNS Servers
DNS Root Servers: These are at the top of the DNS hierarchy, managing the top-level domains and stepping in only if lower-level servers do not respond. The Internet Corporation for Assigned Names and Numbers (ICANN) oversees their operation, with a global count of 13.
Authoritative Nameservers: These servers have the final say for queries in their designated zones, offering definitive answers. If they can't provide a response, the query is escalated to the root servers.
Non-authoritative Nameservers: Lacking ownership over DNS zones, these servers gather domain information through queries to other servers.
Caching DNS Server: This type of server memorizes previous query answers for a set time to speed up response times for future requests, with the cache duration dictated by the authoritative server.
Forwarding Server: Serving a straightforward role, forwarding servers simply relay queries to another server.
Resolver: Integrated within computers or routers, resolvers execute name resolution locally and are not considered authoritative.
Enumeration
Banner Grabbing
There aren't banners in DNS but you can gran the macgic query for version.bind. CHAOS TXT
which will work on most BIND nameservers.
You can perform this query using dig
:
Moreover, the tool fpdns
can also fingerprint the server.
It's also possible to grab the banner also with a nmap script:
Any record
The record ANY will ask the DNS server to return all the available entries that it is willing to disclose.
Zone Transfer
This procedure is abbreviated Asynchronous Full Transfer Zone
(AXFR
).
More info
Automation
Using nslookup
Useful metasploit modules
Useful nmap scripts
DNS - Reverse BF
If you are able to find subdomains resolving to internal IP-addresses, you should try to perform a reverse dns BF to the NSs of the domain asking for that IP range.
Another tool to do so: https://github.com/amine7536/reverse-scan
You can query reverse IP ranges to https://bgp.he.net/net/205.166.76.0/24#_dns (this tool is also helpful with BGP).
DNS - Subdomains BF
Active Directory servers
DNSSec
IPv6
Brute force using "AAAA" requests to gather IPv6 of the subdomains.
Bruteforce reverse DNS in using IPv6 addresses
DNS Recursion DDoS
If DNS recursion is enabled, an attacker could spoof the origin on the UDP packet in order to make the DNS send the response to the victim server. An attacker could abuse ANY or DNSSEC record types as they use to have the bigger responses. The way to check if a DNS supports recursion is to query a domain name and check if the flag "ra" (recursion available) is in the response:
Non available:
Available:
Instantly available setup for vulnerability assessment & penetration testing. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
Mail to nonexistent account
Through the examination of a nondelivery notification (NDN) triggered by an email sent to an invalid address within a target domain, valuable internal network details are often disclosed.
The provided nondelivery report includes information such as:
The generating server was identified as
server.example.com
.A failure notice for
user@example.com
with the error code#550 5.1.1 RESOLVER.ADR.RecipNotFound; not found
was returned.Internal IP addresses and hostnames were disclosed in the original message headers.
Config files
Dangerous settings when configuring a Bind server:
Option | Description |
| Defines which hosts are allowed to send requests to the DNS server. |
| Defines which hosts are allowed to send recursive requests to the DNS server. |
| Defines which hosts are allowed to receive zone transfers from the DNS server. |
| Collects statistical data of zones. |
References
Book: Network Security Assessment 3rd edition
HackTricks Automatic Commands
Instantly available setup for vulnerability assessment & penetration testing. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
Last updated