DNSDumpster

DNSDumpster.com is a free domain research tool that can discover hosts related to a domain. Finding the hosts that are visible from an attacker's perspective is an important part of the security assessment process.

53-DNS

The Domain Name System (DNS) is essential for the Internet. It translates domain names, like example.com, into the IP addresses used by web servers. DNS resolves computer names to IP addresses and is a distributed system: there is no single central database.

Default Port: 53

Different DNS servers

Server Type                  | Description
DNS Root Server              | Handles top-level domains (TLDs) and links domain names to IP addresses. There are 13 root servers worldwide, managed by ICANN.
Authoritative Nameserver     | Manages a specific zone and provides definitive answers for its area. If it can't answer, the root server steps in.
Non-authoritative Nameserver | Gathers DNS information from other servers but isn't responsible for a specific zone.
Caching DNS Server           | Stores information from other servers temporarily, based on the authoritative server's settings.
Forwarding Server            | Forwards DNS queries to another server.
Resolver                     | Resolves domain names locally on a computer or router; it is not an authoritative server.

DNS records

DNS Record | Description
A          | Provides the IPv4 address for the domain.
AAAA       | Provides the IPv6 address for the domain.
MX         | Lists the mail servers for the domain.
NS         | Lists the DNS servers (nameservers) for the domain.
TXT        | Contains various information, such as validation for Google Search Console, SSL certificates, and SPF/DMARC records for email security.
CNAME      | Acts as an alias for another domain. For example, www.example.com can point to the same IP as example.com.
PTR        | Performs reverse lookups by converting IP addresses to domain names.
SOA        | Provides details about the DNS zone and the administrative contact's email address.

WHOIS

WHOIS is a client for the whois directory service.

whois example.com

Each WHOIS record typically contains the following information:

Field                  | Description
Domain Name            | The registered domain (e.g., example.com).
Registrar              | The company where the domain was registered (e.g., GoDaddy, Namecheap).
Registrant Contact     | The person or organization that owns the domain.
Administrative Contact | The person responsible for managing the domain.
Technical Contact      | The person handling technical issues for the domain.
Creation Date          | When the domain was registered.
Expiration Date        | When the domain is set to expire.
Name Servers           | Servers that translate the domain name into an IP address.
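The fields in the table above are what a WHOIS client prints as "Key: Value" lines. As an added example (my code, not part of the original notes or of any WHOIS client), the script below parses such output into a field map and runs the two checks a domain owner cares about most: how long until the registration expires, and whether the registrar transfer lock is set. The WHOIS text is constructed for the example; the field names it recognises for the expiry date are assumptions covering the common registry and registrar spellings.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed WHOIS output in the usual "Key: Value" registry style (not a real record).
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, Inc.
   Registrant Organization: Example Org
   Creation Date: 1995-08-14T04:00:00Z
   Registry Expiry Date: 2025-08-13T04:00:00Z
   Updated Date: 2024-08-14T07:01:31Z
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Name Server: NS1.EXAMPLE.COM
   Name Server: NS2.EXAMPLE.COM
   DNSSEC: signedDelegation
>>> Last update of whois database: 2024-09-01T10:00:00Z <<<
"""

# Assumed spellings of the expiry field across registries/registrars.
EXPIRY_KEYS = (
    'registry expiry date',
    'registrar registration expiration date',
    'expiration date',
    'expiry date',
)


def parse_whois(text):
    """Map lower-cased field names to the list of values seen.
    Fields such as 'Name Server' and 'Domain Status' legitimately repeat."""
    fields = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, the trailing ">>> Last update" banner and comment lines.
        if not line or line.startswith(('>>>', '%', '#')):
            continue
        key, sep, value = line.partition(':')  # first ':' only; values may hold URLs
        if sep and value.strip():
            fields[key.strip().lower()].append(value.strip())
    return dict(fields)


def expiry_date(fields):
    """Expiry as a date, or None when no known expiry field is present."""
    for key in EXPIRY_KEYS:
        if key in fields:
            value = fields[key][0].replace('Z', '+00:00')  # ISO 8601 with UTC suffix
            return datetime.fromisoformat(value).date()
    return None


def days_until_expiry(fields, today_iso):
    """Days from today_iso (YYYY-MM-DD) until the domain expires; None if unknown."""
    exp = expiry_date(fields)
    if exp is None:
        return None
    return (exp - date.fromisoformat(today_iso)).days


def transfer_locked(fields):
    """True when the registrar lock against unauthorised transfers is set."""
    statuses = fields.get('domain status', [])
    return any(s.split()[0] == 'clientTransferProhibited' for s in statuses)


def review(fields, today_iso, warn_days=60):
    """Findings a defender would act on: imminent expiry (lapse = takeover risk)
    and a missing transfer lock (hijack risk)."""
    findings = []
    days = days_until_expiry(fields, today_iso)
    if days is not None and days < warn_days:
        findings.append(f'expires in {days} days')
    if not transfer_locked(fields):
        findings.append('no clientTransferProhibited lock')
    return findings


if __name__ == '__main__':
    record = parse_whois(SAMPLE_WHOIS)
    print('registrar:', record['registrar'][0])
    print('name servers:', record['name server'])
    print('findings:', review(record, '2025-07-01'))
```

Feed it `whois example.com` output piped into the script (replace `SAMPLE_WHOIS` with `sys.stdin.read()`) and run it on a schedule against the domains you own; an expiry warning or a missing lock is worth a ticket long before the date in the record.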

Dig

Dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried.

# DNS zone / email
dig soa example.com

# Nameserver
dig ns example.com

# DNS server version (Chaos-class TXT query sent to the server itself)
dig CH TXT version.bind @$IP

# All the records
dig any example.com @$IP

# Zone transfer
dig axfr example.com @$IP

# Bash oneliner subdomain bruteforce (reads the wordlist line by line)
while read -r sub; do dig "$sub.example.com" @$IP | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep "$sub" | tee -a subdomains.txt; done < /wordlists/subdomains.txt

DNSrecon

Dnsrecon is a Python script for DNS enumeration.

# Enumerate general DNS records for a given domain such as MX,SOA,NS,A, etc
dnsrecon -d example.com

DNSenum

Dnsenum is a Perl script that enumerates DNS information.

# Subdomain bruteforce
dnsenum --dnsserver $IP --enum -p 0 -s 0 -o subdomains.txt -f /wordlists/subdomains.txt example.com

Zone Transfer

Description

A zone transfer is how a secondary DNS server receives the zone data from the primary DNS server and keeps it up to date. Web-based tools can perform the zone transfer automatically, or it can be done manually with nslookup.

# Identifying nameservers
nslookup -type=NS example.com
 
# Performing the zone transfer
nslookup -query=AXFR example.com ns.example.com

Config files

named.conf.local     # contains local DNS zone config and custom settings
named.conf.options   # includes global options and server-wide settings
named.conf.log       # logging options for BIND to manage and record DNS activity

Dangerous settings

DNS servers can be attacked in various ways. For example, a list of vulnerabilities targeting the BIND9 server can be found at CVEdetails, and SecurityTrails highlights common DNS server attacks.

Certain settings mentioned below can contribute to these vulnerabilities.

Option          | Description
allow-query     | Specifies which hosts can send requests to the DNS server.
allow-recursion | Specifies which hosts can make recursive requests to the DNS server.
allow-transfer  | Specifies which hosts can receive zone transfers from the DNS server.
zone-statistics | Collects statistics about DNS zones.
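The options above are address lists, and the dangerous value is `{ any; }`. As an added example (my code, not part of the original notes or of BIND), the script below holds a weak `named.conf` next to a hardened one and audits both: it walks the top-level `options` and `zone` blocks, matching braces so nested address lists stay inside their block, and reports every `allow-*` option whose only entry is `any`. Both configuration fragments are constructed for the example, the ACL names and addresses in the hardened version are placeholders, and the severity assigned to each option is my own assumption.

```python
import re

# Constructed BIND 9 named.conf fragments (not a real server's configuration).
# WEAK_CONF lets any host recurse through the server and pull the zone;
# HARDENED_CONF limits recursion to a trusted ACL and transfers to the secondary.
WEAK_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };
    allow-transfer { any; };
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { any; };
};
"""

HARDENED_CONF = """
acl trusted { 192.0.2.0/24; localhost; };
acl secondaries { 192.0.2.53; };

options {
    directory "/var/cache/bind";
    recursion no;
    allow-query { any; };
    allow-recursion { trusted; };
    allow-transfer { secondaries; };
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { secondaries; };
    zone-statistics yes;
};
"""

BLOCK_HEADER = re.compile(r'\b(options|zone\s+"[^"]+"|acl\s+\S+)\s*\{')
ACL_OPTION = re.compile(r'\b(allow-(?:query|recursion|transfer))\s*\{([^}]*)\}\s*;')

# Assumed severity when the option's address list is just "any".
SEVERITY = {
    'allow-transfer': 'high',   # anyone can pull the whole zone (AXFR)
    'allow-recursion': 'high',  # open resolver: cache poisoning and amplification abuse
    'allow-query': 'info',      # normal for a public authoritative server
}


def parse_blocks(conf):
    """Return (header, body) for each top-level block. Braces are counted so
    that nested address lists such as `allow-query { any; };` stay in the body."""
    blocks, pos = [], 0
    while True:
        m = BLOCK_HEADER.search(conf, pos)
        if not m:
            return blocks
        start = m.end()
        depth, j = 1, start
        while depth and j < len(conf):
            if conf[j] == '{':
                depth += 1
            elif conf[j] == '}':
                depth -= 1
            j += 1
        header = re.sub(r'\s+', ' ', m.group(1))
        blocks.append((header, conf[start:j - 1]))
        pos = j


def audit_named_conf(conf):
    """(block, option, severity) for every allow-* option set to exactly { any; }."""
    findings = []
    for header, body in parse_blocks(conf):
        if header.startswith('acl '):
            continue  # ACL definitions are not settings themselves
        for option, members in ACL_OPTION.findall(body):
            entries = [e.strip() for e in members.split(';') if e.strip()]
            if entries == ['any']:
                findings.append((header, option, SEVERITY[option]))
    return findings


if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(label)
        for block, option, severity in audit_named_conf(conf):
            print(f'  [{severity}] {block}: {option} {{ any; }}')
```

Note that the zone-level `allow-transfer` overrides the one in `options`, so both have to be checked; a zone that sets `{ any; }` is transferable even when the global option is locked down. Running the script over `named.conf.options` and `named.conf.local` together gives the complete picture.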