DNS

About

Domain Name System (DNS) is an integral part of the Internet. For example, through domain names, such as venator17.gitbook.io or www.google.com, we can reach the web servers that the hosting provider has assigned one or more specific IP addresses. DNS is a system for resolving computer names into IP addresses, and it does not have a central database. The configuration files are usually : named.conf.local, named.conf.options, named.conf.log. DNS commonly is used by UDP port 53, or TCP if UDP isn't accessible.

Server Types

DNS Root Server

Root servers of the DNS are responsible for the top-level domains (TLD). As the last instance, they are only requested if the name server does not respond. Thus, a root server is a central interface between users and content on the Internet, as it links domain and IP address. The Internet Corporation for Assigned Names and Numbers (ICANN) coordinates the work of the root name servers. There are 13 such root servers around the globe.

Authoritative Nameserver

Authoritative nameservers hold authority for a particular zone. They only answer queries from their area of responsibility, and their information is binding. If an authoritative name server cannot answer a client's query, the root name server takes over at that point.

Non-Authoritative Nameserver

Non-authoritative nameservers are not responsible for a particular DNS zone. Instead, they collect information on specific DNS zones themselves, which is done using recursive or iterative DNS querying.

Caching DNS Server

Caching DNS servers cache information from other name servers for a specified period. The authoritative name server determines the duration of this storage.

Forwarding Server

Forwarding servers perform only one function: they forward DNS queries to another DNS server.

Resolver

Resolvers are not authoritative DNS servers but perform name resolution locally in the computer or router.

DNS Records Types

There are many useful and not DNS records:

A: Returns an IPv4 address of the requested domain as a result.
AAAA: Returns an IPv6 address of the requested domain.
MX: Returns the responsible mail servers as a result.
NS: Returns the DNS servers (nameservers) of the domain.
TXT: this type of record often contains verification keys for different third-party providers and other security aspects of DNS
CNAME: This record serves as an alias.
PTR: The PTR record works the other way around (reverse lookup). It converts IP addresses into valid domain names.
SOA: Provides information about the corresponding DNS zone and email address of the administrative contact.

Zone Files

DNS zone is a section of the DNS namespace managed by an organization or administrator. DNS servers use zone transfers to share parts of their database with other servers. If not properly configured to limit which IPs can perform transfers, anyone can request zone data, as zone transfers usually lack authentication. To resolve an IP address from an Fully Qualified Domain Name (FQDN), the DNS server relies on a reverse lookup file, which uses PTR records to link the hostname of computer (FQDN) to the last octet of the corresponding IP address.

Zone Transfer

Zone transfer refers to the transfer of zones to another server in DNS, which generally happens over TCP port 53. This procedure is abbreviated Asynchronous Full Transfer Zone (AXFR). Since a DNS failure usually has severe consequences for a company, the zone file is almost invariably kept identical on several name servers. When changes are made, it must be ensured that all servers have the same data. Synchronization between the servers involved is realized by zone transfer. Direct source for synchronizing a zone file is called a master. A DNS server that obtains zone data from a master is called a slave.

DNS Spoofing

DNS Spoofing or also DNS Cache Poisoning is attack, which involves poisoning target's DNS Records and using it for our purpose like MiTM, Overtaking control of the server, redirecting to false website for phishing.

Ettercap

We could use Ettercap [LINK] tool for DNS Spoofing.

First we need to edit /etc/ettercap/etter.dns and add there are target domain name and our (attacker) IP address to which we want our prey be redirected to:

amogus.com      A   13.13.13.13
*.amogus.com    A   13.13.13.13

Then we are turning on Ettercap and scanning for hosts by Hosts > Scan for Hosts. Then adding target IP to Target1 and default getaway to Target2. Then we should activate dns_spoof module in Plugins > Manage Plugins. If everything done right, target from Target1 machine should be redirected to 13.13.13.13 host.

Bettercap

We could use Bettercap [LINK] for same purpose.

set dns.spoof.domains website.com; set dns.spoof.address 13.13.13.13; dns.spoof on

This command is three commands in one with semicolon as delimiter:

Setting up target domain:
Setting up attacker IP address
Turning on spoofing

For multiple mappings you could make a file:

13.13.13.4 youtube.com
13.13.13.5 synacktiv.com
13.13.13.6 google.com

DIG

DIG (Domain Information Groper) command is a powerful and flexible DNS lookup tool used for querying DNS servers.

NS Query

dig ns website.com @13.13.13.13

Version Query

dig CH TXT version.bind 13.13.13.13

ANY Query

dig any website.com @13.13.13.13

AXFR Zone Transfer.

"@" symbol means domain TO which we are sending request. IP Without "@" means that's the domain we're asking ABOUT.

dig axfr website.com @13.13.13.13

AXFR Zone Transfer - Internal

dig axfr internal.website.com @13.13.13.13

Tips2Hack

Local CNAME Enum

host subdomain.amogus.com

DNSEnum

dnsenum --dnsserver 13.13.13.13 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.kek

Fierce [LINK]

fierce --domain zonetransfer.me

Subfinder [LINK]

./subfinder -d amogus.com -v

Subbrute [LINK]

./subbrute amogus.com -s ./names.txt -r ./resolvers.txt

PreviousFuzzing NextTheory

Last updated 3 months ago