# DNS ## ABOUT **Domain Name System (DNS)** is an integral **part of the Internet****.** For example, through domain names, such as **venator17.gitbook.io** or **[www.google.com](http://www.google.com)**, we can reach the web servers that the hosting provider has assigned one or more specific IP addresses. **DNS** is a system for resolving computer names into IP addresses, and it does not have a central database. The configuration files are usually : `named.conf.local`, `named.conf.options`, `named.conf.log`. DNS commonly is used by **UDP port 53**, or TCP if UDP isn't accessible. ## Server Types

Image from here [LINK]

#### DNS Root Server **Root servers** of the DNS are responsible for the **top-level domains (TLD)**. As the last instance, they are only requested if the name server does not respond. Thus, a root server is a central interface between users and content on the Internet, as it links domain and IP address. **The Internet Corporation for Assigned Names and Numbers (ICANN)** coordinates the work of the root name servers. There are **13** such root servers around the globe. #### Authoritative Nameserver **Authoritative nameservers** hold authority for a particular zone. They only answer queries from their area of responsibility, and their information is binding. If an authoritative name server cannot answer a client's query, the root name server takes over at that point. #### Non-Authoritative Nameserver **Non-authoritative nameservers** are not responsible for a particular **DNS** zone. Instead, they collect information on specific **DNS** zones themselves, which is done using recursive or iterative **DNS** querying. #### Caching DNS Server **Caching DNS servers** cache information from other name servers for a specified period. The authoritative name server determines the duration of this storage. #### Forwarding Server **Forwarding servers** perform only one function: they forward DNS queries to another DNS server. #### Resolver **Resolvers** are not authoritative **DNS** servers but perform name resolution locally in the computer or router. *** ## DNS Records Types #### There are many useful and not DNS records: * **`A`**: Returns an **IPv4** address of the requested domain as a result. * **`AAAA`**: Returns an **IPv6** address of the requested domain. * **`MX`**: Returns the responsible mail servers as a result. * **`NS`**: Returns the **DNS** servers (nameservers) of the domain. * **`TXT`**: this type of record often contains verification keys for different third-party providers and other security aspects of **DNS** * **`CNAME`**: This record serves as an alias. * **`PTR`**: The **PTR** record works the other way around (reverse lookup). It converts IP addresses into valid domain names. * **`SOA`**: Provides information about the corresponding **DNS** zone and email address of the administrative contact. ## Zone Files **DNS zone** is a **section** of the **DNS** namespace managed by an **organization** or **administrator**. **DNS** servers use zone transfers to share parts of their database with other servers. If not properly configured to limit which IPs can perform transfers, anyone can request zone data, as zone transfers usually lack authentication. To resolve an IP address from an **Fully Qualified Domain Name (FQDN)**, the **DNS** server relies on a reverse lookup file, which uses **PTR records** to link the hostname of computer **(FQDN)** to the last octet of the corresponding IP address. ## Zone Transfer **Zone transfer** refers to the transfer of zones to another server in DNS, which generally happens over TCP port **53**. This procedure is abbreviated **Asynchronous Full Transfer Zone (AXFR).** Since a **DNS** failure usually has severe consequences for a company, the zone file is almost invariably kept identical on several name servers. When changes are made, it must be ensured that **all servers have the same data**. Synchronization between the servers involved is realized by **zone transfer**. Direct source for synchronizing a zone file is called a **master**. A **DNS** server that obtains zone data from a master is called a **slave**. ## DNS Spoofing **DNS Spoofing** or also **DNS Cache Poisoning** is attack, which involves poisoning target's DNS Records and using it for our purpose like MiTM, Overtaking control of the server, redirecting to false website for phishing. ### Ettercap We could use **Ettercap** [**\[LINK\]**](https://www.ettercap-project.org/) tool for DNS Spoofing. First we need to edit `/etc/ettercap/etter.dns` and add there are target domain name and our **(attacker)** IP address to which we want our **prey** be redirected to: ``` amogus.com A 13.13.13.13 *.amogus.com A 13.13.13.13 ``` Then we are turning on **Ettercap** and scanning for hosts by **`Hosts > Scan for Hosts`**. Then adding target IP to **Target1** and **default getaway** to **Target2**. Then we should activate **dns\_spoof** module in **`Plugins > Manage Plugins`**. If everything done right, target from **Target1** machine should be redirected to **13.13.13.13** host. ### Bettercap We could use **Bettercap** [**\[LINK\]**](https://www.bettercap.org/) **for same purpose.** ```bash set dns.spoof.domains website.com; set dns.spoof.address 13.13.13.13; dns.spoof on ``` This command is three commands in one with **semicolon** as delimiter: 1. Setting up target domain: 2. Setting up attacker IP address 3. Turning on spoofing For multiple mappings you could make a **file**: ```bash 13.13.13.4 youtube.com 13.13.13.5 synacktiv.com 13.13.13.6 google.com ``` ## DIG **DIG (Domain Information Groper)** command is a powerful and flexible **DNS** lookup tool used for querying **DNS** servers. #### **NS Query** ```bash dig ns website.com @13.13.13.13 ``` #### **Version Query** ```bash dig CH TXT version.bind 13.13.13.13 ``` #### **ANY Query** ```bash dig any website.com @13.13.13.13 ``` #### **AXFR Zone Transfer.** **"@"** symbol means domain **TO** which we are sending request. IP Without **"@"** means that's the domain we're asking **ABOUT**. ```bash dig axfr website.com @13.13.13.13 ``` #### **AXFR Zone Transfer - Internal** ```bash dig axfr internal.website.com @13.13.13.13 ``` ## Tips2Hack 1. **Local** **CNAME Enum** ``` host subdomain.amogus.com ``` 2. **DNSEnum** ```bash dnsenum --dnsserver 13.13.13.13 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.kek ``` 3. **Fierce** [**\[LINK\]**](https://github.com/mschwager/fierce) ```bash fierce --domain zonetransfer.me ``` 4. **Subfinder** [**\[LINK\]**](https://github.com/projectdiscovery/subfinder) ```bash ./subfinder -d amogus.com -v ``` 5. **Subbrute** [**\[LINK\]**](https://github.com/TheRook/subbrute) ```bash ./subbrute amogus.com -s ./names.txt -r ./resolvers.txt ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://venator17.gitbook.io/bibliotheque/web/dns.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.