UDP/TCP 53 - DNS

Domain Name System

Types of DNS Records:

  • NS: Nameserver records (the servers authoritative for the zone)

  • A: IPv4 address of a hostname

  • AAAA: IPv6 address of a hostname

  • MX: Mail Exchange records (the hosts that accept mail for the domain)

  • PTR: Pointer records, used in reverse lookup zones (IP to name)

  • CNAME: Canonical Name records, used to create aliases

  • TXT: Text records can contain arbitrary data (SPF, DKIM and DMARC policies, domain-verification tokens)

Dig

dig version.bind CHAOS TXT @<DNS_IP> #Banner grab: BIND (and some other servers) answer version.bind in the CHAOS class with their version string

dig any victim.com @<DNS_IP>

dig axfr @<DNS_IP> #Try zone transfer without specifying a domain (dig defaults to the root zone ".")
dig axfr @<DNS_IP> <DOMAIN> #Try zone transfer guessing the domain
fierce --domain <DOMAIN> --dns-servers <DNS_IP> #Will try to perform a zone transfer against every authoritative name server and, if this doesn't work, will launch a dictionary attack

dig ANY @<DNS_IP> <DOMAIN>     #Any information
dig A @<DNS_IP> <DOMAIN>       #Regular DNS request
dig AAAA @<DNS_IP> <DOMAIN>    #IPv6 DNS request
dig TXT @<DNS_IP> <DOMAIN>     #Information
dig MX @<DNS_IP> <DOMAIN>      #Emails related
dig NS @<DNS_IP> <DOMAIN>      #DNS that resolves that name
dig -x 192.168.0.2 @<DNS_IP>   #Reverse lookup
dig -x 2a00:1450:400c:c06::93 @<DNS_IP> #reverse IPv6 lookup

#Use [-p PORT] to query a non-standard port, or -6 to use the IPv6 address of the DNS server
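The dig one-liners above test a single server by hand. The following script, an added example that is not part of the original page, does what fierce automates: it asks a resolver for the domain's NS set, attempts AXFR against every authoritative server, and reduces any zone that is handed over to unique "hostname ip" pairs. It assumes dig (bind9-dnsutils) is installed; <DOMAIN> and <DNS_IP> are placeholders, and the embedded sample zone is constructed, not captured from a real server.

```shell
#!/usr/bin/env bash
# Added example: AXFR against every authoritative NS, then parse the result.
# Assumes dig is installed. The sample below is constructed, not a real zone.

# Constructed sample of what dig prints for a successful AXFR.
SAMPLE_AXFR=$(cat <<'EOF'
; <<>> DiG 9.18.24 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
example.com.        3600  IN  SOA    ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
example.com.        3600  IN  NS     ns1.example.com.
example.com.        3600  IN  MX     10 mail.example.com.
ns1.example.com.    3600  IN  A      10.10.10.1
mail.example.com.   3600  IN  A      10.10.10.2
dev.example.com.    3600  IN  A      10.10.10.3
www.example.com.    3600  IN  CNAME  example.com.
example.com.        3600  IN  SOA    ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
;; Query time: 1 msec
EOF
)

# Read dig AXFR output on stdin and print "name type rdata" for every record.
# Returns 1 when the server refused: dig then prints "; Transfer failed.".
parse_axfr() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        return 1
    fi
    # Skip comment lines; a record line is: name TTL IN TYPE rdata...
    printf '%s\n' "$out" | awk '
        /^;/ || NF < 5 || $3 != "IN" { next }
        { name = $1; type = $4; $1 = $2 = $3 = $4 = ""; sub(/^ +/, ""); print name, type, $0 }'
}

# Reduce a parsed zone to unique "hostname ip" pairs (A and AAAA records only).
zone_hosts() {
    parse_axfr | awk '$2 == "A" || $2 == "AAAA" { print $1, $3 }' | sort -u
}

# Ask the resolver for the domain's NS set and attempt AXFR against each one.
axfr_all_ns() {
    domain=$1; resolver=$2
    for ns in $(dig +short NS "$domain" "@$resolver"); do
        echo "[*] AXFR $domain @ $ns"
        if dig axfr "$domain" "@$ns" | parse_axfr; then
            echo "[+] $ns allowed the transfer"
        else
            echo "[-] $ns refused the transfer (or is unreachable)"
        fi
    done
}

# Usage: ./axfr_all.sh <DOMAIN> <DNS_IP>; with no arguments it parses the sample.
if [ $# -ge 2 ]; then
    axfr_all_ns "$1" "$2"
else
    printf '%s\n' "$SAMPLE_AXFR" | zone_hosts
fi
```

Run it with a domain and resolver to sweep every NS; run it with no arguments to see the parser work on the constructed sample. The parser only trusts lines with `IN` in the class column, so dig's comment and timing lines never leak into the host list.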

Host

host www.example.com

host -t mx www.example.com

host -t txt www.example.com


#Resolving host names from a subdomain wordlist, bash one-liner
for sub in $(cat list.txt); do host "$sub.example.com"; done


#Reverse-resolving a whole /24, bash one-liner (drops the NXDOMAIN answers)
for ip in $(seq 0 254); do host 192.168.10.$ip; done | grep -v "not found"

DNS Recon

dnsrecon -d example.com -t std      #Standard enumeration (SOA, NS, MX, A/AAAA, SRV records)
 
dnsrecon -d example.com -D ~/list.txt -t brt  #Brute force subdomains from a wordlist

dnsenum example.com                 #Host A record, nameservers and MX, then zone transfer attempts against each NS
 
dnsrecon -r 127.0.0.0/24 -n <IP_DNS>  #DNS reverse of all of the addresses
dnsrecon -r 127.0.1.0/24 -n <IP_DNS>  #DNS reverse of all of the addresses
dnsrecon -r <IP_DNS>/24 -n <IP_DNS>   #DNS reverse of all of the addresses
dnsrecon -d active.htb -a -n <IP_DNS> #Zone transfer

NsLookUp

nslookup mail.example.com

nslookup -type=TXT info.example.com 192.168.10.141

nslookup
> server <IP_DNS>  #Select the DNS server to query
> 127.0.0.1        #Reverse lookup of 127.0.0.1 (only answers if the server holds a PTR record for it)
> <IP_MACHINE>     #Reverse lookup of a machine; an internal DNS server may leak its hostname

DNS-Subdomain BruteForce

dnsenum --dnsserver <IP_DNS> --enum -p 0 -s 0 -o subdomains.txt -f subdomains-1000.txt <DOMAIN>
dnsrecon -D subdomains-1000.txt -d <DOMAIN> -n <IP_DNS>

#Bruteforce subdomains in recursive way, https://github.com/rbsec/dnscan
dnscan -d <domain> -r -w subdomains-1000.txt 
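A wordlist brute force is only as good as its false-positive handling: a zone with a wildcard record (`*.<DOMAIN>`) makes every guess resolve. The script below is an added example, not part of the original page or of dnsenum/dnsrecon/dnscan; it resolves a label that cannot exist to detect the wildcard answer, then drops every hit that returns that address. It assumes dig is installed; <DOMAIN>, <DNS_IP> and the wordlist path are placeholders, and the embedded sample hits are constructed.

```shell
#!/usr/bin/env bash
# Added example: wildcard-aware subdomain brute force with dig.
# Assumes dig is installed. SAMPLE_HITS below is constructed, not real data.

# Constructed "host ip" results as the brute force loop would print them,
# with 10.10.10.99 playing the role of the wildcard answer.
SAMPLE_HITS=$(cat <<'EOF'
www.example.com 10.10.10.2
dev.example.com 10.10.10.3
asdfqwer.example.com 10.10.10.99
mail.example.com 10.10.10.2
zzzz.example.com 10.10.10.99
EOF
)

# Resolve a label that cannot exist; any A answer means the zone has a wildcard.
wildcard_ip() {
    domain=$1; resolver=$2
    dig +short A "nonexistent-$$-$(date +%s).$domain" "@$resolver" \
        | grep -E '^[0-9.]+$' | head -n 1
}

# Filter "host ip" lines on stdin, dropping those whose ip is the wildcard answer.
# An empty wildcard argument means no wildcard was found, so everything passes.
filter_wildcard() {
    wild=$1
    if [ -z "$wild" ]; then
        cat
    else
        awk -v w="$wild" '$2 != w'
    fi
}

# Try every word in the list as <word>.<domain>; print "host ip" for real hits.
brute_subdomains() {
    domain=$1; resolver=$2; wordlist=$3
    wild=$(wildcard_ip "$domain" "$resolver")
    [ -n "$wild" ] && echo "[!] wildcard: *.$domain -> $wild, filtering those answers" >&2
    while read -r sub; do
        [ -z "$sub" ] && continue
        # +short may also print CNAME targets, so keep only IPv4 answers.
        ip=$(dig +short A "$sub.$domain" "@$resolver" | grep -E '^[0-9.]+$' | head -n 1)
        [ -n "$ip" ] && echo "$sub.$domain $ip"
    done < "$wordlist" | filter_wildcard "$wild" | sort -u
}

# Usage: ./brute.sh <DOMAIN> <DNS_IP> subdomains-1000.txt; with no arguments
# it only runs the filter over the constructed sample.
if [ $# -ge 3 ]; then
    brute_subdomains "$1" "$2" "$3"
else
    printf '%s\n' "$SAMPLE_HITS" | filter_wildcard 10.10.10.99
fi
```

Note the filter keeps hosts that share an address with another real host (www and mail both on 10.10.10.2 survive) and only drops the wildcard address. For large wordlists, split the list and run several copies of the loop in parallel, or point the same filter at the output of dnsrecon/dnscan.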
