DNS (Domain Name System) Pentesting
Last modified: 2024-08-11
DNS is often described as the phonebook of the internet. The default port is 53.
Enumeration
# Nmap
nmap --script dns-nsec-enum --script-args dns-nsec-enum.domains vulnerable.com -p 53 <target-ip>
nmap --script dns-random-srcport -p 53 <target-ip>
nmap --script dns-recursion -p 53 <target-ip>
nmap --script dns-service-discovery -p 53 <target-ip>
nmap --script dns-* -p 53 <target-ip>
nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" <target-ip>
# Get IP address from the domain
host example.com
# Reverse Lookup (Resolves domain name from IP address)
dig -x <ip>
dig -x 8.8.8.8
Online Tools
Subdomain Discovery
Reference: Hackviser
dnsenum --dnsserver <target-ip> -f wordlist.txt example.com
# Do not scrape from Google search
# -p: The number of google search pages
# -s: The maximum number of subdomains that will be scraped from Google
dnsenum --dnsserver <target-ip> --enum -p 0 -s 0 -f wordlist.txt example.com
DNS Records
# ANY (all) record
dig example.com ANY
dig example.com @<dns-ip> ANY
dig example.com +nocmd +noall +answer ANY
# NS (nameserver) record
dig example.com NS
# TXT record
dig example.com TXT
# Specify a public DNS server
# Cloudflare
dig example.com @1.1.1.1
# Google
dig example.com @8.8.8.8
# Quad9
dig example.com @9.9.9.9
Zone Transfer
A zone transfer copies the zone file from a primary DNS server to a secondary DNS server.
# axfr: Check if the Full Zone Transfer (AXFR) is available
dig @<nameserver> AXFR
dig example.com @<nameserver> AXFR
dig example.com @example.com AXFR
dig <zone-name> @<nameserver> AXFR
BIND
BIND is the most commonly used DNS server.
# BIND version
dig @<nameserver-address> chaos txt version.bind
Configuration Files
# In Linux
/etc/bind/named.conf
/etc/bind/named.conf.options
/etc/bind/named.conf.local
/etc/bind/named.conf.default-zones
Update DNS Zone
If we find a TSIG secret key like the one below, we can update the DNS zone.
# /etc/bind/named.conf
key "rndc-key" {
algorithm hmac-sha256;
secret "zBatC828gunRa...bA=";
};
To update, run the following command using the key.
# -d: Debug mode
# -y: Set the literal TSIG (Transaction Signature) authentication key.
nsupdate -d -y hmac-sha256:rndc-key:zBatC828gunRa...bA=
Creating key...
namefromtext
keycreate
# Enter target domain
> server example.com
# Enter the new record
# 86400: The TTL (Time-To-Live) for the DNS record. Set 86400 seconds (24 hours) here.
# IN: Internet
# A: A record
# 10.0.0.1: Set your local IP address
> update add sub.example.com 86400 IN A 10.0.0.1
> send
Reply from SOA query:
...
Resolve Domains and IP Addresses in /etc/hosts
Edit /etc/hosts file as root to add custom domains.
127.0.0.1 localhost
# Add the custom domain
10.0.0.2 vulnerable.com sub.vulnerable.com
10.0.0.3 vulnerable2.com
If you want to force the system to reflect the changes, restart hostnamed.
sudo systemctl restart systemd-hostnamed
Set DNS Resolver in /etc/resolv.conf
Edit /etc/resolv.conf file as root to add custom nameservers.
Google Nameservers
nameserver 8.8.8.8
nameserver 8.8.4.4
# IPv6
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844
Cloudflare Nameservers
nameserver 1.1.1.1
If you want to force the system to reflect the changes, restart resolved.
sudo systemctl restart systemd-resolved.service
DNS Spoofing
Also known as DNS cache poisoning. Corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. a wrong IP address.
Flush the DNS Cache
Clear IP addresses or DNS records from caches.
sudo resolvectl flush-caches
# or
sudo systemd-resolve --flush-caches
Check that the DNS caches were actually flushed:
sudo resolvectl statistics
# or
sudo systemd-resolve --statistics
DNS Exfiltration
DNS Infiltration
Coming soon...