DNS (Domain Name Systems) Pentesting
Last modified: 2023-10-22
DNS is often called as a phonebook for internet. A default port is 53.
Enumeration
You can use Nmap to enumerate automatically.
nmap --script dns-nsec-enum --script-args dns-nsec-enum.domains vulnerable.com -p 53 <target-ip>
nmap --script dns-random-srcport -p 53 <target-ip>
nmap --script dns-recursion -p 53 <target-ip>
nmap --script dns-service-discovery -p 53 <target-ip>
nmap --script dns-* -p 53 <target-ip>
nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" <target-ip>
Investigation
DNSdumpster is an online tool for reconnaissance DNS records.
IP Address from the Domain
host example.com
DNS Records
# ANY record
dig any example.com @<target-ip>
dig example.com any +nocmd +noall +answer
# NS (nameserver) record
dig ns example.com
# TXT record
dig txt example.com
# Specify a public DNS server
# Cloudflare
dig example.com @1.1.1.1
# Google
dig example.com @8.8.8.8
# Quad9
dig example.com @9.9.9.9
Zone Transfer
The zone transfer is the process of copying the zone file on a primary DNS server to a secondary DNS server.
# axfr: Check if the Full Zone Transfer (AXFR) is available
dig axfr @<nameserver>
dig axfr example.com @<nameserver>
dig axfr example.com @example.com
dig axfr <zone-name> @<nameserver>
BIND
BIND is the most commonly used DNS server.
# BIND version
dig @<nameserver> chaos txt version.bind
Configuration Files
# Linux
/etc/bind/named.conf
/etc/bind/named.conf.options
/etc/bind/named.conf.local
/etc/bind/named.conf.default-zones
Update DNS Zone
If we found the secret key such like below, we can update DNS zone.
# /etc/bind/named.conf
key "rndc-key" {
algorithm hmac-sha256;
secret "zBatC828gunRa...bA=";
};
To update, run the following command using the key.
# -d: Debug mode
# -y: Set the literal TSIG (Transaction Signature) authentication key.
nsupdate -d -y hmac-sha256:rndc-key:zBatC828gunRa...bA=
Creating key...
namefromtext
keycreate
# Enter target domain
> server example.com
# Enter the new record
# 86400: The TTL (Time-To-Live) for the DNS record. Set 86400 seconds (24 hours) here.
# IN: Internet
# A: A record
# 10.0.0.1: Set your local ip address
> update add sub.example.com 86400 IN A 10.0.0.1
> send
Reply from SOA query:
...
Reverse Lookup
Resolves a domain name from given IP address.
dig -x <ip>
dig -x 8.8.8.8
Resolve Domains and IP Addresses in /etc/hosts
Edit /etc/hosts file as root to add custom domains.
127.0.0.1 localhost
# Add the custom domain
10.0.0.2 vulnerable.com sub.vulnerable.com
10.0.0.3 vulnerable2.com
If you want to force the system to reflect the changes, restart hostnamed.
sudo systemctl restart systemd-hostnamed
Set DNS Resolver in /etc/resolv.conf
Edit /etc/resolv.conf file as root to add custom nameservers.
Google Nameservers
nameserver 8.8.8.8
nameserver 8.8.4.4
# IPv6
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844
Cloudflare Nameservers
nameserver 1.1.1.1
If you want to force the system to reflect the changes, restart resolved.
sudo systemctl restart systemd-resolved.service
DNS Spoofing
Also known as DNS cache poisoning. It corrupts Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address.
Flush the DNS Cache
Clear IP addresses or DNS records from caches.
sudo resolvectl flush-caches
# or
sudo systemd-resolve --flush-cache
Check DNS caches are actually flushed
sudo resolvectl statistics
# or
sudo systemd-resolve --statistics
DNS Exfiltration
DNS Infiltration
Coming soon...