DNS
Pentesting DNS
Navigation
DNS Reconnaissance
DNS Enumeration
DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. DNS enumeration is an important step as is it used to identify the structure and components of a target’s network by revealing domain names, IP addresses, and various services. There are several tools available to enumerate DNS information for a target. A list of very useful online-based DNS tools is available here: DNS Tools & Links
An excellent built-in Linux tool to use is dig. Gathering information such as IP addresses for domain names can be used in activities such as port scanning and vulnerability scanning in later phases of the penetration test.
dig A hacker.com #Retrieves the A (Address) records for a given domain dig TXT hacker.com #Retreives the TXT (Text) records for a given domain dig MX hacker.com #Retrieves the MX (Mail Exchange) records for a given domain dig NS hacker.com #Retrieves the NS (Name Server) records for a given domain dig AAAA hacker.com #Retrieves the AAAA (quad-A) records for a given domain (IPv6) dig any hacker.com #Returns all available DNS entries for the target domain dig any hacker.com @8.8.8.8 #Specify a name server as certain name servers might respond with different information
Another built-in Linux and Windows tool to enumerate DNS for a target is Nslookup.
nslookup hacker.com #Query the DNS server for the IP address associated with the domain name nslookup 192.0.2.1 #Perform a reverse DNS lookup to find the domain name associated with the IP address nslookup -type=mx hacker.com #Query specific DNS record types (Use NS, TXT, A, AAAA) nslookup hacker.com 8.8.8.8 #Query a domain with a specific DNS server nslookup -debug hacker.com #Query with debug information
The above DNS enumeration, and more, can be automated with several tools. DNSRecon is a popular command-line tool used for performing DNS reconnaissance, enumeration, and information gathering and can be found here: https://github.com/darkoperator/dnsrecon
dnsrecon hacker.com #Perform general DNS enumeration against the target domain name dnsrecon -r 2.18.48.0/24 #DNS reverse lookup of all of the addresses in the range dnsrecon -d hacker.com -t axfr #Attempts a zone transfer on the domain dnsrecon -d hacker.com -t ns #Lists the authoritative DNS servers for the domain dnsrecon -d hacker -t ptr #Enumerate DNS records of a specific type
The DNSEnum tool is also another popular DNS enumeration tool. It is built into Kali Linux but can be downloaded here: https://github.com/SparrowOchon/dnsenum2
dnsenum hacker.com #Performs a basic enumeration of the target domain, querying for common DNS records like A, AAAA, MX, NS, and SOA dnsenum --enum -f <DNS_SERVER> hacker.com #Attempts a zone transfer on the target domain dnsenum --reverse 192.0.2.1/24 #Performs reverse DNS lookups on the IP range dnsenum --dnsserver hacker.com #Finding DNS servers for a target domain dnsenum --dnstypes PTR hacker.com #Enumerating DNS records of a specific type (Use A, AAAA, TXT, NS etc)
DNS Security Checks
Configuration Review
In this phase of DNS pentesting, we check for common misconfigurations such as open resolvers, outdated software, and weak security settings for the target domain.
Open Recursion
Open recursion on a DNS server refers to the practice of allowing recursive queries from any client, regardless of whether they are authorized or not. While open recursion might seem convenient for users, it poses several risks and vulnerabilities such as Amplification Attacks, DNS Cache Poisoning, Facilitates DDoS Attacks and Resource Exhaustion.
We can use dig to test for open recursion. If the DNS server responds with a complete answer to the query without referring you to another DNS server, it suggests that open recursion might be enabled.
dig hacker.com @target-dns-server +norecurse #Test for open recursion.
Zone Transfers
Zone transfers (AXFR requests) on a DNS server pose significant security risks. Zone transfers provide a complete copy of a DNS zone, including all domain names, IP addresses, and other resource records. Attackers can perform reconnaissance by requesting zone transfers to gather information about the target organization’s network assets, such as subdomains, hosts, and services.
We can use several tools as demonstrated below.
dig AXFR @dns-server hacker.com #Attempt DNS zone transfer using dig dnsrecon -d hacker.com -t axfr #Attempt DNS zone transfer using dnsrecon fierce -dns hacker.com #Attempt DNS zone transfer using fierce dnsenum hacker.com #Attempt DNS zone transfer using dnsenum while read domain; do dig AXFR @8.8.8.8 "$domain"; done < domains.txt #Bash script one-liner to test a file of domains