Pentesting DNS

DNS Icon
The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services, or other resources connected to the internet or a private network. It translates human-readable domain names, like www.example.com, into IP addresses, such as 192.0.2.1, which computers use to identify each other on the network.

DNS Reconnaissance

DNS Enumeration

DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. DNS enumeration is an important step as is it used to identify the structure and components of a target’s network by revealing domain names, IP addresses, and various services. There are several tools available to enumerate DNS information for a target. A list of very useful online-based DNS tools is available here: DNS Tools & Links

An excellent built-in Linux tool to use is dig. Gathering information such as IP addresses for domain names can be used in activities such as port scanning and vulnerability scanning in later phases of the penetration test.

dig A hacker.com               #Retrieves the A (Address) records for a given domain
dig TXT hacker.com             #Retreives the TXT (Text) records for a given domain
dig MX hacker.com              #Retrieves the MX (Mail Exchange) records for a given domain
dig NS hacker.com              #Retrieves the NS (Name Server) records for a given domain
dig AAAA hacker.com            #Retrieves the AAAA (quad-A) records for a given domain (IPv6)
dig any hacker.com             #Returns all available DNS entries for the target domain
dig any hacker.com @8.8.8.8    #Specify a name server as certain name servers might respond with different information

 

Another built-in Linux and Windows tool to enumerate DNS for a target is Nslookup.

nslookup hacker.com             #Query the DNS server for the IP address associated with the domain name
nslookup 192.0.2.1              #Perform a reverse DNS lookup to find the domain name associated with the IP address
nslookup -type=mx hacker.com    #Query specific DNS record types (Use NS, TXT, A, AAAA)
nslookup hacker.com 8.8.8.8     #Query a domain with a specific DNS server
nslookup -debug hacker.com      #Query with debug information

 

The above DNS enumeration, and more, can be automated with several tools. DNSRecon is a popular command-line tool used for performing DNS reconnaissance, enumeration, and information gathering and can be found here: https://github.com/darkoperator/dnsrecon

dnsrecon hacker.com              #Perform general DNS enumeration against the target domain name
dnsrecon -r 2.18.48.0/24         #DNS reverse lookup of all of the addresses in the range
dnsrecon -d hacker.com -t axfr   #Attempts a zone transfer on the domain
dnsrecon -d hacker.com -t ns     #Lists the authoritative DNS servers for the domain
dnsrecon -d hacker -t ptr        #Enumerate DNS records of a specific type

 

The DNSEnum tool is also another popular DNS enumeration tool. It is built into Kali Linux but can be downloaded here: https://github.com/SparrowOchon/dnsenum2

dnsenum hacker.com                            #Performs a basic enumeration of the target domain, querying for common DNS records like A, AAAA, MX, NS, and SOA
dnsenum --enum -f <DNS_SERVER> hacker.com     #Attempts a zone transfer on the target domain
dnsenum --reverse 192.0.2.1/24                #Performs reverse DNS lookups on the IP range
dnsenum --dnsserver hacker.com                #Finding DNS servers for a target domain
dnsenum --dnstypes PTR hacker.com             #Enumerating DNS records of a specific type (Use A, AAAA, TXT, NS etc)

DNS Security Checks

Configuration Review

In this phase of DNS pentesting, we check for common misconfigurations such as open resolvers, outdated software, and weak security settings for the target domain.

Open Recursion

Open recursion on a DNS server refers to the practice of allowing recursive queries from any client, regardless of whether they are authorized or not. While open recursion might seem convenient for users, it poses several risks and vulnerabilities such as Amplification Attacks, DNS Cache Poisoning, Facilitates DDoS Attacks and Resource Exhaustion.

We can use dig to test for open recursion. If the DNS server responds with a complete answer to the query without referring you to another DNS server, it suggests that open recursion might be enabled.

dig hacker.com @target-dns-server +norecurse   #Test for open recursion.

 

Zone Transfers

Zone transfers (AXFR requests) on a DNS server pose significant security risks. Zone transfers provide a complete copy of a DNS zone, including all domain names, IP addresses, and other resource records. Attackers can perform reconnaissance by requesting zone transfers to gather information about the target organization’s network assets, such as subdomains, hosts, and services.

We can use several tools as demonstrated below.

dig AXFR @dns-server hacker.com    #Attempt DNS zone transfer using dig
dnsrecon -d hacker.com -t axfr     #Attempt DNS zone transfer using dnsrecon
fierce -dns hacker.com             #Attempt DNS zone transfer using fierce
dnsenum hacker.com                 #Attempt DNS zone transfer using dnsenum

while read domain; do dig AXFR @8.8.8.8 "$domain"; done < domains.txt    #Bash script one-liner to test a file of domains