DNS Pentesting Notes

Protocol Overview

Basic Information

  • Port: UDP/TCP 53

  • Protocol Type: Application layer

  • Purpose: Domain name resolution to IP addresses

  • Security: Minimal built-in security, often unencrypted

DNS Server Types

  1. Root Servers

    • Manages TLDs

    • 13 servers worldwide

    • Governed by ICANN

  2. Authoritative Servers

    • Hold authority over specific zones

    • Provide definitive answers

  3. Non-authoritative/Caching Servers

    • Store temporary DNS information

    • Forward queries to other servers

Initial Enumeration

Basic DNS Queries

# NS record query
dig ns domain.com @DNS_IP

# MX record query
dig mx domain.com @DNS_IP

# ANY query
dig any domain.com @DNS_IP

# Version query (if enabled)
dig CH TXT version.bind @DNS_IP

# Reverse lookup
dig -x IP_ADDRESS @DNS_IP
# Using nmap
nmap -sV -p53 DNS_IP

# Using netcat (UDP)
nc -u DNS_IP 53

# Using dig version query
dig chaos txt version.bind @DNS_IP

Record Types and Queries

Common Record Types

Record
Purpose

A

IPv4 address mapping

AAAA

IPv6 address mapping

MX

Mail server records

NS

Nameserver records

TXT

Miscellaneous information

CNAME

Domain aliases

PTR

Reverse DNS lookups

SOA

Zone authority info

Querying Records

# A records
dig a domain.com @DNS_IP

# AAAA records
dig aaaa domain.com @DNS_IP

# TXT records
dig txt domain.com @DNS_IP

# SOA record
dig soa domain.com @DNS_IP

Zone Transfers

Testing Zone Transfers

# Using dig
dig axfr domain.com @DNS_IP

# Using host
host -l domain.com DNS_IP

# Testing internal zones
dig axfr internal.domain.com @DNS_IP

Automated Zone Transfer Tools

# Using nmap
nmap --script dns-zone-transfer -p53 DNS_IP

# Using fierce
fierce --domain domain.com --dns-servers DNS_IP

# Using dnsrecon
dnsrecon -d domain.com -t axfr -n DNS_IP

Subdomain Enumeration

Using DNS Tools

# Using gobuster
gobuster dns -d domain.com -w wordlist.txt -r DNS_IP

# Using dnsenum
dnsenum --dnsserver DNS_IP --enum -f wordlist.txt domain.com

# Using Sublist3r
sublist3r -d domain.com -n

Bash One-liners

# Using dig with loop
for sub in $(cat wordlist.txt); do
    dig $sub.domain.com @DNS_IP | grep -v ';\|SOA' | sed -r '/^\s*$/d'
done

# Using host with loop
for sub in $(cat wordlist.txt); do
    host $sub.domain.com DNS_IP
done

Common NSE Scripts

# All DNS scripts
nmap --script "dns-*" -p53 DNS_IP

# Common individual scripts
nmap -p53 --script dns-zone-transfer DNS_IP
nmap -p53 --script dns-srv-enum DNS_IP
nmap -p53 --script dns-brute DNS_IP

Configuration Files

BIND Configuration

  • Main config: /etc/bind/named.conf

  • Local zones: /etc/bind/named.conf.local

  • Options: /etc/bind/named.conf.options

  • Zone files: /var/cache/bind/

  • Logs: /var/log/named/

Common Misconfigurations

  1. Zone Transfers:

    • Unrestricted transfers

    • Missing allow-transfer directive

  2. Recursion:

    • Open recursion

    • Missing allow-recursion directive

  3. Version Info:

    • Version disclosure

    • Unnecessary information leakage

Advanced Techniques

DNS Cache Snooping

# Check if record is cached
dig @DNS_IP domain.com +nocmd +noall +answer

# Time-based snooping
dig @DNS_IP domain.com +nocmd +noall +answer +ttl

DNS Amplification Testing

# Test amplification potential
dig any domain.com @DNS_IP +dnssec

# Check DNSSEC records
dig dnskey domain.com @DNS_IP

Common Vulnerabilities

  1. Misconfiguration Issues:

    • Open zone transfers

    • Recursive queries allowed

    • Information disclosure

    • Weak access controls

  2. Protocol Weaknesses:

    • Cache poisoning

    • DNS tunneling

    • Zone walking

    • Amplification attacks

  3. Implementation Issues:

    • Buffer overflows

    • DoS vulnerabilities

    • BIND vulnerabilities

Post Exploitation

Information Gathering

  • Map network infrastructure

  • Identify internal domains

  • Discover host naming patterns

  • Find related domains

  • Locate sensitive records

Further Enumeration

  • Internal DNS servers

  • Split-horizon DNS

  • Dynamic DNS zones

  • DNSSEC configuration

  • Secondary servers

Common Response Codes

Code
Meaning

NOERROR

Query successful

NXDOMAIN

Domain not found

SERVFAIL

Server failure

REFUSED

Query refused

FORMERR

Format error

Best Practices for Pentesting

  1. Initial Reconnaissance:

    • Identify DNS servers

    • Check version info

    • Test basic queries

    • Look for zone transfers

  2. Deep Enumeration:

    • Brute force subdomains

    • Check all record types

    • Test for misconfigurations

    • Map DNS infrastructure

  3. Documentation:

    • Record all findings

    • Note server versions

    • Document vulnerabilities

    • Save evidence

  4. Risk Assessment:

    • Evaluate impact

    • Consider data sensitivity

    • Check exploitation potential

    • Recommend fixes

Common Tools

  1. Enumeration:

    • dig

    • nslookup

    • host

    • dnsenum

    • fierce

  2. Subdomain Discovery:

    • gobuster

    • Sublist3r

    • Amass

    • Subfinder

  3. Analysis:

    • dnsrecon

    • dnswalk

    • dnsmap

    • massdns

Remember to always have proper authorization before testing and document all findings thoroughly.

PreviousSMTP Pentesting NotesNextNFS Pentesting Notes