DNS Pentesting Notes

Protocol Overview

Basic Information

Port: UDP/TCP 53
Protocol Type: Application layer
Purpose: Domain name resolution to IP addresses
Security: Minimal built-in security, often unencrypted

DNS Server Types

Root Servers
- Manages TLDs
- 13 servers worldwide
- Governed by ICANN
Authoritative Servers
- Hold authority over specific zones
- Provide definitive answers
Non-authoritative/Caching Servers
- Store temporary DNS information
- Forward queries to other servers

Initial Enumeration

Basic DNS Queries

# NS record query
dig ns domain.com @DNS_IP

# MX record query
dig mx domain.com @DNS_IP

# ANY query
dig any domain.com @DNS_IP

# Version query (if enabled)
dig CH TXT version.bind @DNS_IP

# Reverse lookup
dig -x IP_ADDRESS @DNS_IP

Banner Grabbing

# Using nmap
nmap -sV -p53 DNS_IP

# Using netcat (UDP)
nc -u DNS_IP 53

# Using dig version query
dig chaos txt version.bind @DNS_IP

Record Types and Queries

Common Record Types

Record

Purpose

IPv4 address mapping

AAAA

IPv6 address mapping

Mail server records

Nameserver records

TXT

Miscellaneous information

CNAME

Domain aliases

PTR

Reverse DNS lookups

SOA

Zone authority info

Querying Records

# A records
dig a domain.com @DNS_IP

# AAAA records
dig aaaa domain.com @DNS_IP

# TXT records
dig txt domain.com @DNS_IP

# SOA record
dig soa domain.com @DNS_IP

Zone Transfers

Testing Zone Transfers

# Using dig
dig axfr domain.com @DNS_IP

# Using host
host -l domain.com DNS_IP

# Testing internal zones
dig axfr internal.domain.com @DNS_IP

Automated Zone Transfer Tools

# Using nmap
nmap --script dns-zone-transfer -p53 DNS_IP

# Using fierce
fierce --domain domain.com --dns-servers DNS_IP

# Using dnsrecon
dnsrecon -d domain.com -t axfr -n DNS_IP

Subdomain Enumeration

Using DNS Tools

# Using gobuster
gobuster dns -d domain.com -w wordlist.txt -r DNS_IP

# Using dnsenum
dnsenum --dnsserver DNS_IP --enum -f wordlist.txt domain.com

# Using Sublist3r
sublist3r -d domain.com -n

Bash One-liners

# Using dig with loop
for sub in $(cat wordlist.txt); do
    dig $sub.domain.com @DNS_IP | grep -v ';\|SOA' | sed -r '/^\s*$/d'
done

# Using host with loop
for sub in $(cat wordlist.txt); do
    host $sub.domain.com DNS_IP
done

Common NSE Scripts

# All DNS scripts
nmap --script "dns-*" -p53 DNS_IP

# Common individual scripts
nmap -p53 --script dns-zone-transfer DNS_IP
nmap -p53 --script dns-srv-enum DNS_IP
nmap -p53 --script dns-brute DNS_IP

Configuration Files

BIND Configuration

Main config: /etc/bind/named.conf
Local zones: /etc/bind/named.conf.local
Options: /etc/bind/named.conf.options
Zone files: /var/cache/bind/
Logs: /var/log/named/

Common Misconfigurations

Zone Transfers:
- Unrestricted transfers
- Missing allow-transfer directive
Recursion:
- Open recursion
- Missing allow-recursion directive
Version Info:
- Version disclosure
- Unnecessary information leakage

Advanced Techniques

DNS Cache Snooping

# Check if record is cached
dig @DNS_IP domain.com +nocmd +noall +answer

# Time-based snooping
dig @DNS_IP domain.com +nocmd +noall +answer +ttl

DNS Amplification Testing

# Test amplification potential
dig any domain.com @DNS_IP +dnssec

# Check DNSSEC records
dig dnskey domain.com @DNS_IP

Common Vulnerabilities

Misconfiguration Issues:
- Open zone transfers
- Recursive queries allowed
- Information disclosure
- Weak access controls
Protocol Weaknesses:
- Cache poisoning
- DNS tunneling
- Zone walking
- Amplification attacks
Implementation Issues:
- Buffer overflows
- DoS vulnerabilities
- BIND vulnerabilities

Post Exploitation

Information Gathering

Map network infrastructure
Identify internal domains
Discover host naming patterns
Find related domains
Locate sensitive records

Further Enumeration

Internal DNS servers
Split-horizon DNS
Dynamic DNS zones
DNSSEC configuration
Secondary servers

Common Response Codes

Code

Meaning

NOERROR

Query successful

NXDOMAIN

Domain not found

SERVFAIL

Server failure

REFUSED

Query refused

FORMERR

Format error

Best Practices for Pentesting

Initial Reconnaissance:
- Identify DNS servers
- Check version info
- Test basic queries
- Look for zone transfers
Deep Enumeration:
- Brute force subdomains
- Check all record types
- Test for misconfigurations
- Map DNS infrastructure
Documentation:
- Record all findings
- Note server versions
- Document vulnerabilities
- Save evidence
Risk Assessment:
- Evaluate impact
- Consider data sensitivity
- Check exploitation potential
- Recommend fixes

Common Tools

Enumeration:
- dig
- nslookup
- host
- dnsenum
- fierce
Subdomain Discovery:
- gobuster
- Sublist3r
- Amass
- Subfinder
Analysis:
- dnsrecon
- dnswalk
- dnsmap
- massdns

Remember to always have proper authorization before testing and document all findings thoroughly.

PreviousSMTP Pentesting Notes NextNFS Pentesting Notes

hashtagProtocol Overview

hashtagBasic Information

hashtagDNS Server Types

hashtagInitial Enumeration

hashtagBasic DNS Queries

hashtagBanner Grabbing

hashtagRecord Types and Queries

hashtagCommon Record Types

hashtagQuerying Records

hashtagZone Transfers

hashtagTesting Zone Transfers

hashtagAutomated Zone Transfer Tools

hashtagSubdomain Enumeration

hashtagUsing DNS Tools

hashtagBash One-liners

hashtagCommon NSE Scripts

hashtagConfiguration Files

hashtagBIND Configuration

hashtagCommon Misconfigurations

hashtagAdvanced Techniques

hashtagDNS Cache Snooping

hashtagDNS Amplification Testing

hashtagCommon Vulnerabilities

hashtagPost Exploitation

hashtagInformation Gathering

hashtagFurther Enumeration

hashtagCommon Response Codes

hashtagBest Practices for Pentesting

hashtagCommon Tools