DNS ( 53 )

Resources

• DNS Core
  • What is SOA record : https://www.cloudflare.com/learning/dns/dns-records/dns-soa-record/
  • IXFR & AXFR : https://medium.com/@packetnaut/demystifying-dns-zone-transfers-a-guide-to-ixfr-and-axfr-protocols-with-tcpdump-examples-ff2e80c43397
  • Recursive vs Iterative dns : https://www.cloudflare.com/learning/dns/what-is-recursive-dns/
• Exploitation
  • Popular Attacks : https://web.archive.org/web/20250329174745/https://securitytrails.com/blog/most-popular-types-dns-attacks
  • Practice Lab : https://digi.ninja/projects/zonetransferme.php

Cheat sheet

• By secybr : https://secybr.com/posts/dns-pentesting-best-practicies/
• By snovvcras.sh : https://ppn.snovvcra.sh/pentest/perimeter/dns

Commands

• Query for Start of Authority (SOA) Record
  • Identifies the primary name server, admin contact, and zone timers.

    dig soa www.inlanefreight.com
    whois facebook.com

• Query for Name Server (NS) Records
  • Finds the authoritative DNS servers for a domain.

    dig ns inlanefreight.htb @10.129.14.128
    nslookup -type=ns facebook.com

• Query for Any Record Type
  • A broad query to retrieve all available DNS record types.

    dig any inlanefreight.htb @10.129.14.128
    dig any @81.4.108.41 zonetransfer.me

• Query Specific Record Types (A, AAAA, TXT, MX)
  • Used to find IPv4, IPv6, text, and mail exchange records.

    dig A @81.4.108.41 zonetransfer.me
    dig AAAA @81.4.108.41 zonetransfer.me
    dig TXT @81.4.108.41 zonetransfer.me
    dig MX @81.4.108.41 zonetransfer.me

• Query for DNS Server Version
  • Attempts to get the BIND version of the DNS server.

    dig CH TXT version.bind 10.129.120.85
    dig version.bind CHAOS TXT @nsztm1.digi.ninja

• Attempt an AXFR Zone Transfer
  • If successful, this downloads a copy of the entire DNS zone, revealing all hostnames.

    dig axfr inlanefreight.htb @10.129.14.128
    dig axfr internal.inlanefreight.htb @10.129.14.128
    dig axfr @81.4.108.41 zonetransfer.me

• Nmap Zone Transfer Script
  • An alternative method using Nmap’s scripting engine.

    nmap -Pn -sU --script=dns-check-zone -p 53 facebook.com

• Bash One-Liner with dig
  • Iterates through a wordlist to find valid subdomains.

    for sub in $(cat /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done

• Automated Tools (dnsenum, dnsrecon, dnscan, fierce)
  • These tools automate the process of zone transfers, brute-forcing, and reverse lookups.

    dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb
     
    dnsrecon -d zonetransfer.me -a -n 81.4.108.41
     
    python3 dnscan.py -d facebook.com -w subdomains-10000.txt -r
     
    fierce --domain facebook.com --subdomains admin call voip

• Reverse DNS Lookup (PTR Scan)
  • Scans an IP range and attempts to find associated hostnames.

    dnsrecon -r 176.124.112.0/24 -n 176.124.112.77

• IPv6 DNS Enumeration
  • Brute-force subdomains using a dictionary optimized for IPv6.

    dnsdict6 zonetransfer.me

  • Perform a reverse lookup on an IPv6 range.

    dnsrevenum6 pri.authdns.ripe.net 1301:37d:2e8::/48

• Metasploit & Nmap DNS Scripts
  • Use Metasploit’s DNS enumeration module.

    msf > use auxiliary/gather/enum_dns
    

  • Run a collection of default and useful DNS-related scripts with Nmap.

    nmap -Pn -sU -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" 81.4.108.41

• Check for DNS Recursion ( DNS Amplification )
  • RA (Recursion Available) in the dig header indicates the server may resolve external domains.

    dig A @81.4.108.41 zonetransfer.me
    nmap -Pn -sU -p 53 --script=dns-recursion 81.4.108.41

Tools

• dnscan : https://github.com/rbsec/dnscan
• fierce : https://github.com/mschwager/fierce
• thc-ipv6 : https://github.com/vanhauser-thc/thc-ipv6
• reverseip : https://viewdns.info/reverseip/
• wordlist : Part1

Notes

DNS Server Types Explained

Server Type	Simple Explanation (Analogy)	Real-World Example
Resolver	Your personal, local contact list.	The hosts file on your computer.
Caching DNS Server	The main receptionist for your local office building who remembers recent lookups.	Google’s 8.8.8.8 or your ISP’s DNS.
Forwarding Server	A junior receptionist who just passes all questions to the main receptionist.	A small office router forwarding DNS to an ISP.
DNS Root Server	The global headquarters directory that points you to the right continental division (e.g., .com).	a.root-servers.net.
Authoritative Nameserver	The official employee directory for a specific company branch (e.g., “google.com”) that has the master record.	ns1.google.com.
Non-authoritative Nameserver	Any receptionist giving you an answer they learned from someone else.	8.8.8.8 when it tells you the IP for microsoft.com.

Common DNS Record Types

DNS Record	Description
A	Returns the IPv4 address for a domain.
AAAA	Returns the IPv6 address for a domain.
MX	Returns the responsible mail servers for a domain.
NS	Returns the authoritative nameservers (DNS servers) for a domain.
TXT	Contains arbitrary text; used for verification, email security (SPF, DMARC), etc.
CNAME	Acts as an alias, making one domain point to another domain (not an IP).
PTR	Performs a reverse lookup, converting an IP address back to a domain name.
SOA	Provides administrative information about the DNS zone (e.g., primary nameserver, admin contact).

Danger

For security reasons, nearly all DNS servers are configured to deny zone transfer requests from the general public. Giving away a complete list of all your servers and subdomains is a huge security risk, as it provides a perfect map for an attacker.