DNS (Domain Name Systems) Pentesting

DNS is often called as a phonebook for internet. A default port is 53.

Enumeration

# Nmap
nmap --script dns-nsec-enum --script-args dns-nsec-enum.domains vulnerable.com -p 53 <target-ip>
nmap --script dns-random-srcport -p 53 <target-ip>
nmap --script dns-recursion -p 53 <target-ip>
nmap --script dns-service-discovery -p 53 <target-ip>
nmap --script dns-* -p 53 <target-ip>
nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" <target-ip>

# Get IP address from the domain
host example.com

# Reverse Lookup (Resolves domain name from IP address)
dig -x <ip>
dig -x 8.8.8.8

Online Tools

• DNSdumpster

Subdomain Discovery

Reference: Hackviser

dnsenum --dnsserver <target-ip> -f wordlist.txt example.com

# Do not scrape from Google search
# -p: The number of google search pages
# -s: The maximum number of subdomains that will be scraped from Google
dnsenum --dnsserver <target-ip> --enum -p 0 -s 0 -f wordlist.txt example.com

DNS Records

# ANY (all) record
dig example.com ANY
dig example.com @<dns-ip> ANY
dig example.com +nocmd +noall +answer ANY

# NS (nameserver) record
dig example.com NS

# TXT record
dig example.com TXT

# Specify a public DNS server
# Cloudflare
dig example.com @1.1.1.1
# Google
dig example.com @8.8.8.8
# Quad9
dig example.com @9.9.9.9

Zone Transfer

The zone transfer is the process of copying the zone file on a primary DNS server to a secondary DNS server.

# axfr: Check if the Full Zone Transfer (AXFR) is available
dig @<nameserver> AXFR
dig example.com @<nameserver> AXFR
dig example.com @example.com AXFR
dig <zone-name> @<nameserver> AXFR

BIND

BIND is the most commonly used DNS server.

# BIND version
dig @<nameserver-address> chaos txt version.bind

Configuration Files

# In Linux
/etc/bind/named.conf
/etc/bind/named.conf.options
/etc/bind/named.conf.local
/etc/bind/named.conf.default-zones

Update DNS Zone

If we found the secret key such like below, we can update DNS zone.

# /etc/bind/named.conf

key "rndc-key" {
    algorithm hmac-sha256;
    secret "zBatC828gunRa...bA=";
};

To update, run the following command using the key.

# -d: Debug mode
# -y: Set the literal TSIG (Transaction Signature) authentication key.
nsupdate -d -y hmac-sha256:rndc-key:zBatC828gunRa...bA= 
Creating key...
namefromtext
keycreate
# Enter target domain
> server example.com
# Enter the new record
# 86400: The TTL (Time-To-Live) for the DNS record. Set 86400 seconds (24 hours) here.
# IN: Internet
# A: A record
# 10.0.0.1: Set your local ip address
> update add sub.example.com 86400 IN A 10.0.0.1
> send
Reply from SOA query:

...

Resolve Domains and IP Addresses in /etc/hosts

Edit /etc/hosts file as root to add custom domains.

127.0.0.1  localhost

# Add the custom domain
10.0.0.2  vulnerable.com sub.vulnerable.com
10.0.0.3  vulnerable2.com

If you want to force the system to reflect the changes, restart hostnamed.

sudo systemctl restart systemd-hostnamed

Set DNS Resolver in /etc/resolv.conf

Edit /etc/resolv.conf file as root to add custom nameservers.

Google Nameservers

nameserver 8.8.8.8
nameserver 8.8.4.4

# IPv6
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844

Cloudflare Nameservers

nameserver 1.1.1.1

If you want to force the system to reflect the changes, restart resolved.

sudo systemctl restart systemd-resolved.service

DNS Spoofing

Also known as DNS cache poisoning. It corrupts Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address.

Flush the DNS Cache

Clear IP addresses or DNS records from caches.

sudo resolvectl flush-caches
# or
sudo systemd-resolve --flush-cache

Check DNS caches are actually flushed

sudo resolvectl statistics
# or
sudo systemd-resolve --statistics

DNS Exfiltration

dns-exfil-infil

DNS Infiltration

Coming soon...

DNS Tunneling

Iodine