DNS (Domain Name Systems) Pentesting

DNS is often called as a phonebook for internet. A default port is 53.

Enumeration

You can use Nmap to enumerate automatically.

nmap --script dns-nsec-enum --script-args dns-nsec-enum.domains vulnerable.com -p 53 <target-ip>
nmap --script dns-random-srcport -p 53 <target-ip>
nmap --script dns-recursion -p 53 <target-ip>
nmap --script dns-service-discovery -p 53 <target-ip>
nmap --script dns-* -p 53 <target-ip>

nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" <target-ip>


Investigation

DNSdumpster is an online tool for reconnaissance DNS records.

IP Address from the Domain

host example.com

DNS Records

# ANY (all) record
did example.com ANY
dig example.com @<dns-ip> ANY
dig example.com +nocmd +noall +answer ANY

# NS (nameserver) record
dig example.com NS

# TXT record
dig example.com TXT

# Specify a public DNS server
# Cloudflare
dig example.com @1.1.1.1
# Google
dig example.com @8.8.8.8
# Quad9
dig example.com @9.9.9.9

Zone Transfer

The zone transfer is the process of copying the zone file on a primary DNS server to a secondary DNS server.

# axfr: Check if the Full Zone Transfer (AXFR) is available
dig @<nameserver> AXFR
dig example.com @<nameserver> AXFR
dig example.com @example.com AXFR
dig <zone-name> @<nameserver> AXFR


BIND

BIND is the most commonly used DNS server.

# BIND version
dig @<nameserver-address> chaos txt version.bind

Configuration Files

# Linux
/etc/bind/named.conf
/etc/bind/named.conf.options
/etc/bind/named.conf.local
/etc/bind/named.conf.default-zones

Update DNS Zone

If we found the secret key such like below, we can update DNS zone.

# /etc/bind/named.conf

key "rndc-key" {
    algorithm hmac-sha256;
    secret "zBatC828gunRa...bA=";
};

To update, run the following command using the key. 

# -d: Debug mode
# -y: Set the literal TSIG (Transaction Signature) authentication key.
nsupdate -d -y hmac-sha256:rndc-key:zBatC828gunRa...bA= 
Creating key...
namefromtext
keycreate
# Enter target domain
> server example.com
# Enter the new record
# 86400: The TTL (Time-To-Live) for the DNS record. Set 86400 seconds (24 hours) here.
# IN: Internet
# A: A record
# 10.0.0.1: Set your local ip address
> update add sub.example.com 86400 IN A 10.0.0.1
> send
Reply from SOA query:

...


Reverse Lookup

Resolves a domain name from given IP address.

dig -x <ip>
dig -x 8.8.8.8


Resolve Domains and IP Addresses in /etc/hosts

Edit /etc/hosts file as root to add custom domains. 

127.0.0.1  localhost

# Add the custom domain
10.0.0.2  vulnerable.com sub.vulnerable.com
10.0.0.3  vulnerable2.com

If you want to force the system to reflect the changes, restart hostnamed.

sudo systemctl restart systemd-hostnamed


Set DNS Resolver in /etc/resolv.conf

Edit /etc/resolv.conf file as root to add custom nameservers.

Google Nameservers

nameserver 8.8.8.8
nameserver 8.8.4.4

# IPv6
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844

Cloudflare Nameservers

nameserver 1.1.1.1

If you want to force the system to reflect the changes, restart resolved.

sudo systemctl restart systemd-resolved.service


DNS Spoofing

Also known as DNS cache poisoning. It corrupts Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address.


Flush the DNS Cache

Clear IP addresses or DNS records from caches.

sudo resolvectl flush-caches
# or
sudo systemd-resolve --flush-cache

Check DNS caches are actually flushed

sudo resolvectl statistics
# or
sudo systemd-resolve --statistics


DNS Exfiltration

dns-exfil-infil


DNS Infiltration

Coming soon...


DNS Tunneling

Iodine