DNS Reconnaissance


Overview

The internet and the web would not function without DNS servers. DNS is an integral part of our experience of the internet: it resolves names to IP addresses, allowing us to type www.yahoo.com into the address bar instead of having to remember the IP address 209.191.122.70. Imagine having to put IP addresses into Internet Explorer to do all your surfing…yuck!

From a security/reconnaissance point of view, DNS can be exploited and offers a means of discovering an organization’s public, and possibly private, servers and services along with their corresponding IP addresses. By necessity, a domain’s authoritative DNS server will give out information about the domain’s mail servers and DNS servers. We can resolve domain names, DNS servers, and mail servers to IP addresses using the following tools: nslookup, host, and dig. A great resource about DNS can be found here: https://webhostinggeeks.com/guides/dns/

Nslookup

Typing nslookup into a Windows command prompt or a Linux terminal starts an interactive session that resolves DNS queries using whatever DNS server is configured in your network settings. In the following example I use nslookup to query my locally configured DNS server and resolve the “A” (address) record for “yahoo.com”:

    >nslookup
    Default Server:
    Address:

    >yahoo.com

 

Notice how I put the IP address in the address bar and it successfully resolves to the Yahoo web server.

If we want to query for a domain’s mail servers we enter the following commands:

    >set type=mx
    >somedomain.com

In the example below nslookup has discovered 3 mail servers.


If we want to query for the authoritative DNS servers of a domain we enter the following commands:

    >set type=ns
    >somedomain.com

 

In the example below nslookup has discovered 7 authoritative name servers.
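To see what those `set type=mx` and `set type=ns` queries actually put on the wire, here is an added example (not code from the original post) of a minimal DNS client written with only Python's standard library. It builds a query for a chosen record type, sends it to a nameserver over UDP, and decodes the answer section, including the 0xC0 compression pointers that real replies use to avoid repeating names. `SAMPLE_MX_REPLY` is a reply I constructed for example.com so the parser can be exercised offline; the server address passed to `query()` is whatever resolver you choose.

```python
#!/usr/bin/env python3
"""Minimal DNS query/response codec: what nslookup's 'set type=mx' does on the wire.
Added example, not the original post's code; standard library only."""
import socket
import struct
from typing import List, Tuple

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}
TYPE_NAMES = {code: name for name, code in QTYPES.items()}


def encode_name(name: str) -> bytes:
    """'mail.example.com' -> length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """12-byte header (RD bit set, one question) followed by the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name at offset, following compression pointers.
    Returns (name, offset just past the name as written in the message)."""
    labels: List[str] = []
    end = None          # fixed at the first pointer: the name ends there
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:           # two-byte pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 64:                   # looping pointers mean a malformed reply
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_answers(msg: bytes) -> List[Tuple[str, str, str]]:
    """Return (owner, type, rdata-as-text) for every record in the answer section."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    if flags & 0x0200:  # TC bit: UDP reply was truncated; real clients retry over TCP
        raise ValueError("truncated reply, retry over TCP")
    offset = 12
    for _ in range(qdcount):                # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4
    records = []
    for _ in range(ancount):
        owner, offset = read_name(msg, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1:                      # A: four address bytes
            data = socket.inet_ntoa(msg[offset:offset + 4])
        elif rtype == 15:                   # MX: 16-bit preference, then a name
            pref = struct.unpack("!H", msg[offset:offset + 2])[0]
            data = f"{pref} {read_name(msg, offset + 2)[0]}"
        elif rtype in (2, 5):               # NS / CNAME: a single name
            data = read_name(msg, offset)[0]
        else:
            data = msg[offset:offset + rdlen].hex()
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), data))
        offset += rdlen
    return records


def query(name: str, qtype: str, server: str, timeout: float = 3.0):
    """Send one UDP query to server:53 and return the parsed answer records."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype), (server, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_answers(reply)


# Constructed reply: example.com MX 10 mail.example.com and MX 20 mx2.example.com.
# Owner names and the '.example.com' suffixes are 0xC00C pointers to the question.
SAMPLE_MX_REPLY = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"   # header: 1 question, 2 answers
    b"\x07example\x03com\x00\x00\x0f\x00\x01"             # question: example.com MX IN
    b"\xc0\x0c\x00\x0f\x00\x01\x00\x00\x01\x2c\x00\x09\x00\x0a\x04mail\xc0\x0c"
    b"\xc0\x0c\x00\x0f\x00\x01\x00\x00\x01\x2c\x00\x08\x00\x14\x03mx2\xc0\x0c"
)

if __name__ == "__main__":
    for rec in parse_answers(SAMPLE_MX_REPLY):
        print(*rec)
```

Running the file prints the two MX records decoded from the constructed reply; `query("somedomain.com", "NS", "<your resolver IP>")` performs the same exchange nslookup does for `set type=ns`. A reply with the TC bit set is refused on purpose: anything larger than the UDP payload, such as a long NS set, has to be fetched again over TCP, which is exactly what nslookup and dig do behind the scenes.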


DNS Reconnaissance Techniques

Offensive Security, the makers of BackTrack, stress the importance of automating information gathering techniques. They divide DNS information gathering into 3 main types:

  • Forward lookup brute force – Resolving domain names to ip addresses
  • Reverse lookup brute force – Resolving ip addresses to domain names
  • Zone transfers – Acquiring an entire DNS server zone

All of these techniques can be practised with the “host” command.

Host Command

Forward Lookup brute force

The host command line utility is similar to dig and nslookup; it is used for Domain Name System lookups. The following command attempts to resolve a domain name (i.e. a server name) to an IP address. In other words, if I wanted to know whether there is a server at www.somename.com I would type the following command:

    #host <www.somename.com>

This can be called “forward lookup brute force” because I am guessing server names and trying to resolve the IP addresses of potentially available online servers. See my results below resolving the college server’s IP addresses. As you can see, I was able to find a few available and unavailable servers by guessing subdomain names:

 


Reverse Lookup brute force

A reverse lookup is similar to a forward lookup except that it attempts to resolve a domain name from an IP address:

    #host <ip-address>

 

Zone Transfers

A zone transfer attempts to take advantage of a misconfigured nameserver by pretending to be another (secondary) nameserver and requesting all of the DNS zone information. Notice in the example below that the nameserver name has a trailing dot after the domain name. A successful zone transfer reveals all of the information for the DNS zone, including the IP address resolutions for all domains, subdomains, DNS records, and servers within the zone.

    #host -l <domain-attacked> <nameserver-of-domain-attacked>

Example:

    #host -l somedomain.com ns.somedomain.com.

 

Using Automation

This process of looking up domain names (servers) can be automated by making a list of commonly used prefixes that serve as subdomain names for servers and saving it as a text file. The following prefix names typically indicate a server or network device on a domain. Add to the list and save it as a text file, “subdomains.txt”:
www
www2
mail
mx
mx1
mx2
smtp
exchange
proxy
router
firewall
fw
ldap
sslvpn
backup
demo
test
admin
web
ns1
ns2
ns3
security
sql
tacacs
netbios
cisco
smb
imap
timbuktu
syslog
forum
public
ftp
blog

Note: BackTrack ships a list of typical prefix names at /pentest/enumeration/dnsenum/dns.txt
For more information on DNS record types: http://en.wikipedia.org/wiki/List_of_DNS_record_types

Now that you have a list of typical domain prefixes you might want to automate the IP address resolution for quick searches. Here is a simple Bash script which loops through the subdomains.txt file, running a host command for each prefix against a target domain name. Save it as a “.sh” file (“dnshostscript.sh”), give it executable permissions (chmod 755 dnshostscript.sh), and run it (“./dnshostscript.sh”):

    #!/bin/bash
    # Try each prefix from subdomains.txt under the target domain and print only
    # the resolved address (field 4 of a "name has address a.b.c.d" line).
    while read -r name; do
        host "$name.somedomain.com" | grep "has address" | cut -d" " -f4
    done < subdomains.txt

 

Here is a sample Python script that enumerates addresses from a prefix-list text file and a target domain name. Instead of using the host command it relies on Python’s built-in socket module to resolve host names to IP addresses:
getsubdomainips.py

    Usage: #python getsubdomains.py [file of prefixes] [target domain name]
    (eg. #python getsubdomains.py subdomains.txt somedomain.com)
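The script linked above is not reproduced on this page, so here is an added example of my own (not the original getsubdomainips.py) that does the same job as the Bash loop and the described Python script: it reads the subdomains.txt prefix list, resolves each prefix under the target domain with the standard `socket` module, and then runs a reverse lookup on every address it found. Two things the simple loop does not handle are built in: a wildcard check (if a random label resolves, the zone answers for every name and the "hits" are meaningless) and an injectable resolver function, so the logic can be tested against a constructed name table without network access. The example.com names and 192.0.2.x addresses in the test are constructed values.

```python
#!/usr/bin/env python3
"""Forward and reverse lookup enumeration over a prefix list.
Added example; not the original post's getsubdomainips.py. Standard library only."""
import socket
import sys
import uuid
from typing import Callable, Dict, Iterable, List, Optional

# A resolver maps one name (or address) to its answer, or None when there is none.
Resolver = Callable[[str], Optional[str]]


def socket_resolver(hostname: str) -> Optional[str]:
    """Forward (A) lookup via the system resolver; None if the name does not exist."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def socket_reverse_resolver(ip: str) -> Optional[str]:
    """Reverse (PTR) lookup via the system resolver; None if there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def load_prefixes(path: str) -> List[str]:
    """One prefix per line, the subdomains.txt format; blank and '#' lines skipped."""
    with open(path, encoding="utf-8") as fh:
        lines = (ln.strip() for ln in fh)
        return [ln for ln in lines if ln and not ln.startswith("#")]


def wildcard_address(domain: str, resolve: Resolver = socket_resolver) -> Optional[str]:
    """Probe a random label. If it resolves, the zone has a wildcard record and
    every guessed prefix would appear to exist. Returns that address or None."""
    probe = f"{uuid.uuid4().hex[:16]}.{domain}"
    return resolve(probe)


def forward_lookup(prefixes: Iterable[str], domain: str,
                   resolve: Resolver = socket_resolver) -> Dict[str, str]:
    """Return {fqdn: ip} for each prefix that resolves under domain, dropping
    answers that merely echo the wildcard address."""
    wildcard_ip = wildcard_address(domain, resolve)
    found: Dict[str, str] = {}
    for prefix in prefixes:
        fqdn = f"{prefix}.{domain}"
        ip = resolve(fqdn)
        if ip is not None and ip != wildcard_ip:
            found[fqdn] = ip
    return found


def reverse_lookup(ips: Iterable[str],
                   reverse: Resolver = socket_reverse_resolver) -> Dict[str, str]:
    """Return {ip: ptr_name} for each address that has a PTR record."""
    result: Dict[str, str] = {}
    for ip in ips:
        name = reverse(ip)
        if name is not None:
            result[ip] = name
    return result


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} <prefix-file> <target-domain>", file=sys.stderr)
        return 2
    hits = forward_lookup(load_prefixes(argv[1]), argv[2])
    for fqdn, ip in sorted(hits.items()):
        print(f"{fqdn} {ip}")
    for ip, name in sorted(reverse_lookup(set(hits.values())).items()):
        print(f"{ip} -> {name}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it exactly like the script described above: `python getsubdomains.py subdomains.txt somedomain.com`. The wildcard probe matters in practice: a zone with `*.somedomain.com` makes every prefix in the list "resolve", and without the check the output is just the list echoed back with one address.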

 

Author: Dan

Dan teaches computer networking and security classes at Central Oregon Community College.
