The internet and the web would not function without DNS servers. DNS is an integral part of our experience of the internet. DNS resolves names to ip addresses allowing us to type in www.yahoo.com into the address bar without having to remember the ip address 126.96.36.199 instead. Imagine having to put ip addresses into Internet Explorer to do all your surfing…yuck!
From a security/reconnaissance point of view, DNS can be exploited, and offer a means of discovery of an organization’s public and possibly private servers, services and the corresponding ip address locations. By necessity a domain’s authoritative DNS server will give information regarding the domain’s mail servers and DNS servers. We can resolve domain names, DNS servers, and mail servers to ip addresses using the following tools: nslookup, host, and dig. A great resource about DNS can be found here: https://webhostinggeeks.com/guides/dns/
By typing in nslookup into a command prompt or Linux terminal shell. You will resolve DNS-to-ip-address queries using whatever DNS server has been configured in your network settings. In the following example I use nslookup to access my locally configured DNS server and resolve the “A” record or address record for “yahoo.com”:
If we want to query mail servers we put in the following commands:
In the example below nslookup has discovered 3 mail servers
If we want to query for authoritative DNS servers for a domain we put in the following commands:
In the example below nslookup has discovered 7 authoritative name servers
DNS Reconnaissance Techniques
Offensive Security, the makers of BackTrack, stress the importance of automating information gathering techniques. They delineate DNS information gathering into 3 main types:
- Forward lookup brute force – Resolving domain names to ip addresses
- Reverse lookup brute force – Resolving ip addresses to domain names
- Zone transfers – Acquiring an entire DNS server zone
In order to learn all of these techniques you can use the “host” command.
Forward Lookup brute force
The host command line utility is similar to the dig utility and nslookup, it is used for domain name system lookups. The following command will attempt to resolve a domain name (i.e. server) to an ip address. In other words if I wanted to know if there is a server at www.somename.com I would type in the following command:
This can be called “forward lookup brute force” because I am guessing at server names and trying to resolve ip addresses of potentially available online servers. See my results below resolving the college server’s ip addresses. As you can see I was able to find a few available and unavailable servers by guessing at subdomain names:
Reverse Lookup brute force
A reverse lookup is similar to a forward lookup except it attempts to resolve domain names from ip addresses:
A zone transfer attempts to take advantage of a mis-configured nameserver by pretending to be another nameserver, and requesting all DNS zone information. Notice in the example below, that the nameserver has a dot included after the domain name. A successful zone transfer will reveal all of the information for the DNS zone, including the IP address resolutions for all domains, subdomains, DNS records, and servers within the zone.
#host -l <domain-attacked> <nameserver–of–domain-attacked>
#host -l somedomain.com ns.somedomain.com.
This process of looking up domain names (servers) can be automated by making a list of commonly used domain prefixes used as subdomain names for servers and saving it as a text file. The following prefix names typically indicate a server or network device on a domain. Add to the list and save it as a text file, “subdomains.txt”:
Note: BackTrack has a list of typical prefix names located in: /pentest/enumeration/dnsenum/dns.txt
For more information on DNS: http://en.wikipedia.org/wiki/List_of_DNS_record_types
Now that you have a list of typical domain prefixes you might want to automate the IP address resolution for quick searches. Here is a simple Bash script which will loop through the subdomains.txt text file executing host commands on a target domain name. Save it as a “.sh” file (“dnshostscript.sh”), give it executable permissions (chmod 755 dnshostscript), and run it (“./dnshostscript.sh”) :
for name in $(cat subdomains.txt);do
host $name.somedomain.com | grep “has address” | cut -d” ” -f4
Here is a sample Python script that will enumerate addresses from a prefix list text file and a target domain name. Instead of using the host command it relies on Pythons built in socket tools to resolve host names to ip addresses:
Usage: #python getsubdomains.py [file of prefixes] [target domain name]
(eg. #python getsubdomains.py subdomains.txt somedomain.com)