sator-sdk/DNS-Enumeration
DNS Enumeration

DNS Record types

  • SOA: The Start of Authority record contains administrative information about the zone transfers. This record shows the DNS server that contains the best (Authoritative) source of information for that specific domain. The output includes the primary name server, mail address, TTL, and more.

  • NS: Nameserver records contain the name of the authoritative servers hosting the DNS records for a domain.

  • A: Also known as a host record, the A record contains the IPv4 address of a hostname.

  • AAAA: IPv6 address.

  • MX: Mail Exchange records contain the names of the servers responsible for handling email for the domain. A domain can contain multiple MX records.

  • PTR: Pointer Records are used in reverse lookup zones and are used to find the records associated with an IP address.

  • CNAME: Canonical Name Records are used to create aliases for other host records.

  • TXT: Text records can contain any arbitrary data and can be used for various purposes, such as domain ownership verification.


Forward lookup

Get an IP of a Hostname

# (a subdomain is required in most situations)
# Basic host command:
host www.domain.com
# By default, the host command looks for an A record, which is what we want right now (the type can be changed with -t)

# Basic dig command:
dig www.domain.com
# tweaked to retrieve only the required info (the IP of the www.domain.com A record in this case)
dig www.domain.com +short
# tweaked to retrieve a more extensive output of the required info (the full A record line with TTL and class)
dig www.domain.com +noall +answer

# nslookup
nslookup www.domain.com

Query a specific type of DNS Record

# host:
host -t <record-type> domain.com

# dig:
dig domain.com <record-type> +noall +answer
# variant for querying a specific DNS server IP
dig @<dns_ip> domain.com <record-type> +noall +answer
# Request ALL available record types
# (many servers answer ANY queries with a minimal or empty response, so query the types individually if this returns little)
dig @<dns_ip> domain.com any +noall +answer

# nslookup:
nslookup -type=<record-type> domain.com

Trace DNS route

Follow the delegation path from the root name servers for the name being looked up.

dig +trace +short domain.com

TTL

Time to Live

dig +noall +answer +ttlid a domain.com

Name Server

A name server handles requests related to a domain; the authoritative name servers are the ones that hold the zone data. Multiple name servers typically exist for a domain, for redundancy among other reasons, and they are (or should be) kept in sync with each other. They are built as a hierarchy: a primary (master) NS controls the other, distributed name servers, which ask the primary for all the information they need. That synchronisation is done through a zone transfer, which is effectively a request to dump everything the primary NS holds (records, etc.). In a properly configured zone, only the other name servers of the same domain are allowed to request this kind of procedure. So if the querying client is not properly checked, a zone transfer to an unauthorized source can happen. (More on this later.)

Find Name Server:

  1. Query the domain NS record
  2. Retrieve the IP of the newly found name server
# Nameserver hostname
dig domain.com ns +noall +answer
host -t ns domain.com
nslookup -type=ns domain.com

# IPv4 address of the name server (its A record)
dig <nameserver-hostname> +noall +answer
host <nameserver-hostname>
nslookup <nameserver-hostname>

Another trick is to resolve a domain name directly from the authoritative DNS server:

# find the SOA
dig soa domain.com
host -t soa domain.com
nslookup -type=soa domain.com

# perform another lookup specifying the nameserver
dig @<nameserver-hostname> domain.com
nslookup domain.com <nameserver-hostname>
# This gives both the domain IP and the NS IP

Query another DNS server

If no NS is given to the dig command, dig automatically uses the servers listed in the default /etc/resolv.conf file. To specify a name server against which the query will be executed, use the @ (at) symbol followed by the name server IP address or hostname. nslookup offers the same option by adding the IP of the chosen DNS server after the target domain, and the host command works the same way. This is a crucial step when searching for information about a domain whose records and hosts are split across different servers.

dig @<dns-server-ip> domain.com
host domain.com <dns-server-ip>
nslookup domain.com <dns-server-ip>

/etc/resolv.conf

It's crucial to keep in mind that if you are dealing with a private network, or any situation in which the name server is not reachable through your default DNS configuration, you need to manually add the private/custom NS to the resolv.conf file in order to communicate with it properly. It has to be added at the beginning, before your default nameserver:

# /etc/resolv.conf
# Generated by NetworkManager
# search isp            (the original "search isp" line, commented out)
# the custom/private NS goes first:
nameserver 192.168.50.71
nameserver 192.168.1.1
nameserver <ipv6-nameserver>

There is also a resolvconf program that can handle all of this for you if you don't want to do it manually.


Reverse lookup

Get the Hostname of an IP

# host:
host <ip>

# dig:
dig -x <ip> +short
# reverse lookup trick - write the IP you are about to query (192.168.23.66) in reverse order and append .in-addr.arpa, making dig request a PTR record:
dig 66.23.168.192.in-addr.arpa PTR

# nslookup:
# nslookup automatically queries an A record if a hostname is provided, or a PTR record if an IP is provided (a reverse lookup that finds the name an IP points to)
nslookup domain.com
nslookup <ip>
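The reverse-order trick above generalises to IPv6, where every hex nibble (not every group) is reversed under ip6.arpa. This Python helper is an added example, not code from the repository; it builds the PTR query name for either address family using only the standard library.

```python
import ipaddress


def reverse_pointer_name(ip: str) -> str:
    """Return the name to query for a PTR record of `ip`.

    IPv4: octets reversed, joined with dots, under in-addr.arpa.
    IPv6: all 32 nibbles of the expanded address reversed, under ip6.arpa.
    Raises ValueError for anything that is not a valid IP address.
    """
    addr = ipaddress.ip_address(ip)  # validates and normalises (e.g. expands "::1")
    if addr.version == 4:
        octets = str(addr).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    # IPv6: expanded form has 8 groups of 4 hex digits; strip the colons and
    # reverse nibble by nibble, least significant nibble first
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def dig_ptr_command(ip: str) -> str:
    """Compose the manual `dig <name> PTR` equivalent of `dig -x <ip>`."""
    return f"dig {reverse_pointer_name(ip)} PTR"


if __name__ == "__main__":
    # constructed sample addresses (documentation ranges), not real targets
    for sample in ("192.168.23.66", "2001:db8::1"):
        print(dig_ptr_command(sample))
```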

Nmap Scan Reverselookup

Scan a target range for a reverse DNS lookup

# -sL: perform only a DNS resolution (list scan), not a proper port scan
# --dns-servers: use external resolvers so they handle the query volume
nmap --dns-servers 8.8.8.8,1.1.1.1 -sL 200.12.94.0/24 177.123.45.0/24

Subdomain Enumeration

dnsrecon

dnsrecon -d domain.com -D /usr/share/seclists/Discovery/DNS/... -t brt

bash

for i in $(cat /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt); do host $i.domain.com; done | grep "has address"

Zone Transfer

# host
host -l domain.com <nameserver-ip>
# complete info with all the records
host -a -l domain.com <nameserver-ip>

# dig
dig axfr @<nameserver-ip> domain.com
#
dig axfr @<nameserver-ip> domain.com +answer > zonetransfer
cat zonetransfer | grep domain.com | grep IN | awk '{print $1}' | sed 's/\.$//g' | sort -u > livetargets
# if scanning private network add these results in /etc/hosts
# instead of adding multiple host lines, just add one line per host IP with multiple names separated by spaces
tr '\n' ' ' < livetargets > add_to_hosts

# dnsrecon
dnsrecon -d domain.com -t axfr

# dnsenum
dnsenum domain.com
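The grep/awk/sed pipeline above keeps every name in the transfer, including NS and MX owners that have no address of their own. As an added example (not code from this repository), this Python parser reads `dig axfr` output and produces the one-line-per-IP /etc/hosts entries the comment asks for, using only A records; the zone text is constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `dig axfr @<nameserver-ip> domain.com` output (not a real zone)
SAMPLE_AXFR = """\
; <<>> DiG 9.18.0 <<>> axfr @192.0.2.53 domain.com
;; global options: +cmd
domain.com.           3600  IN  SOA    ns1.domain.com. admin.domain.com. 2024010101 3600 900 604800 86400
domain.com.           3600  IN  NS     ns1.domain.com.
domain.com.           3600  IN  MX     10 mail.domain.com.
ns1.domain.com.       3600  IN  A      192.0.2.53
www.domain.com.       300   IN  A      192.0.2.10
intranet.domain.com.  300   IN  A      192.0.2.10
mail.domain.com.      300   IN  A      192.0.2.25
portal.domain.com.    300   IN  CNAME  www.domain.com.
domain.com.           3600  IN  SOA    ns1.domain.com. admin.domain.com. 2024010101 3600 900 604800 86400
;; Query time: 12 msec
"""


def parse_axfr(text):
    """Yield (name, rtype, rdata) for every resource record line; dig comments start with ';'."""
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # not a `name ttl IN type rdata` line
        name, rtype, rdata = parts[0].rstrip("."), parts[3], " ".join(parts[4:])
        yield name, rtype, rdata


def hosts_lines(text):
    """Return /etc/hosts lines, one per IP, listing every name whose A record points to it.

    NS/MX/CNAME rdata is a name, not an address, so those records are skipped;
    the SOA appears twice in a transfer and is skipped as well.
    """
    by_ip = defaultdict(list)
    for name, rtype, rdata in parse_axfr(text):
        if rtype == "A" and name not in by_ip[rdata]:
            by_ip[rdata].append(name)
    ordered = sorted(by_ip.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    return [f"{ip} {' '.join(sorted(names))}" for ip, names in ordered]


if __name__ == "__main__":
    print("\n".join(hosts_lines(SAMPLE_AXFR)))
```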

The scan-result targets above are the input for three extremely powerful tools; a detailed guide on each of them follows later on. Aquatone is slow and not maintained anymore, so I don't suggest it anymore.

# prepend https:// to each domain name, writing to a new file
sed 's/^/https:\/\//' livetargets > www-livetargets
# or the following command to overwrite the file in place
sed -i 's/^/https:\/\//' livetargets

# httpx
subfinder -d domain.com -silent | httpx -title -tech-detect -status-code
# or
dig axfr @<nameserver-ip> domain.com +answer > zonetransfer
cat zonetransfer | grep domain.com | grep IN | awk '{print $1}' | sed 's/\.$//g' | sort -u > livetargets
cat livetargets | httpx -title -tech-detect -status-code

# aquatone
cat www-livetargets | aquatone


Host discovering automation

dnsrecon

Internal network discovery

# reverse-lookup a range through a given nameserver, saving results to an SQLite DB file
dnsrecon -n <nameserver-ip> -r 192.168.0.0/24 --db target.db

Just a brief example with the host command, customizable.

# reverse-lookup every IP in a list file
for ip in $(cat ip-targets-list.txt); do host $ip; done | grep -v "not found"

# reverse-lookup a whole /24 (valid host octets are 1-254)
for i in $(seq 1 254); do host 192.168.200.$i; done | grep -v "not found"

Wildcard entries and Bypass

A wildcard DNS record is a record in a DNS zone that will match requests for non-existent domain names.

TO DO


Additional dig features

Force IP transport version

# IPv4
dig -4 <normal-query>
# IPv6
dig -6 <normal-query>

Specify Port Number

# query a server listening on a port other than 53
dig -p 666 <normal-query>

Use the +[no]vc or +[no]tcp flag to choose between TCP and UDP transport. Please note that all AXFR queries always use TCP.


Clear DNS Cache

# Windows
# renew IPv4
ipconfig /release
ipconfig /renew
# flush dns cache
ipconfig /flushdns

# Linux
# First check whether the system is caching DNS (the service is systemd-resolved)
systemctl is-active systemd-resolved
# If the response is "active", DNS caching is taking place. If the output is "inactive", caching is disabled
# use the systemd-resolve or resolvectl command with the statistics option to see how many records are in the cache
systemd-resolve --statistics
resolvectl statistics
# ask the systemd-resolved daemon to dump its cache contents to the journal
sudo killall -USR1 systemd-resolved
# save the service's journal to a file
sudo journalctl -u systemd-resolved > dns.txt
# and read it
cat dns.txt
less dns.txt
# Then flush (Debian/Ubuntu)
sudo systemd-resolve --flush-caches
# other distros using nscd
sudo /etc/init.d/nscd restart
# or
resolvectl flush-caches
