# Domain Name Service (DNS)

## Introduction

- system for resolving domain names into IP addresses
- no central database; instead it is akin to a library of many different phone books
- mainly unencrypted
- DNS over TLS (DoT) or DNS over HTTPS (DoH) can be used for enhanced security

| Server Type          | Description                                                                                                                                          |
| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| DNS Root Server      | responsible for TLDs; ICANN coordinates the work of the root name servers; 13 such servers around the world                                          |
| authoritative NS     | holds authority for particular zones; only answers queries from its AOR with binding info; typically provides answers to recursive DNS nameservers |
| non-authoritative NS | not responsible for a particular zone; instead, collects info on specific zones with recursive or iterative queries                                 |
| caching DNS server   | caches info from other name servers for a specified period                                                                                           |
| forwarding server    | forwards DNS queries to another DNS server                                                                                                           |
| resolver             | performs local name resolution                                                                                                                       |

| DNS Record Type | Description                                                                              |
| --------------- | ---------------------------------------------------------------------------------------- |
| A               | returns IPv4 address of requested domain                                                 |
| AAAA            | returns IPv6 address of requested domain                                                 |
| MX              | returns responsible mail servers                                                         |
| NS              | returns DNS servers for domain                                                           |
| TXT             | contains various info such as SSL cert validation info, SPF, DMARC, etc.                 |
| CNAME           | alias for another domain                                                                 |
| PTR             | converts IP addresses to domains (reverse lookup)                                        |
| SOA             | provides info about the corresponding DNS zone and the email address of the admin contact |

```bash
dig soa inlinefreight.com   # returns SOA record
```

## Footprinting DNS

```bash
dig ns inlinefreight.com @<dns_server_ip>              # query which name servers are known
dig CH TXT version.bind @<dns_server_ip>               # query DNS server version info (CHAOS class)
dig any inlinefreight.com @<dns_server_ip>             # query all available records
dig axfr inlinefreight.com @<dns_server_ip>            # attempt zone transfer over TCP 53
dig axfr internal.inlinefreight.com @<dns_server_ip>   # attempt internal zone transfer
```

### Subdomain Brute Forcing

```bash
#!/bin/bash
# for loop that runs through the specified wordlist; the pipeline filters out
# lines containing a semicolon or SOA, removes blank lines, and keeps only
# lines that mention the candidate subdomain
for sub in $(cat /usr/share/seclists/Discovery/DNS/subdomains-xxx.txt); do
    dig "$sub.inlanefreight.htb" @<dns_server_ip> | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep "$sub" | tee -a subdomains.txt
done

# similar in effect to the above script
dnsenum --dnsserver <dns_server_ip> --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/subdomains-xxx.txt <domain>
```

## DNS Config

- typically 3 types of config files: local DNS config files, zone files, and reverse name resolution files
- the Bind9 server is often used on Linux distros
- local DNS config files: `named.conf.local`, `named.conf.options`, `named.conf.log`, located within `/etc/bind/`
- zone file: a text file that describes a DNS zone in the BIND format; see `/etc/bind/db.domain.com`
- reverse name resolution file: `/etc/bind/db.<ip_addr>`

### Dangerous DNS Config Settings

| Option          | Description                                                                  |
| --------------- | ---------------------------------------------------------------------------- |
| allow-query     | defines which hosts are allowed to send requests to the DNS server           |
| allow-recursion | defines which hosts are allowed to send recursive requests to the DNS server |
| allow-transfer  | defines which hosts are allowed to receive zone transfers from the DNS server |
| zone-statistics | collect statistical data of zones                                            |
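As an added example (not part of the original notes), a BIND `named.conf` fragment showing the weak settings from the table above beside a hardened version that closes off the zone transfer and version queries used in the footprinting section; the ACL addresses, key name, and zone name are assumed:

```conf
// ---- Weak: any host may query, recurse, and pull the whole zone (AXFR) ----
options {
    allow-query     { any; };
    allow-recursion { any; };   // open resolver
    allow-transfer  { any; };   // "dig axfr" succeeds from anywhere
};

// ---- Hardened (assumed addresses/names, not from the original notes) ----
acl "lan"         { 10.0.0.0/8; 192.168.0.0/16; localhost; };
acl "secondaries" { 10.0.0.2; 10.0.0.3; };

// TSIG key shared with the secondaries; secret is a placeholder, generate with tsig-keygen
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<BASE64_SECRET_PLACEHOLDER>";
};

options {
    allow-query     { any; };           // authoritative data may still be looked up
    allow-recursion { "lan"; };         // never act as an open resolver for the internet
    allow-transfer  { none; };          // global default: no zone transfers at all
    version "not disclosed";            // blunts the CH TXT version.bind query
};

zone "inlanefreight.htb" {
    type master;
    file "/etc/bind/db.inlanefreight.htb";
    allow-transfer { key xfer-key; };   // only TSIG-signed AXFR/IXFR from the secondaries
    also-notify    { 10.0.0.2; 10.0.0.3; };
    zone-statistics yes;                // keep counters so transfer/query spikes are visible
};
```

After reloading, `dig axfr inlanefreight.htb @<dns_server_ip>` from an unlisted host should return "Transfer failed." rather than the zone contents.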