DNS
(TCP/UDP 53)
Introduction
Uses TCP port 53 by default, falling back to UDP port 53 if that is not possible.
Checklist
Quick Check
DNS Enumeration
nslookup
run in interactive mode:
dig
mostly used to perform a zone transfer
fierce
nmap
dnsrecon
dnsrecon -d [domain]
- Displays the SOA, NS, A, AAAA, MX, and SRV records of the target domain
dnsrecon -d [domain] -t rvl
- Performs a reverse DNS lookup for an IP address or CIDR range
dnsrecon -d [domain] -t axfr
- Attempts a zone transfer against all nameservers listed in NS records
dnsrecon -d [domain] -t zonewalk
- Performs a DNSSEC zone walk by querying for NSEC records
dnsrecon -d [domain] -t snoop -D [dictionary file]
- Scans for DNS cache snooping using a supplied dictionary file
DNSRecon can also perform subdomain brute forcing with a dictionary using the following command:
dnsrecon -d [domain] -t brt -D [dictionary file]
Finally, DNSRecon can output the returned data to an XML file using the --xml [output file] flag, or to an SQLite database using the --db [output file] flag.
dnsmap
host
dnsenum
Identifying private addresses by using dig
bash zone transfer
here is a simple bash script which performs a zone transfer:
IPv6
Brute force using "AAAA" requests to gather the IPv6 addresses of the subdomains.
Brute force reverse DNS using IPv6 addresses.
NSEC / NSEC3
You can query name servers that support DNSSEC to reveal valid hostnames. Scripts that automate this are dns-nsec-enum and dns-nsec3-enum.
DNS Recursion DDoS
If DNS recursion is enabled, an attacker could spoof the source address of the UDP packet so that the DNS server sends its response to the victim server. ANY or DNSSEC record types are the ones typically abused, since they tend to produce the largest responses. The way to check whether a DNS server supports recursion is to query a domain name and check whether the "ra" (recursion available) flag is set in the response.
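To make the "ra" flag check above repeatable when auditing your own name servers, here is an added Python example (not code from the original page) that builds a raw DNS query, parses the response header flags, and reports whether the server advertises recursion; the sample responses and helper names are constructed for illustration.

```python
import socket
import struct

# Build a minimal DNS query (12-byte header + one question) for `name`, type A, class IN.
def build_query(name, txid=0x1234, recursion_desired=True):
    flags = 0x0100 if recursion_desired else 0x0000          # RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

# Parse the header and return the bits a recursion audit cares about.
def parse_header(resp):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),    # response bit
        "rd": bool(flags & 0x0100),    # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),    # recursion available: the flag we look for
        "rcode": flags & 0x000F,       # 0 = NOERROR, 5 = REFUSED
        "answers": an,
    }

# True only for a genuine reply (QR set, matching ID) that advertises recursion.
def offers_recursion(resp, txid):
    h = parse_header(resp)
    return h["qr"] and h["id"] == txid and h["ra"]

# Live check against a server you operate; not exercised by the tests.
def check_server(server, name="example.com", timeout=2.0):
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        resp, _ = s.recvfrom(512)
    return offers_recursion(resp, txid)

# Constructed sample responses (header only; the flag check needs nothing else).
OPEN_RESOLVER_RESP = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR RD RA
AUTH_ONLY_RESP = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)      # QR RD, REFUSED
```

An authoritative-only server should answer like AUTH_ONLY_RESP (no RA, often REFUSED); any server you do not intend to be a public resolver that answers like OPEN_RESOLVER_RESP needs recursion restricted.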
Known Vulnerabilities
SIGRed
Simple DNS Plus Remote DoS