Questions about this topic? Sign up to ask in the talk tab.

DNS

From NetSec
Jump to: navigation, search

Domain Name System

DNS resolves hostnames to IP addresses and vice versa. DNS records also control the appointment of servers to control e-mail.

DNS Basics

The DNS system is used to resolve domain names (such as www.blackhatacademy.org) into 4-byte addresses (such as 173.245.60.117) known as IP addresses or (more rarely) DNS addresses. It can be used to obtain a wealth of information concerning a website, all of which can be useful for troubleshooting, penetration testing and recon.

DNS Recon

In this example, random.com is given as a site that the hacker wishes to learn more about. The first step in a hacker's DNS recon might be to type:

host random.com

That will return basic information on the site, ip addresses (a records, aaaa for v6) and mail servers (mx records). For a little bit more information, use the -a flag, it will return everything from txt records to dnssec records.

Taking it a bit further, you can really start to pull a lot of information from DNS given the right circumstances. For example, if a domain name server has axfr's (zone transfers) enabled for everyone, you can get a list of subdomains for any domain name on that server. The easiest way to do this would be something like this:

host -tns random.com

This would give return the dns servers for random.com, allowing you to do something like:

host -l random.com. ns75.worldnic.com

In order to perform a successful zone transfer, you usually want to directly specify the name server. Here is an example of a successful zone transfer:

outlookccc.wideopenwest.com has address 64.233.207.77 mail.outlookccc.wideopenwest.com has address 12.152.37.50 pop-13.wideopenwest.com has address 64.233.207.59 pop-14.wideopenwest.com has address 64.233.207.60 portal.wideopenwest.com has address 64.233.207.39

Records

MX Record

Mail eXchanger Record

This record prioritizes email delivery for specific domains over multiple protocols.


BIND Syntax Example:

 domain.tld.    300    IN    MX    1    aspmx.l.google.com.
 domain.tld.    300    IN    MX    5    alt1.aspmx.l.google.com.
 domain.tld.    300    IN    MX    5    alt2.aspmx.l.google.com.
 domain.tld.    300    IN    MX    10   aspmx2.googlemail.com.
 domain.tld.    300    IN    MX    10   aspmx3.googlemail.com.
  • The first domain.tld. represents the mailserver hostname.
  • The second hostname at the end of each line represents the domain name to deliver mail for

The 1,5,5,10,10 numbers are the priority of the mailservers for that specific domain. The lower the number, the higher the priority.

CNAME Record

DNAME Record

A Record

DNS Server Software

DNS Utilities