Domain Name System
DNS resolves hostnames to IP addresses and vice versa. DNS records also control the appointment of servers to control e-mail.
The DNS system is used to resolve domain names (such as www.blackhatacademy.org) into 4-byte addresses (such as 220.127.116.11) known as IP addresses or (more rarely) DNS addresses. It can be used to obtain a wealth of information concerning a website, all of which can be useful for troubleshooting, penetration testing and recon.
In this example, random.com is given as a site that the hacker wishes to learn more about. The first step in a hacker's DNS recon might be to type:
That will return basic information on the site, ip addresses (a records, aaaa for v6) and mail servers (mx records). For a little bit more information, use the -a flag, it will return everything from txt records to dnssec records.
Taking it a bit further, you can really start to pull a lot of information from DNS given the right circumstances. For example, if a domain name server has axfr's (zone transfers) enabled for everyone, you can get a list of subdomains for any domain name on that server. The easiest way to do this would be something like this:
host -tns random.com
This would give return the dns servers for random.com, allowing you to do something like:
host -l random.com. ns75.worldnic.com
In order to perform a successful zone transfer, you usually want to directly specify the name server. Here is an example of a successful zone transfer:
outlookccc.wideopenwest.com has address 18.104.22.168 mail.outlookccc.wideopenwest.com has address 22.214.171.124 pop-13.wideopenwest.com has address 126.96.36.199 pop-14.wideopenwest.com has address 188.8.131.52 portal.wideopenwest.com has address 184.108.40.206
Mail eXchanger Record
This record prioritizes email delivery for specific domains over multiple protocols.
BIND Syntax Example:
domain.tld. 300 IN MX 1 aspmx.l.google.com. domain.tld. 300 IN MX 5 alt1.aspmx.l.google.com. domain.tld. 300 IN MX 5 alt2.aspmx.l.google.com. domain.tld. 300 IN MX 10 aspmx2.googlemail.com. domain.tld. 300 IN MX 10 aspmx3.googlemail.com.
- The first domain.tld. represents the mailserver hostname.
- The second hostname at the end of each line represents the domain name to deliver mail for
The 1,5,5,10,10 numbers are the priority of the mailservers for that specific domain. The lower the number, the higher the priority.