DNS
Domain Name System
DNS resolves hostnames to IP addresses and vice versa. DNS records also control the appointment of servers to control e-mail.
Contents
DNS Basics
The DNS system is used to resolve domain names (such as www.blackhatacademy.org) into 4-byte addresses (such as 173.245.60.117) known as IP addresses or (more rarely) DNS addresses. It can be used to obtain a wealth of information concerning a website, all of which can be useful for troubleshooting, penetration testing and recon.
DNS Recon
In this example, random.com is given as a site that the hacker wishes to learn more about. The first step in a hacker's DNS recon might be to type:
|
host random.com |
That will return basic information on the site, ip addresses (a records, aaaa for v6) and mail servers (mx records). For a little bit more information, use the -a flag, it will return everything from txt records to dnssec records.
Taking it a bit further, you can really start to pull a lot of information from DNS given the right circumstances. For example, if a domain name server has axfr's (zone transfers) enabled for everyone, you can get a list of subdomains for any domain name on that server. The easiest way to do this would be something like this:
|
host -tns random.com |
This would give return the dns servers for random.com, allowing you to do something like:
|
host -l random.com. ns75.worldnic.com |
In order to perform a successful zone transfer, you usually want to directly specify the name server. Here is an example of a successful zone transfer:
|
outlookccc.wideopenwest.com has address 64.233.207.77 mail.outlookccc.wideopenwest.com has address 12.152.37.50 pop-13.wideopenwest.com has address 64.233.207.59 pop-14.wideopenwest.com has address 64.233.207.60 portal.wideopenwest.com has address 64.233.207.39 |
Records
MX Record
Mail eXchanger Record
This record prioritizes email delivery for specific domains over multiple protocols.
BIND Syntax Example:
domain.tld. 300 IN MX 1 aspmx.l.google.com. domain.tld. 300 IN MX 5 alt1.aspmx.l.google.com. domain.tld. 300 IN MX 5 alt2.aspmx.l.google.com. domain.tld. 300 IN MX 10 aspmx2.googlemail.com. domain.tld. 300 IN MX 10 aspmx3.googlemail.com.
- The first domain.tld. represents the mailserver hostname.
- The second hostname at the end of each line represents the domain name to deliver mail for
The 1,5,5,10,10 numbers are the priority of the mailservers for that specific domain. The lower the number, the higher the priority.
