
Difference between revisions of "DNS"

From NetSec
(Lesson)
(Added priority to MX)
 
(7 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
{{cleanup}}
 
{{cleanup}}
<b>D</b>ymic <b>N</b>ame <b>S</b>ystem or <b>D</b>omain <b>N</b>ame <b>S</b>ystem
+
<b>D</b>omain <b>N</b>ame <b>S</b>ystem
  
 
DNS resolves hostnames to IP addresses and vice versa.  DNS records also control the appointment of servers to control e-mail.   
 
DNS resolves hostnames to IP addresses and vice versa.  DNS records also control the appointment of servers to control e-mail.   
  
==DNS Basics==
+
=DNS Basics=
  
 
The DNS system is used to resolve domain names (such as www.blackhatacademy.org) into 4-byte addresses (such as 173.245.60.117) known as IP addresses or (more rarely) DNS addresses. It can be used to obtain a wealth of information concerning a website, all of which can be useful for troubleshooting, penetration testing and recon.
 
The DNS system is used to resolve domain names (such as www.blackhatacademy.org) into 4-byte addresses (such as 173.245.60.117) known as IP addresses or (more rarely) DNS addresses. It can be used to obtain a wealth of information concerning a website, all of which can be useful for troubleshooting, penetration testing and recon.
  
=== DNS Recon ===
+
== DNS Recon ==
  
In this example, random.com is given as a site that the hacker wishes to learn more about. The first step in DNS recon is to type:  
+
In this example, random.com is given as a site that the hacker wishes to learn more about. The first step in a hacker's DNS recon might be to type:
  
 
{{code|text=
 
{{code|text=
host random.com.
+
host random.com
 
}}
 
}}
  
That will give you basic information on the site, ip addresses (a records, aaaa for v6) and mail servers (mx records). For a little bit more information, use the -a flag, it will give you everything from txt records to dnssec records.
+
That will return basic information on the site, ip addresses (a records, aaaa for v6) and mail servers (mx records). For a little bit more information, use the -a flag, it will return everything from txt records to dnssec records.
  
 
Taking it a bit further, you can really start to pull a lot of information from DNS given the right circumstances. For example, if a domain name server has axfr's (zone transfers) enabled for everyone, you can get a list of subdomains for any domain name on that server. The easiest way to do this would be something like this:
 
Taking it a bit further, you can really start to pull a lot of information from DNS given the right circumstances. For example, if a domain name server has axfr's (zone transfers) enabled for everyone, you can get a list of subdomains for any domain name on that server. The easiest way to do this would be something like this:
 +
 +
{{code|text=
 
host -tns random.com
 
host -tns random.com
That will give you the dns servers for random.com, then you'll want to do something like: host -l random.com. ns75.worldnic.com. In order to perform a successful zone transfer, you usually want to directly specify the name server. Here is an example of a successful zone transfer:
+
}}
 +
 
 +
This would give return the dns servers for random.com, allowing you to do something like:  
 +
 
 +
{{code|text=
 +
host -l random.com. ns75.worldnic.com
 +
}}
 +
 
 +
In order to perform a successful zone transfer, you usually want to directly specify the name server. Here is an example of a successful zone transfer:
 +
 
 +
{{code|text=
 
outlookccc.wideopenwest.com has address 64.233.207.77
 
outlookccc.wideopenwest.com has address 64.233.207.77
 
mail.outlookccc.wideopenwest.com has address 12.152.37.50
 
mail.outlookccc.wideopenwest.com has address 12.152.37.50
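Review bot: the zone transfer command added in this hunk, "host -l random.com. ns75.worldnic.com", queries random.com, but the output presented directly below it as the result of a successful transfer lists wideopenwest.com hosts; either run the example against the zone whose output is shown or show random.com's output, so the command and its result match. The added sentence "This would give return the dns servers" should read "This would return the dns servers". Dropping the trailing dot in the change from "host random.com." to "host random.com" also changes the name from fully qualified to one the resolver may complete from its search list when the absolute lookup fails; both work here, but the edit summary does not mention it.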
Line 26: Line 38:
 
pop-14.wideopenwest.com has address 64.233.207.60
 
pop-14.wideopenwest.com has address 64.233.207.60
 
portal.wideopenwest.com has address 64.233.207.39
 
portal.wideopenwest.com has address 64.233.207.39
 +
}}
  
The one last resource as far as dns goes that I find extremely useful is yougetsignal.com. http://www.yougetsignal.com/tools/web-sites-on-web-server/, that tool specifically. Essentially, you enter a domain or an IP and it will return a list of domain names that point to the ip.
+
= Records =
  
See [[protocols]] for more information.
+
== MX Record ==
  
== DNS Server Software ==
+
<b>M</b>ail e<b>X</b>changer Record
 +
 
 +
This record prioritizes email delivery for specific domains over multiple protocols.
 +
 
 +
 
 +
[[BIND]] Syntax Example:
 +
 
 +
  domain.tld.    300    IN    MX    1    aspmx.l.google.com.
 +
  domain.tld.    300    IN    MX    5    alt1.aspmx.l.google.com.
 +
  domain.tld.    300    IN    MX    5    alt2.aspmx.l.google.com.
 +
  domain.tld.    300    IN    MX    10  aspmx2.googlemail.com.
 +
  domain.tld.    300    IN    MX    10  aspmx3.googlemail.com.
 +
 
 +
*The first domain.tld. represents the mailserver hostname.
 +
*The second hostname at the end of each line represents the domain name to deliver mail for
 +
 
 +
The 1,5,5,10,10 numbers are the priority of the mailservers for that specific domain.  The lower the number, the higher the priority.
 +
 
 +
==CNAME Record==
 +
 
 +
==DNAME Record==
 +
 
 +
==A Record==
 +
 
 +
=DNS Server Software=
  
 
* [http://www.isc.org/software/bind Bind]
 
* [http://www.isc.org/software/bind Bind]
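Review bot: the two bullets added after the BIND example have the roles reversed: in "domain.tld. 300 IN MX 1 aspmx.l.google.com." the owner name domain.tld. is the domain that mail is delivered for, and aspmx.l.google.com. at the end of the line is the mail exchanger that receives it; swap the two descriptions. The added sentence "This record prioritizes email delivery for specific domains over multiple protocols" overstates what MX does: the record only tells a sending mail server which hosts to try for a domain and in what order, so drop "over multiple protocols". The new ==CNAME Record==, ==DNAME Record== and ==A Record== sections are added with no body; fill them in or leave them out until there is content.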
Line 38: Line 75:
 
* [http://cr.yp.to/djbdns.html djbdns]
 
* [http://cr.yp.to/djbdns.html djbdns]
 
* [http://www.corpit.ru/mjt/rbldnsd.html rbldnsd]
 
* [http://www.corpit.ru/mjt/rbldnsd.html rbldnsd]
 +
 +
= DNS Utilities =
 +
 +
* [http://www.yougetsignal.com/ YouGetSignal]
 +
 +
* [[dig]]
  
 
[[Category:Protocols]]
 
[[Category:Protocols]]
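Review bot: the new = DNS Utilities = list omits "host", the only tool the article actually uses in the recon section, while listing dig; add a [[host]] entry, ideally noting the -t and -l flags the article relies on. YouGetSignal is a web service rather than a local utility, and as the article itself says you submit a domain or IP to it to get the list back, which is worth a word beside the link so readers know the lookup leaves their machine.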

Latest revision as of 07:06, 12 August 2012

Domain Name System

DNS resolves hostnames to IP addresses and vice versa. DNS records also designate which servers handle a domain's e-mail.

DNS Basics

The DNS system is used to resolve domain names (such as www.blackhatacademy.org) into 4-byte (IPv4) addresses (such as 173.245.60.117) known as IP addresses or (more rarely) DNS addresses. It can be used to obtain a wealth of information about a website, all of which is useful for troubleshooting, penetration testing and recon.

DNS Recon

In this example, random.com is given as a site that the hacker wishes to learn more about. The first step in a hacker's DNS recon might be to type:

host random.com

That returns the basic records for the name: its IP addresses (A records, AAAA for IPv6) and its mail servers (MX records). For more detail, use the -a flag, which returns every record type, from TXT records to DNSSEC records.

Taking it a bit further, you can pull a lot of information from DNS given the right circumstances. For example, if a name server has zone transfers (AXFR) enabled for everyone, you can get a list of subdomains for any domain hosted on that server. The easiest way to do this is something like this:

host -tns random.com

This returns the name servers (NS records) for random.com, allowing you to do something like:

host -l random.com. ns75.worldnic.com

In order to perform a successful zone transfer, you usually want to specify the name server directly. Here is an example of a successful zone transfer (against a different zone, wideopenwest.com):

 outlookccc.wideopenwest.com has address 64.233.207.77
 mail.outlookccc.wideopenwest.com has address 12.152.37.50
 pop-13.wideopenwest.com has address 64.233.207.59
 pop-14.wideopenwest.com has address 64.233.207.60
 portal.wideopenwest.com has address 64.233.207.39

Records

MX Record

Mail eXchanger Record

This record prioritizes email delivery for specific domains over multiple protocols.


BIND Syntax Example:

 domain.tld.    300    IN    MX    1    aspmx.l.google.com.
 domain.tld.    300    IN    MX    5    alt1.aspmx.l.google.com.
 domain.tld.    300    IN    MX    5    alt2.aspmx.l.google.com.
 domain.tld.    300    IN    MX    10   aspmx2.googlemail.com.
 domain.tld.    300    IN    MX    10   aspmx3.googlemail.com.
  • The first domain.tld. represents the mailserver hostname.
  • The second hostname at the end of each line represents the domain name to deliver mail for.

The numbers 1, 5, 5, 10 and 10 are the priorities (preference values) of the mail servers for that domain. The lower the number, the higher the priority.
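As an added example (not part of the original article), the records above parsed in Python and ordered the way a sending mail server tries them; the $ORIGIN line and the relative backup-mx entry are constructed additions that show how BIND completes a name written without a trailing dot. The code reads the owner name domain.tld. as the domain mail is addressed to and the name at the end of each record as the mail exchanger that receives it, which is what the MX record format specifies.

```python
"""Added example: parse BIND MX records and derive the delivery order."""
import re
from collections import defaultdict

# Constructed sample: the article's records, plus a $ORIGIN line and one
# relative name (backup-mx, no trailing dot) to show how BIND qualifies it.
SAMPLE_ZONE = """\
$ORIGIN domain.tld.
domain.tld.    300    IN    MX    1    aspmx.l.google.com.
domain.tld.    300    IN    MX    5    alt1.aspmx.l.google.com.
domain.tld.    300    IN    MX    5    alt2.aspmx.l.google.com.
domain.tld.    300    IN    MX    10   aspmx2.googlemail.com.
domain.tld.    300    IN    MX    10   aspmx3.googlemail.com.
domain.tld.    300    IN    MX    20   backup-mx
"""

# owner  TTL  class  MX  preference  exchanger
MX_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+MX\s+(\d+)\s+(\S+)\s*$")

def qualify(name, origin):
    """A name without a trailing dot is relative; BIND appends $ORIGIN to it."""
    if name.endswith("."):
        return name
    if origin is None:
        raise ValueError(f"relative name {name!r} but no $ORIGIN set")
    return f"{name}.{origin}"

def parse_mx(zone_text):
    """Return {owner_domain: [(preference, exchanger_fqdn), ...]}.
    The owner is the domain mail is addressed to; the exchanger receives it."""
    origin, records = None, defaultdict(list)
    for line in zone_text.splitlines():
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = MX_LINE.match(line)
        if m:
            owner, _ttl, pref, exchanger = m.groups()
            records[qualify(owner, origin)].append((int(pref), qualify(exchanger, origin)))
    return dict(records)

def delivery_order(mx_records):
    """Group exchangers by preference, lowest (most preferred) first. Hosts that
    share a preference are equal; a sending MTA picks among them (RFC 5321: at random)."""
    by_pref = defaultdict(list)
    for pref, exchanger in mx_records:
        by_pref[pref].append(exchanger)
    return [(pref, sorted(by_pref[pref])) for pref in sorted(by_pref)]
```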

CNAME Record

DNAME Record

A Record

DNS Server Software

DNS Utilities