Difference between revisions of "DNS"
(→Lesson) |
|||
| Line 4: | Line 4: | ||
DNS resolves hostnames to IP addresses and vice versa. DNS records also control the appointment of servers to control e-mail. | DNS resolves hostnames to IP addresses and vice versa. DNS records also control the appointment of servers to control e-mail. | ||
| − | == | + | ==DNS Basics== |
| − | + | ||
| − | + | The DNS system is used to resolve domain names (such as www.blackhatacademy.org) into 4-byte addresses (such as 173.245.60.117) known as IP addresses or (more rarely) DNS addresses. It can be used to obtain a wealth of information concerning a website, all of which can be useful for troubleshooting, penetration testing and recon. | |
| + | |||
| + | === DNS Recon === | ||
| + | |||
| + | In this example, random.com is given as a site that the hacker wishes to learn more about. The first step in DNS recon is to type: | ||
| + | |||
| + | {{code|text= | ||
| + | host random.com. | ||
| + | }} | ||
| + | |||
| + | That will give you basic information on the site, ip addresses (a records, aaaa for v6) and mail servers (mx records). For a little bit more information, use the -a flag, it will give you everything from txt records to dnssec records. | ||
Taking it a bit further, you can really start to pull a lot of information from DNS given the right circumstances. For example, if a domain name server has axfr's (zone transfers) enabled for everyone, you can get a list of subdomains for any domain name on that server. The easiest way to do this would be something like this: | Taking it a bit further, you can really start to pull a lot of information from DNS given the right circumstances. For example, if a domain name server has axfr's (zone transfers) enabled for everyone, you can get a list of subdomains for any domain name on that server. The easiest way to do this would be something like this: | ||
Revision as of 16:03, 4 January 2012
Dymic Name System or Domain Name System
DNS resolves hostnames to IP addresses and vice versa. DNS records also control the appointment of servers to control e-mail.
DNS Basics
The DNS system is used to resolve domain names (such as www.blackhatacademy.org) into 4-byte addresses (such as 173.245.60.117) known as IP addresses or (more rarely) DNS addresses. It can be used to obtain a wealth of information concerning a website, all of which can be useful for troubleshooting, penetration testing and recon.
DNS Recon
In this example, random.com is given as a site that the hacker wishes to learn more about. The first step in DNS recon is to type:
|
host random.com. |
That will give you basic information on the site, ip addresses (a records, aaaa for v6) and mail servers (mx records). For a little bit more information, use the -a flag, it will give you everything from txt records to dnssec records.
Taking it a bit further, you can really start to pull a lot of information from DNS given the right circumstances. For example, if a domain name server has axfr's (zone transfers) enabled for everyone, you can get a list of subdomains for any domain name on that server. The easiest way to do this would be something like this: host -tns random.com That will give you the dns servers for random.com, then you'll want to do something like: host -l random.com. ns75.worldnic.com. In order to perform a successful zone transfer, you usually want to directly specify the name server. Here is an example of a successful zone transfer: outlookccc.wideopenwest.com has address 64.233.207.77 mail.outlookccc.wideopenwest.com has address 12.152.37.50 pop-13.wideopenwest.com has address 64.233.207.59 pop-14.wideopenwest.com has address 64.233.207.60 portal.wideopenwest.com has address 64.233.207.39
The one last resource as far as dns goes that I find extremely useful is yougetsignal.com. http://www.yougetsignal.com/tools/web-sites-on-web-server/, that tool specifically. Essentially, you enter a domain or an IP and it will return a list of domain names that point to the ip.
See protocols for more information.
