Difference between revisions of "DNS"

From NetSec
Revision as of 16:03, 4 January 2012

Dynamic Name System or Domain Name System

DNS resolves hostnames to IP addresses and vice versa. DNS records also designate which servers handle e-mail for a domain.

DNS Basics

DNS resolves domain names (such as www.blackhatacademy.org) into 4-byte IPv4 addresses (such as 173.245.60.117), known as IP addresses or (more rarely) DNS addresses. It can also be used to obtain a wealth of information about a website, all of which is useful for troubleshooting, penetration testing and recon.

DNS Recon

In this example, random.com is given as a site that the hacker wishes to learn more about. The first step in DNS recon is to type:

host random.com.

That will give you basic information on the site: IP addresses (A records; AAAA records for IPv6) and mail servers (MX records). For more information, use the -a flag, which returns everything from TXT records to DNSSEC records.

Taking it a bit further, you can really start to pull a lot of information from DNS given the right circumstances. For example, if a domain name server has AXFR (zone transfers) enabled for everyone, you can get a list of subdomains for any domain name on that server. The easiest way to do this would be something like this:

host -tns random.com

That will give you the DNS servers for random.com; then you'll want to do something like:

host -l random.com. ns75.worldnic.com.

In order to perform a successful zone transfer, you usually want to directly specify the name server. Here is an example of a successful zone transfer:

outlookccc.wideopenwest.com has address 64.233.207.77
mail.outlookccc.wideopenwest.com has address 12.152.37.50
pop-13.wideopenwest.com has address 64.233.207.59
pop-14.wideopenwest.com has address 64.233.207.60
portal.wideopenwest.com has address 64.233.207.39
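As an added example (not part of the original lesson), here is a small Python script that parses host(1) output of the kind shown above and, from the zone owner's side, flags entries whose addresses fall outside the netblocks you expect, which is how stale or third-party-hosted records get spotted when auditing your own zone. The sample input is the zone-transfer output quoted above, and the 64.233.207.0/24 range is an assumption made for the illustration.

```python
import ipaddress
import re

# Constructed sample: the 'host -l' zone-transfer output quoted in the lesson.
SAMPLE_ZONE_OUTPUT = """\
outlookccc.wideopenwest.com has address 64.233.207.77
mail.outlookccc.wideopenwest.com has address 12.152.37.50
pop-13.wideopenwest.com has address 64.233.207.59
pop-14.wideopenwest.com has address 64.233.207.60
portal.wideopenwest.com has address 64.233.207.39
"""

# Line shapes emitted by host(1) for the record types the lesson mentions.
LINE_PATTERNS = [
    (re.compile(r"^(\S+) has address (\S+)$"), "A"),
    (re.compile(r"^(\S+) has IPv6 address (\S+)$"), "AAAA"),
    (re.compile(r"^(\S+) mail is handled by \d+ (\S+)$"), "MX"),
    (re.compile(r"^(\S+) name server (\S+)$"), "NS"),
    (re.compile(r"^(\S+) is an alias for (\S+)$"), "CNAME"),
]


def parse_host_output(text):
    """Turn host(1) output into (name, rtype, value) tuples; unknown lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        for pattern, rtype in LINE_PATTERNS:
            m = pattern.match(line)
            if m:
                name, value = m.group(1).lower().rstrip("."), m.group(2).rstrip(".")
                records.append((name, rtype, value))
                break
    return records


def hosts_outside_netblocks(records, allowed_networks):
    """Return [(name, ip)] for A/AAAA records not inside any allowed network."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    outside = []
    for name, rtype, value in records:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(value)
            if not any(addr in net for net in nets):
                outside.append((name, value))
    return outside


if __name__ == "__main__":
    recs = parse_host_output(SAMPLE_ZONE_OUTPUT)
    # Assumed netblock for the example; the real allocation is not on the page.
    for name, ip in hosts_outside_netblocks(recs, ["64.233.207.0/24"]):
        print(f"{name} -> {ip} is outside the expected address space")
```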

One last DNS-related resource that I find extremely useful is yougetsignal.com, specifically http://www.yougetsignal.com/tools/web-sites-on-web-server/. Essentially, you enter a domain or an IP address and it returns a list of domain names that point to that IP.

See protocols for more information.

DNS Server Software