
Difference between revisions of "DNS"

From NetSec
(DNS Recon)
Line 4: Line 4:
 
DNS resolves hostnames to IP addresses and vice versa.  DNS records also control the appointment of servers to control e-mail.   
 
DNS resolves hostnames to IP addresses and vice versa.  DNS records also control the appointment of servers to control e-mail.   
  
==DNS Basics==
+
=DNS Basics=
  
 
The DNS system is used to resolve domain names (such as www.blackhatacademy.org) into 4-byte addresses (such as 173.245.60.117) known as IP addresses or (more rarely) DNS addresses. It can be used to obtain a wealth of information concerning a website, all of which can be useful for troubleshooting, penetration testing and recon.
 
The DNS system is used to resolve domain names (such as www.blackhatacademy.org) into 4-byte addresses (such as 173.245.60.117) known as IP addresses or (more rarely) DNS addresses. It can be used to obtain a wealth of information concerning a website, all of which can be useful for troubleshooting, penetration testing and recon.
  
=== DNS Recon ===
+
== DNS Recon ==
  
 
In this example, random.com is given as a site that the hacker wishes to learn more about. The first step in a hacker's DNS recon might be to type:
 
In this example, random.com is given as a site that the hacker wishes to learn more about. The first step in a hacker's DNS recon might be to type:
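Review bot: promoting `==DNS Basics==` and `=== DNS Recon ===` to `=DNS Basics=` and `== DNS Recon ==` puts section headings at level 1, which MediaWiki reserves for the page title; keep `==` as the top section level so the table of contents and heading sizes stay consistent with the rest of the wiki.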
Line 40: Line 40:
 
}}
 
}}
  
There are many useful free DNS utilities on the internet. One that in particular is endorsed by us is [http://www.yougetsignal.com/ YouGetSignal].
+
= Records =
  
See [[protocols]] for more information.
+
== MX Record ==
  
== DNS Server Software ==
+
<b>M</b>ail e<b>X</b>changer Record
 +
 
 +
This record prioritizes email delivery for specific domains over multiple protocols.
 +
 
 +
 
 +
SYNTAX:
 +
  domain.tld. TTL IN MX domain.tld
 +
 
 +
*The first domain.tld. represents the mailserver hostname.
 +
*The second domain.tld represents the domain name to deliver mail for
 +
*This can only be added to the record containing the primary A record to be effective.
 +
 
 +
==CNAME records==
 +
 
 +
==DNAME records==
 +
 
 +
==A records==
 +
 
 +
 
 +
 
 +
=DNS Server Software=
  
 
* [http://www.isc.org/software/bind Bind]
 
* [http://www.isc.org/software/bind Bind]
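Review bot: the MX syntax line `domain.tld. TTL IN MX domain.tld` omits the preference value that belongs between `MX` and the exchange hostname, and the two bullets under it describe the fields the wrong way round: the owner name (the first `domain.tld.`) is the domain whose mail is being routed and the trailing name is the mail server, so the line should read `domain.tld. TTL IN MX 10 mail.domain.tld.`. The third bullet ("can only be added to the record containing the primary A record") does not describe a real constraint; the actual requirement is that the exchange hostname resolves to an A or AAAA record and is not a CNAME. The `==CNAME records==`, `==DNAME records==` and `==A records==` headings are added with empty bodies; either give them content or leave them out until there is some.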
Line 51: Line 71:
 
* [http://cr.yp.to/djbdns.html djbdns]
 
* [http://cr.yp.to/djbdns.html djbdns]
 
* [http://www.corpit.ru/mjt/rbldnsd.html rbldnsd]
 
* [http://www.corpit.ru/mjt/rbldnsd.html rbldnsd]
 +
 +
= DNS Utilities =
 +
 +
* [http://www.yougetsignal.com/ YouGetSignal]
 +
 +
* [[dig]]
  
 
[[Category:Protocols]]
 
[[Category:Protocols]]
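Review bot: the new `= DNS Utilities =` section lists YouGetSignal and [[dig]] bare, with no indication of what each is for; a clause per entry (for instance, that dig queries a chosen record type against a chosen server, which is what the zone-transfer check in the recon section relies on) would make the list useful.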

Revision as of 17:59, 24 April 2012

Dynamic Name System or Domain Name System

DNS resolves hostnames to IP addresses and vice versa. DNS records also designate which servers handle e-mail for a domain.

DNS Basics

The DNS system is used to resolve domain names (such as www.blackhatacademy.org) into 4-byte IPv4 addresses (such as 173.245.60.117) known as IP addresses or (more rarely) DNS addresses. It can be used to obtain a wealth of information about a website, all of which is useful for troubleshooting, penetration testing and recon.

DNS Recon

In this example, random.com is given as a site that the hacker wishes to learn more about. The first step in a hacker's DNS recon might be to type:

host random.com

That returns basic information about the site: its IP addresses (A records, AAAA for IPv6) and its mail servers (MX records). For more detail, use the -a flag, which returns every record type, from TXT records to DNSSEC records.

Taking it further, given the right circumstances you can pull a great deal of information out of DNS. For example, if a domain's name server has AXFR (zone transfers) enabled for everyone, you can obtain a list of every subdomain in any zone hosted on that server. The easiest way to check for this is:

host -t ns random.com

This returns the name servers for random.com, allowing you to request the zone from one of them:

host -l random.com. ns75.worldnic.com

In order to perform a successful zone transfer, you usually want to directly specify the name server. Here is an example of a successful zone transfer:

outlookccc.wideopenwest.com has address 64.233.207.77
mail.outlookccc.wideopenwest.com has address 12.152.37.50
pop-13.wideopenwest.com has address 64.233.207.59
pop-14.wideopenwest.com has address 64.233.207.60
portal.wideopenwest.com has address 64.233.207.39
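The same two steps (host -t ns to find the name servers, then host -l against each of them) double as a self-audit for a zone you administer: a name server that answers the transfer is handing your whole host list to anyone who asks. The script below is an added example, not from the NetSec page or its authors. It assumes the host command from the BIND tools is installed; the example.com names and the SAMPLE_AXFR text are constructed in the output format host -l prints, so the parsing functions can be exercised without network access.

```sh
#!/bin/sh
# Added example (not from the NetSec page): audit a domain you administer for
# name servers that hand out a full zone transfer (AXFR) to anyone who asks.

# Constructed sample in the format `host -l` prints, used for offline checks.
SAMPLE_AXFR='example.com name server ns1.example.com.
www.example.com has address 192.0.2.10
mail.example.com has address 192.0.2.25
vpn.example.com has address 192.0.2.40
www.example.com has IPv6 address 2001:db8::10'

# Reduce `host -l` output (stdin) to "hostname address" pairs, one per line.
# Only A records ("has address") are kept; AAAA lines read "has IPv6 address".
axfr_hosts() {
    awk '$2 == "has" && $3 == "address" { print $1, $4 }'
}

# Number of A records an AXFR exposed (stdin: `host -l` output).
axfr_host_count() {
    axfr_hosts | awk 'END { print NR }'
}

# Authoritative name servers for a domain, one per line, trailing dot removed.
# Wraps `host -t ns`, whose answer lines read "<domain> name server <ns>."
name_servers() {
    host -t ns "$1" | awk '/ name server / { sub(/\.$/, "", $NF); print $NF }'
}

# Try an AXFR against every name server of the domain and report each as
# OPEN (zone handed out, with the number of A records exposed) or REFUSED.
# `host -l` exits non-zero when the server refuses the transfer.
check_axfr_exposure() {
    domain=$1
    for ns in $(name_servers "$domain"); do
        if out=$(host -l "$domain" "$ns" 2>/dev/null); then
            printf '%s: OPEN (%s A records exposed)\n' "$ns" \
                "$(printf '%s\n' "$out" | axfr_host_count)"
        else
            printf '%s: REFUSED\n' "$ns"
        fi
    done
}

# Usage: sh axfr_audit.sh example.com
if [ $# -gt 0 ]; then
    check_axfr_exposure "$1"
fi
```

A REFUSED line from every name server is the expected result for a properly configured zone; an OPEN line means that server needs its transfer policy restricted to its own secondaries.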

Records

MX Record

Mail eXchanger Record

This record designates, in order of priority, the mail servers that accept email for a domain.


SYNTAX:

 domain.tld. TTL IN MX 10 mail.domain.tld.
  • The first domain.tld. is the domain whose mail is being routed (the record's owner name).
  • The number (10 here) is the preference; sending servers try the lowest preference first and fall back to higher ones.
  • The trailing mail.domain.tld. is the mail server hostname; it must resolve to an A (or AAAA) record and must not be a CNAME.
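The preference value is what a sending server acts on, and the target hostname must itself have an address record. The script below is an added example, not from the NetSec page or its authors: it parses the answer lines that host -t mx prints, orders the exchanges by preference, picks the one a sender would try first, and checks each target for an address record. The example.com and example.net names and the SAMPLE_MX text are constructed; the host command from the BIND tools is assumed to be installed for the network-facing check.

```sh
#!/bin/sh
# Added example (not from the NetSec page): read the MX records returned by
# `host -t mx`, pick the exchange a sending server tries first, and verify
# that every exchange resolves to an address record rather than a CNAME.

# Constructed sample in the format `host -t mx` prints, for offline checks.
SAMPLE_MX='example.com mail is handled by 20 mx2.example.com.
example.com mail is handled by 10 mx1.example.com.
example.com mail is handled by 30 backup.example.net.'

# stdin: `host -t mx` output. stdout: "preference exchange" pairs, lowest
# preference first, trailing dot stripped from the exchange hostname.
mx_exchanges() {
    awk '/ mail is handled by / { sub(/\.$/, "", $NF); print $(NF-1), $NF }' \
        | sort -n -k1,1
}

# stdin: `host -t mx` output. stdout: the exchange with the lowest preference.
mx_primary() {
    mx_exchanges | awk 'NR == 1 { print $2 }'
}

# Network check for a domain given as $1: every exchange in the MX set is
# looked up and reported as OK (has an A record), CNAME (alias, which an MX
# target must not be) or MISSING-A (no address record at all).
mx_targets_resolve() {
    host -t mx "$1" | mx_exchanges | while read -r pref exchange; do
        answer=$(host -t a "$exchange" 2>/dev/null)
        if printf '%s\n' "$answer" | grep -q ' is an alias for '; then
            printf '%s CNAME (preference %s)\n' "$exchange" "$pref"
        elif printf '%s\n' "$answer" | grep -q ' has address '; then
            printf '%s OK (preference %s)\n' "$exchange" "$pref"
        else
            printf '%s MISSING-A (preference %s)\n' "$exchange" "$pref"
        fi
    done
}

# Usage: sh mx_check.sh example.com
if [ $# -gt 0 ]; then
    mx_targets_resolve "$1"
fi
```

With the constructed sample, mx_primary yields mx1.example.com even though that line is not listed first, because ordering comes from the preference value, not from the order the server returns the records.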

CNAME records

DNAME records

A records

DNS Server Software

  • Bind (http://www.isc.org/software/bind)
  • djbdns (http://cr.yp.to/djbdns.html)
  • rbldnsd (http://www.corpit.ru/mjt/rbldnsd.html)

DNS Utilities

  • YouGetSignal (http://www.yougetsignal.com/)
  • dig