Port 53 - Domain Name Server (DNS)
Globally distributed DNS servers translate domain names into IP addresses and thus control which server a user can reach via a particular domain. There are several types of DNS servers that are used worldwide:
Server Type | Description |
---|---|
DNS Root Server |
Root servers of DNS are responsible for the top-level domains (TLD ). As the last instance, they are only requested if the name server does not respond. The ICANN coordinates the work of the root name servers. There are 13 such root servers around the globe. |
Authoritative Nameserver |
Authoritative name servers hold authority for a particular zone. They only answer queries from their area of responsibility, and their information is binding. If an authoritative name server cannot answer a client's query, the root name server takes over at that point. |
Non-authoritative Nameserver |
Non-authoritative name servers are not responsible for a particular DNS zone. Instead, they collect information on specific DNS zones themselves, which is done using recursive or iterative DNS querying. |
Caching DNS Server |
Caching DNS servers cache information from other name servers for a specified period. The authoritative name server determines the duration of this storage. |
Forwarding Server |
Forwarding servers perform only one function: they forward DNS queries to another DNS server. |
Resolver |
Resolvers are not authoritative DNS servers but perform name resolution locally in the computer or router. |
Resource records
A resource record is a four-tuple that contains the following 4 fields:
A
records: If Type=A, then Name is a hostname and Value is the IP address for that name. We recognize the IP addresses that point to a specific (sub)domain through the A record. Example:
-
MX
records: If Type=MX, then Value is the canonical name of a mail server that has an alias hostname Name. The mail server records show us which mail server is responsible for managing the emails for the company. Example: -
NS
records: If Type=NS, then Name is a domain (such as example.com) and Value is the name of an authoritative DNS server that knows how to obtain the IP address for hosts in the domain. These kinds of records show which name servers are used to resolve the FQDN to IP addresses. Most hosting providers use their own name servers, making it easier to identify the hosting provider. Example: -
CNAME
records: If Type=CNAME, then Value is a canonical hostname for the alias hostname Name. Example: -
TXT
records: this type of record often contains verification keys for different third-party providers and other security aspects of DNS, such as SPF, DMARC, and DKIM, which are responsible for verifying and confirming the origin of the emails sent. Here we can already see some valuable information if we look closer at the results. AAAA
records: Returns an IPv6 address of the requested domain.PTR
record: The PTR (Pointer) record works the other way around (reverse lookup). It converts IP addresses into valid domain names. For the IP address to be resolved from theFully Qualified Domain Name
(FQDN
), the DNS server must have a reverse lookup file. In this file, the computer name (FQDN) is assigned to the last octet of an IP address, which corresponds to the respective host, using aPTR
record. The PTR records are responsible for the reverse translation of IP addresses into names.SOA
records: (Start Of Authority
(SOA
)). It should be first in a zone file because it indicates the start of a zone. Each zone can only have oneSOA
record, and additionally, it contains the zone's values, such as a serial number and multiple expiration timeouts. Provides information about the corresponding DNS zone and email address of the administrative contact. TheSOA
record is located in a domain's zone file and specifies who is responsible for the operation of the domain and how DNS information for the domain is managed.
Summarizing:
Security
DNS is mainly unencrypted. Devices on the local WLAN and Internet providers can therefore hack in and spy on DNS queries. Since this poses a privacy risk, there are now some solutions for DNS encryption. By default, IT security professionals apply DNS over TLS (DoT) or DNS over HTTPS (DoH) here. In addition, the network protocol NSCrypt also encrypts the traffic between the computer and the name server.
IPs to add to etc/resolv.conf
1.1.1.1 is a public DNS resolver operated by Cloudflare that offers a fast and private way to browse the Internet. Unlike most DNS resolvers, 1.1.1.1 does not sell user data to advertisers. In addition, 1.1.1.1 has been measured to be the fastest DNS resolver available.
DNS transfer zones
DNS server
There are many different configuration types for DNS. All DNS servers work with three different types of configuration files:
- local DNS configuration files
- zone files
- reverse name resolution files
The DNS server Bind9 is very often used on Linux-based distributions. Its local configuration file (named.conf
) is roughly divided into two sections, firstly the options section for general settings and secondly the zone entries for the individual domains. The local configuration files are usually:
/etc/bind/named.conf.local
/etc/bind/named.conf.options
/etc/bind/named.conf.log
In the file /etc/bind/named.conf.local
we can define the different zones. A zone file
is a text file that describes a DNS zone with the BIND file format. In other words it is a point of delegation in the DNS tree. The BIND file format is the industry-preferred zone file format and is now well established in DNS server software. A zone file describes a zone completely. There must be precisely one SOA
record and at least one NS
record. The SOA resource record is usually located at the beginning of a zone file. The main goal of these global rules is to improve the readability of zone files. A syntax error usually results in the entire zone file being considered unusable. The name server behaves similarly as if this zone did not exist. It responds to DNS queries with a SERVFAIL
error message.
DNS misconfigurations and vulnerabilities.
Option | Description |
---|---|
allow-query |
Defines which hosts are allowed to send requests to the DNS server. |
allow-recursion |
Defines which hosts are allowed to send recursive requests to the DNS server. |
allow-transfer |
Defines which hosts are allowed to receive zone transfers from the DNS server. |
zone-statistics |
Collects statistical data of zones. |
A list of vulnerabilities targeting the BIND9 server can be found at CVEdetails. In addition, SecurityTrails provides a short list of the most popular attacks on DNS servers.
Footprinting DNS
See nslookup.
# Query `A` records by submitting a domain name: default behaviour
nslookup $TARGET
# We can use the `-query` parameter to search specific resource records
# Querying: A Records for a Subdomain
nslookup -query=A $TARGET
# Querying: PTR Records for an IP Address
nslookup -query=PTR 31.13.92.36
# Querying: ANY Existing Records
nslookup -query=ANY $TARGET
# Querying: TXT Records
nslookup -query=TXT $TARGET
# Querying: MX Records
nslookup -query=MX $TARGET
# Specify a nameserver if needed by adding `@<nameserver/IP>` to the command
See dig.
# Querying: A Records for a Subdomain
dig a www.example @$ip
# here, $ip refers to ip of DNS server
# Get email of administrator of the domain
dig soa www.example.com
# The email will contain a (.) dot notation instead of @
# ENUMERATION
# List nameservers known for that domain
dig ns example.com @$ip
# -ns: other name servers are known in NS record
# `@` character specifies the DNS server we want to query.
# here, $ip refers to ip of DNS server
# View all available records
dig any example.com @$ip
# here, $ip refers to ip of DNS server. The more recent RFC8482 specified that `ANY` DNS requests be abolished. Therefore, we may not receive a response to our `ANY` request from the DNS server.
# Display version. query a DNS server's version using a class CHAOS query and type TXT. However, this entry must exist on the DNS server.
dig CH TXT version.bind $ip
# Querying: PTR Records for an IP Address
dig -x $ip @1.1.1.1
# Querying: TXT Records
dig txt example.com @$ip
# Querying: MX Records
dig mx example.com @1.1.1.1
Transfer a zone (more on dig axfr)
If the administrator used a subnet for the allow-transfer
option for testing purposes or as a workaround solution or set it to any
, everyone would query the entire zone file at the DNS server.
Another tools for transferring zones:
Subdomain brute enumeration
Using Sec wordlist:
for sub in $(cat /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.example.com @$ip | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
Tools for passive enumeration
Tool + Cheat sheet | What it does |
---|---|
Google dorks | Google hacking, also named Google dorking, is a hacker technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites are using. |
Sublist3r | Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS. |
crt.sh | It collects information about SSL certificates. If you visit a domain and it contains a certificate you can extract other subdomain by using the View Certificate functionality. |
dnscan | Python wordlist-based DNS subdomain scanner. |
DNSRecon | Preinstalled with Linux: dsnrecon is a simple python script that enables to gather DNS-oriented information on a given target. |
dnsdumpster.com | DNSdumpster.com is a FREE domain research tool that can discover hosts related to a domain. Finding visible hosts from the attackers perspective is an important part of the security assessment process. |
Tools for active enumeration
Tool + Cheat sheet | What it does |
---|---|
dnsenum | multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous ip blocks. |
dig | discover non-contiguous ip blocks. |
fierce | DNS scanner that helps locate non-contiguous IP space and hostnames. |
dnscan | Python wordlist-based DNS subdomain scanner. |
gobuster | For brute force enumerations. |
nslookup | . |
amass | In depth DNS Enumeration and network mapping. |