DNS protocol ¶

The Domain Name System (DNS) protocol is used to convert a domain name such as example.com to an IP address 93.184.216.34. A domain name is for humans, while IP address are for machines 🏭.

🐊️ Port: 53 (TCP/UDP)

🔒 The DNS protocol is not secure. See DNS Secure (DNSSEC). See also: DNS over TLS (DoT) or DNS over HTTPS (DoH) or DNSCrypt.

DNS server servers are storing data called DNS records. When updated by the domain owner, it's propagated to DNS servers after some time (12 hours, 24 hours, 48 hours, sometimes more).

There are multiple type of records for a domain, not just IP addresses:

• A 🏠: the IPV4 address of the domain
• AAAA 🏡: the IPV6 address of the domain
• CNAME ➡️: a domain may point to another
• MX ✉️: a domain may have a mail server
• TXT ✍️: used to store information, mostly used to verify ownership by third-party websites...
• See also Wikipedia Reference

DNS nameservers have a tree-like hierarchy starting from the root.

DNS root 🌱: the domain "." (dot). Keep track of TLDs.

Top level domains (TLDs) 🪵: historically, they where associated with a purpose or a geographical location, but now, there is no restriction.

• Generic TLD (gTLD): .com, .net...
• Country Code TLD (ccTLD): .fr, .ca...
• Restricted TLD (rTLD): .gov...
• Experimental TLD (eTLD/xTLD): .test...

Each TLD nameserver keep track of its authoritative nameservers.

Authoritative nameservers 🌿: they keep track of second-level domains, such as example.com, and may keep track of third-level domains (such as www), or more generically, every subdomain.

RFC 1034 approach ¶

The iterative approach mandated by the RFC 1034 is

• A client asks for the IP of a domain to the root nameserver
• The root nameserver replies with the TLD nameserver's IP
• The client asks again, but the TLD nameserver this time
• The TLD nameserver replies with the authoritative nameserver's IP
• The client asks again, but the authoritative nameserver this time
• The authoritative nameserver answer with the IP ✅

In practice, to reduce traffic, and to reduce the load on root servers, DNS records are cached at multiple levels.

Caching ¶

Each DNS query has a Time-to-live (TTL) (in seconds). Both the client, and DNS servers will store records until the TTL expires.

A client will usually ask recursive servers 🦀 such as the one maintained by their ISP provider. They will look for the IP of the domain requested, using both caching and the RFC 1034 approach.

A Fully Qualified Domain Name (FQDN) is a name with both a hostname (subdomain, server...) and a domain name to unambiguous identify a specific domain 🎯.

Given the FQDN www.example.com, www is the hostname, while example.com is the domain name.

👉 All subdomains are written as FQDN.

👉 Any domain ending with . (DNS root) is written as a FQDN. For instance, example.com is NOT a FQDN, while example.com. is.

DNS mainly use UDP for DNS queries, while it mainly use TCP for zone transfers or large responses. With IPV6/DNSSEC, TCP seems to be more and more used for queries too.

A DNS zone represents a portion of the domain records that the DNS server manages. DNS records are stored in zone files (BIND format).

• Primary zones 🌹: authoritative source for the DNS information
• Secondary zones 🌿: read-only copies of the DNS records

The primary DNS servers are transferring changes to secondary DNS servers using what we call "Zone Transferts." There are two types of zone transfers: AXFR and IXFR.

⚠️ On Misconfigured DNS servers (no authentication/no list of trusted hosts/no RNDC Key), we may be able to query the whole zone file.

You can try it online or with zonetransfer.me. We usually find a lot of domains during enumeration. We may then try AXFR on each.

# select the domain that you want to "fetch"
# from the primary dns server
$ dig axfr some_domain.com @primary_dns_server
# return a list, we may then try axfr in each return item
# it it doesn't work, we can try brute forcing

I encountered one scenario in which the subdomain wasn't returning any records, which fooled every tool, while it was vulnerable to AXFR.

You can use onectf for AXFR brute forcing given a list of subdomains.

$ onectf axfr -D example.com -r IP -w wordlist.txt -t 64

dig: ip/domain lookup ¶

You can give a domain name, or an IP (-x). The request type ANY is deprecated since RFC8482 ⚠️.

$ dig example.com
$ dig A example.com       # IPV4 records
$ dig example.com -t A    # same
$ dig example.com -t ANY  # every record
$ dig -x 8.8.8.8
$ dig [...] -p port

You can pick which DNS server should be used with @

• Cloudflare DNS servers: 1.1.1.1
• Google DNS servers: 8.8.8.8 OR 8.8.4.4
• ...

$ dig example.com @8.8.8.8

Some examples of dig command output:

$ dig example.com -t A
;; ANSWER SECTION:
example.com.    0  IN     A  93.184.216.34
$ dig example.com -t AAAA
;; ANSWER SECTION:
example.com.    0  IN  AAAA 2606:2800:220:1:248:1893:25c8:1946

You can also add options: +stats +trace +nodnssec.

host: domain lookup ¶

The host command is very similar to dig.

$ host -t ANY example.com
example.com has address <IPV4>
example.com has XXX record [...]
example.com has IPv6 address <IPV6>
example.com name server a.iana-servers.net.
$ host -v -t ANY example.com
# similar output as dig

nslookup: ip/domain lookup ¶

This tool is quite similar to dig.

# A = IPV4, AAAA=IPV6, MX, TXT, CNAME...
$ nslookup -type=A example.com
# ask 1.1.1.1 DNS server
$ nslookup -type=A example.com 1.1.1.1

whois: domain registrar data ¶

You can also use their website or domaintools. Whois is a protocol using port 43. Use sysinternals whois on Windows.

$ whois example.com
$ whois 8.8.8.8

➡️ You can also query the ICANN or who.is.

On Linux, the operating system will first try to resolve a domain using /etc/hosts before testing an external DNS server.

SOME_IP example.com
SOME_IP admin.example.com test.example.com

You can add an entry using:

$ sudo sh -c 'echo "SOME_IP my.example.com" >> /etc/hosts'

The file /etc/resolv.conf is used to determine which nameserver is used to resolve domains, along other settings.

You can also use onectf to easily manage entries:

$ sudo onectf hosts IPA example.com aaa.example.com
IPA example.com aaa.example.com
$ sudo onectf hosts IPB example.com
IPA aaa.example.com
IPB example.com

Enumeration ¶

Refer to DNS investigation to find targets.

Refer to Subdomains/vhosts to look for hidden subdomains.

You can use onectf axfr as introduced in the AXFR section to find hidden subdomains accepting zone transfer.

• fierce (1.6k ⭐) can be used for AXFR and other attacks.

$ fierce --domain zonetransfer.me
$ fierce --domain xxx.yyy --dns-servers IP
# error for internal domain using AXFR

Exploitation ¶

• Domain Takeover: an existing record points to a deleted domain. If the hackers can purchase it, then may perform social engineering attacks (or more advanced attacks). can-i-take-over-xyz (4.4k ⭐)

• DNS Rebinding: refer to SSRF Mitigations for notes.

Well-Known Attacks ¶

• Open DNS resolvers (DNS allowing everyone to poll data)

👉 An attacker can use them to amplify DDoS attacks. 💥 DDoS ➡️ Configure DNS to not respond to everyone, use rate-limiting.

• Stealthy DNS attacks

👉 An attacker attempt to secretly alter a DNS records (ex: redirect to a malicious site) ➡️ See DNSSEC.

• DNS cloaking attacks

👉 An attacker create malicious subdomains to a compromised domain ➡️ Monitor unauthorized DNS changes, DNS pinning...

• DNS Cache poisoning/DNS Spoofing

👉 An attacker tries to send a reply to a DNS query before the DNS nameservers. The hacker much match the correct timing (caching...) and the correct query ID, which is relatively complicated. 💥 See the Kaminsky Cache poisoning attack (2008).

• DNS tunneling attacks

👉 Use the DNS protocol to send malicious payload in DNS query to bypass firewalls/... ➡️ DNS firewalls...

• DNSSEC (HTB/27180)
• Multiple domains can point to the same IP address
• Caching DNS Server
• Forwarding/Relay Server
• 3 configs (local DNS, reverse DNS, zone file)
• c:\windows\system32\drivers\etc\hosts
• dnsspoof

• Record Classes (Internet, Hesiod, Chaos)
• dig CH TXT version.bind IP: CHAOS query
• Bind9

$ dig axfr domain @IP > /tmp/list.dig
$ cat /tmp/list.dig | column -t | cut -d ' ' -f1 | grep '\.' | sed 's/\.$//' > /tmp/list.dig.clean
$ cat /tmp/list.dig.clean | while read x ; do dig ANY $x ; done > /tmp/domains.dig
$ grep -v '^;' /tmp/domains.dig | grep -v '^$' > /tmp/domains.dig.clean