DNS protocol
The Domain Name System (DNS) protocol is used to convert a domain name such as example.com to an IP address such as 93.184.216.34. A domain name is for humans, while IP addresses are for machines.
Port: 53 (TCP/UDP)
The DNS protocol is not secure. See DNS Secure (DNSSEC). See also: DNS over TLS (DoT), DNS over HTTPS (DoH) or DNSCrypt.
DNS servers store data called DNS records. When the domain owner updates them, the change is propagated to other DNS servers after some time (12 hours, 24 hours, 48 hours, sometimes more).
There are multiple types of records for a domain, not just IP addresses:
- A: the IPv4 address of the domain
- AAAA: the IPv6 address of the domain
- CNAME: a domain may point to another
- MX: a domain may have a mail server
- TXT: used to store information, mostly used to verify ownership by third-party websites...
- See also Wikipedia Reference
DNS resolution process
DNS nameservers have a tree-like hierarchy starting from the root.
DNS root: the domain "." (dot). It keeps track of TLDs.
Top level domains (TLDs): historically, they were associated with a purpose or a geographical location, but now there is no restriction.
- Generic TLD (gTLD): .com, .net, ...
- Country Code TLD (ccTLD): .fr, .ca, ...
- Restricted TLD (rTLD): .gov, ...
- Experimental TLD (eTLD/xTLD): .test, ...
Each TLD nameserver keeps track of the authoritative nameservers of its domains.
Authoritative nameservers: they keep track of second-level domains, such as example.com, and may keep track of third-level domains (such as www), or more generically, every subdomain.
RFC 1034 approach
The iterative approach mandated by RFC 1034 is:
- A client asks the root nameserver for the IP of a domain
- The root nameserver replies with the TLD nameserver's IP
- The client asks again, but the TLD nameserver this time
- The TLD nameserver replies with the authoritative nameserver's IP
- The client asks again, but the authoritative nameserver this time
- The authoritative nameserver answers with the IP
In practice, to reduce traffic, and to reduce the load on root servers, DNS records are cached at multiple levels.
Caching
Each DNS record returned by a query has a Time-to-live (TTL), in seconds. Both the client and DNS servers will keep the record in their cache until the TTL expires.
A client will usually ask recursive servers, such as the one maintained by their ISP. Those servers look for the IP of the requested domain using both their cache and the RFC 1034 approach.
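As an added example that is not part of the original notes, the Python below builds the query that dig sends to UDP/53 and parses a constructed response carrying the A record shown later on this page (example.com. IN A 93.184.216.34), so the record type codes, the per-record TTL that drives caching, and the 16-bit query ID a reply must echo are visible in the wire format. The response bytes and their TTL of 300 are constructed, not captured.

```python
import struct
QTYPE = {"A": 1, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}  # RFC 1035; AAAA from RFC 3596

def build_query(name, qtype="A", txid=0x1234):
    """12-byte header + question, as dig sends it to UDP/53. Flags 0x0100 set RD
    (recursion desired); txid is the 16-bit ID an answer must echo to be accepted."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)

def read_name(msg, off):
    """Decode a possibly compressed name; return (fqdn, offset just after it)."""
    labels, end, jumped = [], off, False
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels) + ".", (end if jumped else off)

def parse_response(msg):
    """Return (txid, answers); each answer is (name, type, ttl, rdata)."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question (name + qtype + qclass)
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == QTYPE["A"]:  # render IPv4 rdata in dotted form
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return txid, answers

# Constructed response to build_query("example.com"): same txid, flags 0x8180 (QR+RD+RA),
# one answer whose name is a pointer (0xC00C) to the question name at offset 12, TTL 300.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + build_query("example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + bytes([93, 184, 216, 34]))
```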
Fully Qualified Domain Name
A Fully Qualified Domain Name (FQDN) is a name with both a hostname (subdomain, server...) and a domain name, so that it unambiguously identifies a specific domain.
Given the FQDN www.example.com, www is the hostname, while example.com is the domain name.
All subdomains are written as FQDNs.
Strictly speaking, any domain ending with . (the DNS root) is written as a FQDN. For instance, example.com is NOT a FQDN, while example.com. is.
DNS Zones & Zone Transfer
DNS mainly uses UDP for queries, while it mainly uses TCP for zone transfers or large responses. With IPv6/DNSSEC, TCP seems to be used more and more for queries too.
A DNS zone represents a portion of the domain records that the DNS server manages. DNS records are stored in zone files (BIND format).
- Primary zones: authoritative source for the DNS information
- Secondary zones: read-only copies of the DNS records
The primary DNS servers transfer changes to secondary DNS servers using what we call "Zone Transfers." There are two types of zone transfers: AXFR and IXFR.
On misconfigured DNS servers (no authentication, no list of trusted hosts, no RNDC key), we may be able to query the whole zone file.
You can try it online or with zonetransfer.me. We usually find a lot of domains during enumeration. We may then try AXFR on each.
# select the domain that you want to "fetch"
# from the primary dns server
$ dig axfr some_domain.com @primary_dns_server
# return a list, we may then try axfr in each return item
# if it doesn't work, we can try brute forcing
I encountered one scenario in which the subdomain wasn't returning any records, which fooled every tool, while it was vulnerable to AXFR.
You can use onectf for AXFR brute forcing given a list of subdomains.
$ onectf axfr -D example.com -r IP -w wordlist.txt -t 64
DNS commands
dig: ip/domain lookup
You can give a domain name, or an IP (-x). The request type ANY is deprecated since RFC 8482.
$ dig example.com
$ dig A example.com # IPV4 records
$ dig example.com -t A # same
$ dig example.com -t ANY # every record
$ dig -x 8.8.8.8
$ dig [...] -p port
You can pick which DNS server should be used with @:
- Cloudflare DNS servers: 1.1.1.1
- Google DNS servers: 8.8.8.8 or 8.8.4.4
- ...
$ dig example.com @8.8.8.8
Some examples of dig command output:
$ dig example.com -t A
;; ANSWER SECTION:
example.com. 0 IN A 93.184.216.34
$ dig example.com -t AAAA
;; ANSWER SECTION:
example.com. 0 IN AAAA 2606:2800:220:1:248:1893:25c8:1946
You can also add options: +stats +trace +nodnssec.
host: domain lookup
The host command is very similar to dig.
$ host -t ANY example.com
example.com has address <IPV4>
example.com has XXX record [...]
example.com has IPv6 address <IPV6>
example.com name server a.iana-servers.net.
$ host -v -t ANY example.com
# similar output as dig
nslookup: ip/domain lookup
This tool is quite similar to dig.
# A = IPV4, AAAA=IPV6, MX, TXT, CNAME...
$ nslookup -type=A example.com
# ask 1.1.1.1 DNS server
$ nslookup -type=A example.com 1.1.1.1
whois: domain registrar data
You can also use their website or domaintools. Whois is a protocol using port 43. Use sysinternals whois on Windows.
$ whois example.com
$ whois 8.8.8.8
Linux DNS Configuration
On Linux, the operating system will first try to resolve a domain using /etc/hosts before querying an external DNS server.
SOME_IP example.com
SOME_IP admin.example.com test.example.com
You can add an entry using:
$ sudo sh -c 'echo "SOME_IP my.example.com" >> /etc/hosts'
The file /etc/resolv.conf is used to determine which nameserver is used to resolve domains, along with other settings.
You can also use onectf to easily manage entries:
$ sudo onectf hosts IPA example.com aaa.example.com
IPA example.com aaa.example.com
$ sudo onectf hosts IPB example.com
IPA aaa.example.com
IPB example.com
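As an added illustration (not onectf's code), the function below reproduces the merge behaviour shown above on a hosts-file string: a hostname is removed from any other line before it is attached to the line of the new IP, and a line left with no names is dropped. The IPs 10.0.0.1 and 10.0.0.2 stand in for IPA and IPB and are constructed.

```python
# Constructed IPs standing in for the IPA / IPB placeholders used on this page.
IPA, IPB = "10.0.0.1", "10.0.0.2"

def update_hosts(content, ip, names):
    """Return new /etc/hosts text where every name in `names` resolves to `ip`.

    A hostname should appear only once, so it is first removed from every other
    line (dropping lines left with no names), then appended to the line for `ip`,
    which is created at the end if it does not exist. Comments and blank lines
    are preserved unchanged.
    """
    names = list(dict.fromkeys(names))  # dedupe while keeping the given order
    out, placed = [], False
    for line in content.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
            continue
        fields = stripped.split()
        line_ip, line_names = fields[0], [n for n in fields[1:] if n not in names]
        if line_ip == ip and not placed:
            line_names += names
            placed = True
        if line_names:  # a line that lost all its names is removed
            out.append(" ".join([line_ip] + line_names))
    if not placed:
        out.append(" ".join([ip] + names))
    return "\n".join(out) + "\n"

def walkthrough():
    """Replay the two onectf hosts calls from the page on a minimal hosts file."""
    step1 = update_hosts("127.0.0.1 localhost\n", IPA, ["example.com", "aaa.example.com"])
    step2 = update_hosts(step1, IPB, ["example.com"])
    return step1, step2
```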
DNS Pentester Notes
Enumeration
Refer to DNS investigation to find targets.
Refer to Subdomains/vhosts to look for hidden subdomains.
You can use onectf axfr as introduced in the AXFR section to find hidden subdomains accepting zone transfer.
- fierce (1.6k stars) can be used for AXFR and other attacks.
$ fierce --domain zonetransfer.me
$ fierce --domain xxx.yyy --dns-servers IP
# error for internal domain using AXFR
Exploitation
- Domain Takeover: an existing record points to a deleted domain. If the hackers can purchase it, then they may perform social engineering attacks (or more advanced attacks). See can-i-take-over-xyz (4.4k stars).
- DNS Rebinding: refer to SSRF Mitigations for notes.
Well-Known Attacks
- Open DNS resolvers (DNS servers answering queries from everyone)
An attacker can use them to amplify DDoS attacks (see DDoS). Mitigation: configure DNS to not respond to everyone, use rate-limiting.
- Stealthy DNS attacks
An attacker attempts to secretly alter DNS records (ex: redirect to a malicious site). Mitigation: see DNSSEC.
- DNS cloaking attacks
An attacker creates malicious subdomains under a compromised domain. Mitigation: monitor unauthorized DNS changes, DNS pinning...
- DNS Cache poisoning/DNS Spoofing
An attacker tries to send a reply to a DNS query before the legitimate DNS nameserver does. The hacker must match the correct timing (caching...) and the correct query ID, which is relatively complicated. Example: see the Kaminsky cache poisoning attack (2008).
- DNS tunneling attacks
Use the DNS protocol to send malicious payloads inside DNS queries to bypass firewalls... Mitigation: DNS firewalls...
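For the tunneling entry above, the added Python example below (not from the original notes) scores query-log lines per zone by the number of distinct names, their length and the entropy of their most random label, which are the signals a DNS firewall or SIEM rule keys on. The log lines are constructed in a simplified BIND-like format, and the thresholds and the "last two labels = zone" rule are assumptions to tune per environment.

```python
import math, re
from collections import defaultdict

# Constructed query-log lines (simplified BIND-style "query:" records, not real traffic).
SAMPLE_LOG = """\
client 10.0.0.5#53211: query: www.example.com IN A
client 10.0.0.5#53212: query: mail.example.com IN MX
client 10.0.0.7#40001: query: kq7x2mzp9dw3vh8cjn4tyr6lb5se.t1.exfil.test IN TXT
client 10.0.0.7#40002: query: a9fg4hj2kl7mn0pq3rs8tu5vw6xy.t2.exfil.test IN TXT
client 10.0.0.7#40003: query: z1b2c3d4e5f6g7h8i9j0k1l2m3n4.t3.exfil.test IN TXT
client 10.0.0.7#40004: query: p0o9i8u7y6t5r4e3w2q1a2s3d4f5.t4.exfil.test IN TXT
client 10.0.0.7#40005: query: m5n6b7v8c9x0z1l2k3j4h5g6f7d8.t5.exfil.test IN TXT
client 10.0.0.5#53213: query: example.com IN AAAA
"""

QUERY_RE = re.compile(r"query: (?P<name>\S+) IN (?P<type>\S+)")

def entropy(s):
    """Shannon entropy in bits per character; encoded payload labels score high."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

def zone_of(name):
    """Group queries by the last two labels (assumed registrable domain, e.g. exfil.test)."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def score_queries(lines):
    """Return {zone: stats} with unique-name count, mean query length/entropy, TXT share."""
    per_zone = defaultdict(lambda: {"names": set(), "lens": [], "ents": [], "txt": 0, "n": 0})
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        name, qtype = m.group("name").rstrip("."), m.group("type")
        z = per_zone[zone_of(name)]
        z["names"].add(name); z["lens"].append(len(name)); z["n"] += 1
        z["ents"].append(max(entropy(l) for l in name.split(".")))  # most random label
        z["txt"] += qtype in ("TXT", "NULL")  # types commonly abused for bulk payloads
    return {zone: {"unique": len(z["names"]), "avg_len": sum(z["lens"]) / z["n"],
                   "avg_entropy": sum(z["ents"]) / z["n"], "txt_share": z["txt"] / z["n"]}
            for zone, z in per_zone.items()}

def flag_tunneling(lines, min_unique=5, min_entropy=3.0, min_len=40):
    """Zones with many distinct, long, high-entropy names (thresholds are assumptions)."""
    return sorted(zone for zone, s in score_queries(lines).items()
                  if s["unique"] >= min_unique and s["avg_entropy"] >= min_entropy
                  and s["avg_len"] >= min_len)
```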
To-do
Stuff that I found, but never read/used yet.
- DNSSEC (HTB/27180)
- Multiple domains can point to the same IP address
- Caching DNS Server
- Forwarding/Relay Server
- 3 configs (local DNS, reverse DNS, zone file)
c:\windows\system32\drivers\etc\hosts
- dnsspoof
- Record Classes (Internet, Hesiod, Chaos)
- dig CH TXT version.bind @IP: CHAOS query
- Bind9
$ dig axfr domain @IP > /tmp/list.dig
$ cat /tmp/list.dig | column -t | cut -d ' ' -f1 | grep '\.' | sed 's/\.$//' > /tmp/list.dig.clean
$ cat /tmp/list.dig.clean | while read x ; do dig ANY $x ; done > /tmp/domains.dig
$ grep -v '^;' /tmp/domains.dig | grep -v '^$' > /tmp/domains.dig.clean