DNS Lookup

What is a DNS lookup?

A domain has a number of records associated with it, a DNS server can be queried to determine the IP address of the primary domain (A record), mail servers (MX records), DNS servers (NS nameservers) and other items such as SPF records (TXT records).

Different tools provide this functionality, a common one being nslookup which is available on many operating systems including Microsoft Windows and most Linux distributions. Another tool found on Linux based systems is the dig tool. This is generally a more advanced tool that has a number of features that nslookup does not.

DNS Record type ANY

In the past we used the dig command line tool for this DNS lookup tool. We used it to show the response from a query of type any. Over the past couple of years the any query type has been deprecated.

A primary reason for deprecating the any type is that it was often used in DNS amplification attacks (DDOS). The idea of an amplification attack is the attacker sends a small response and gets a large response sent to the target. Often using simple spoofed DNS queries.

The service performs multiple queries against the following record types: A, AAAA, MX, NS, CNAME, TXT, PTR & SOA.

Security implications of DNS queries

By its nature external facing DNS is an open and public service, while the information is openly available you should be aware of what information is being revealed. Security penetration testers and attackers will use information collected from DNS to expand their knowledge of an organizations information technology infrastructure and from that knowledge begin to understand the attack surface.

For example, the SPF records that an organization publishes in order to improve email security can also reveal the IP addresses or hostnames of systems with the ability to send email. These services can all then become targets to be assessed and attacked.

API Access

In addition to the web form on this page there is another way to query the DNS records for a domain. A simple command line query using curl or any other HTTP based tool or software. Output is of content type text.

DNS Lookup - Plain Text Response

If you are a member with an API key simply add '&apikey=xxxx' to the query to use your additional API allowance.

curl https://api.hackertarget.com/dnslookup/?q=google.com

DNS Lookup - JSON Respose

curl "https://api.hackertarget.com/dnslookup/?q=outlook.com&output=json" | jq
{
  "A": [
    "52.96.228.130",
    "52.96.91.34",
    "52.96.111.82",
    "52.96.222.194"
  ],
  "AAAA": [],
  "MX": [
    "5 outlook-com.olc.protection.outlook.com."
  ],
  "NS": [
    "ns4-38.azure-dns.info.",
    "ns2-38.azure-dns.net.",
    "nse12.o365filtering.com.",
    "nse21.o365filtering.com."
  ],
  "TXT": [
    "google-site-verification=DC2uC-T8kD33lINhNzfo0bNBrw-vrCXs5BPF5BXY56g",
    "v=spf1 include:spf-a.outlook.com include:spf-b.outlook.com ip4:157.55.9.128/25 include:spf.protection.outlook.com"
  ],
  "CNAME": [],
  "SOA": [
    "ch0mgt0101dc001.prdmgt01.prod.exchangelabs.com. msnhst.microsoft.com. 2015937680 300 900 2419200 60"
  ]
}

The API is simple to use and aims to be a quick reference tool; like all our IP Tools there is a limit of 50 queries per day for Free users or you can increase the daily quota with a Membership. For those who need to send more packets HackerTarget has Enterprise Plans.