Searching for DNS records and DNS related information is an important part of reconnaissance for a penetration tester. Obtaining information regarding DNS servers and DNS records provides the Pen Tester/Red Team/Attacker with a deeper understanding of the organisations network.
With DNS it is not a 'one tool fits all' situation. You will need to use a variety of tools to gather the information. Hacker Target has a number of DNS related tools that gather different information. By combining these tools it should be possible to get a very good indication of where an organisations Internet systems are located both from IP address and physical location if used in conjunction with a GeoIP lookup.
- DNS Lookup
- Does not perform any scan of the Zone file or perform any searching for subdomains. This tool simply performs a DNS lookup using these record types
A, AAAA, MX, NS, CNAME, TXT, PTR & SOAagainst the target domain. The results will only show successful responses to the DNS query type.
DNS Lookup using example.com A : 18.104.22.168 AAAA : 2606:2800:220:1:248:1893:25c8:1946 MX : 0 . NS : a.iana-servers.net. NS : b.iana-servers.net. TXT : "v=spf1 -all" TXT : "8j5nfqld20zpcyr8xjw0ydcfq9rk8hgm" SOA : ns.icann.org. noc.dns.icann.org. 2020111712 7200 3600 1209600 3600
- Find Subdomains / Host Records and Reverse DNS / PTR record
- In order to find host records for a domain (subdomains), we have DNS data sets that are compiled DNS data from various sources on the Internet. These searches are not performed live as the DNS records are stored in our database.
Search for all known hosts of a domain in either the Host Search (A records) or the Reverse DNS search (PTR records). Alternatively use the Reverse DNS tool to perform a live reverse DNS lookup on a range of IP addresses.
DNS Host Search: example.com,22.214.171.124 www.example.com,126.96.36.199
Reverse DNS Search: server1.example.com,188.8.131.52 server1.example.com,184.108.40.206 dns1.example.com,220.127.116.11 dns2.example.com,18.104.22.168 dns1.example.com,22.214.171.124 dns2.example.com,126.96.36.199 dns1.example.com,188.8.131.52 dns2.example.com,184.108.40.206 vps63.example.com,220.127.116.11
- Zone Transfer
- This tool attempts to perform a zone transfer against the DNS servers for a particular domain. This uses the type
AXFRin an attempt to get a copy of the zone. For 99% of servers this will fail as it is a security risk to have zone transfers enabled from the Internet.
Zone transfer results using example.com: ; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> axfr @a.iana-servers.net example.com ; (2 servers found) ;; global options: +cmd ; Transfer failed. ; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> axfr @b.iana-servers.net example.com ; (2 servers found) ;; global options: +cmd ; Transfer failed.
- Find Shared NS Servers
- Find hosts sharing the same name server. Can be used to identify all domains within an organisation allowing rapid expansion of the attack surface. In the example below we see the discovery of related domains within the same organisation (different top level domains (tld) and root domains).
Using ns1.example.com example.com example.co.uk examplenetwork.ca
The above information is a summary of what each of the services can do. Check out the individual tool pages for full details, including information on the API, membership quotas, and more detailed information.
Below is a flowchart of the network discovery process. Notice its cyclic behaviour and the areas where these DNS tools will iteratively expand the attack surface.
Overview of the Network Discovery Process