Searching for DNS records and DNS related information is an important part of reconnaissance for a penetration tester. Obtaining information on DNS servers and DNS records provides the Pen Tester/Red Team/Attacker with a deeper understanding of the organisations network.
With DNS, it is not a 'one tool fits all' situation. You will need to use a variety of tools to gather the information. Hacker Target has a number of DNS related tools that gather different information. By combining these tools it should be possible to get a very good indication of where an organisations Internet systems are located both from IP address and physical location if used in conjunction with a GeoIP lookup.
- DNS Lookup
- The DNS Lookup tool does not perform any scan of the Zone file or perform any searching for subdomains. This tool simply performs a DNS lookup using these record types
A, AAAA, MX, NS, CNAME, TXT, PTR & SOAagainst the target domain. The results will only show successful responses to the DNS query type.
DNS Lookup using example.com A : 220.127.116.11 AAAA : 2606:2800:220:1:248:1893:25c8:1946 MX : 0 . NS : a.iana-servers.net. NS : b.iana-servers.net. TXT : "v=spf1 -all" TXT : "8j5nfqld20zpcyr8xjw0ydcfq9rk8hgm" SOA : ns.icann.org. noc.dns.icann.org. 2020111712 7200 3600 1209600 3600
- Find Subdomains / Host Records and Reverse DNS / PTR record
In order to find host records for a domain (subdomains), we have DNS data sets that are compiled DNS data from various sources on the Internet. These searches are not performed live, as the DNS records are stored in our database.
Search for all known hosts of a domain in either the Host Search (A records) or the Reverse DNS search (PTR records). Alternatively, use the Reverse DNS Lookup tool to perform a live reverse DNS lookup on a range of IP addresses.
DNS Host Search: example.com,18.104.22.168 www.example.com,22.214.171.124
Reverse DNS Search: server1.example.com,126.96.36.199 server1.example.com,188.8.131.52 dns1.example.com,184.108.40.206 dns2.example.com,220.127.116.11 dns1.example.com,18.104.22.168 dns2.example.com,22.214.171.124 dns1.example.com,126.96.36.199 dns2.example.com,188.8.131.52 vps63.example.com,184.108.40.206
- Zone Transfer
- The Zone Transfer tool attempts to perform a zone transfer against the DNS servers for a particular domain. This uses the type
AXFRin an attempt to get a copy of the zone. For 99% of servers this will fail as it is a security risk to have zone transfers enabled from the Internet.
Zone transfer results using example.com: ; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> axfr @a.iana-servers.net example.com ; (2 servers found) ;; global options: +cmd ; Transfer failed. ; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> axfr @b.iana-servers.net example.com ; (2 servers found) ;; global options: +cmd ; Transfer failed.
- Find Shared NS Servers
- Find hosts sharing the same name servers. Can be used to identify all domains within an organisation allowing rapid expansion of the attack surface. In the example below, we see the discovery of related domains within the same organisation (different top level domains (tld) and root domains).
Using ns1.example.com example.com example.co.uk examplenetwork.ca
The above information is a summary of what each of the services can do. Check out the individual tool pages for full details, including information on the API, membership quotas, and more detailed information.
Below is a flowchart of the network discovery process. Notice its cyclic behaviour and the areas where these DNS tools will iteratively expand the attack surface.
Overview of the Network Discovery Process