DNS Hacking (Beginner to Advanced)

DNS is a naming system for computers that converts human-readable domain names (e.g. infosecinstitute.com) into computer-readable IP addresses. However, some security vulnerabilities exist due to misconfigured DNS nameservers that can lead to information disclosure about the domain. This forms an important step of the Information Gathering stage during a penetration test or vulnerability assessment. In this article we will look at the following areas:

- DNS Basics
- Resource records and the Zone file
- DNS Lookup and Reverse DNS Lookup
- Understanding Wildcard Entries
- DNS Zone transfer
- DNS Bruteforcing

1) DNS Basics

DNS converts human-readable domain names into IP addresses. This is because domain names are much easier to remember than IP addresses. This process may take place through a local cache or through a zone file that is present on the server. A zone file is a file on the server that contains entries for different Resource Records (RR). These records can provide us with a lot of information about the domain. We will look more into Resource Records and the zone file in the next section.

So let's understand how DNS resolution works. Let's say the user opens up the browser and types in infosecinstitute.com. It is now the responsibility of the DNS resolver in the user's operating system to fetch the IP address. It first checks its local cache to see if it can find a record for the queried domain name. A cache usually contains a mapping of IP addresses to hostnames which are saved during recent lookups so that the resolver does not have to fetch the IP address again and again. If it can't find the IP address in its cache, it queries the DNS server to see if it has a record for it.
A DNS server is usually given to you by the ISP, or you can manually set up a DNS server for yourself. If it still can't find the IP address, then it goes through a process of recursive DNS query in which it queries different nameservers to get the IP address of the domain. As soon as it finds the IP address it returns it to the user and also caches it for future use.

Let's do a quick demo. We are going to use the "nslookup" utility for this demo. Just type in the commands as shown in the figure below.

a) In the second line we set the type = a.
This means that we are querying for the A records, which will return an IP address for the domain we query. We will look more into records in the next section.

b) As soon as we type in google.com we get an output showing the server and an IP-address#port. This server is basically the current DNS server that will be serving our request. In this case it is 10.0.1.1 and the port number is 53. This is because DNS uses UDP port 53 to serve its requests. We can also set the current DNS server by using the command "server IP-address".

c) The third line in the output shows "Non-authoritative answer". This basically means that our DNS server queried an external DNS server to fetch the IP address. Below we can see all the IP addresses associated with google.com. This is usually the case with large organizations: they use multiple servers to serve requests, as one server is generally not capable of handling all of them.

QUICK EXERCISE: Set the current server to ns1.google.com by using the command "server ns1.google.com", and see if you still get "Non-authoritative answer" in the output for a query for the domain google.com. Also explore the tool dig and see if you can do the above exercise using dig.

2) Resource Records and the Zone file

A zone file is basically a text file present on the server hosting the domain that contains entries for different resource records. Each line represents a different record. In some cases a record may exceed one line and hence must be enclosed within parentheses. Each zone file must start with a Start of Authority (SOA) record containing an authoritative nameserver for the domain (e.g. ns1.google.com for google.com) and an email address of someone responsible for the management of the nameserver. An example of a zone file is given below.

$ORIGIN infosecinstitute.com.   ; This marks the beginning of the file
$TTL 86400                      ; TTL is 24 hours, it could also be 1d or 1h
infosecinstitute.com IN SOA ns1.infosecinstitute.com. webmaster.infosecinstitute.com.
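To make the zone-file conventions above concrete, here is an added Python example (not from the article): a small parser for the BIND-style format that handles $ORIGIN, $TTL, ';' comments, a record spanning several lines in parentheses and names relative to the origin, plus a check that the zone begins with an SOA record. The sample zone it parses is constructed here and is not the article's own zone file.

```python
# Constructed sample zone (not the article's): directives, a multi-line SOA, comments, relative names.
SAMPLE_ZONE = """\
$ORIGIN infosecinstitute.com.   ; This marks the beginning of the file
$TTL 86400                      ; TTL is 24 hours, it could also be 1d or 1h
@   IN  SOA ns1.infosecinstitute.com. webmaster.infosecinstitute.com. (
            2024010101 ; serial
            7200       ; refresh
            3600       ; retry
            1209600    ; expire
            86400 )    ; minimum
@   IN  NS  ns1.infosecinstitute.com.
www IN  A   192.0.2.10
"""

def _logical_lines(text):
    """Strip ';' comments and join records that span several lines in parentheses."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield " ".join(buf)
            buf = []

def parse_zone(text):
    """Return (origin, default_ttl, records); a record is a dict with fqdn, type, ttl, rdata."""
    origin, ttl, records = "", None, []
    for line in _logical_lines(text):
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            ttl = int(fields[1])
            continue
        owner = fields.pop(0)
        if fields[0] == "IN":           # the class field is optional
            fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        # '@' is the origin itself; names without a trailing dot are relative to it.
        fqdn = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        records.append({"fqdn": fqdn, "type": rtype, "ttl": ttl, "rdata": rdata})
    return origin, ttl, records

def starts_with_soa(records):
    """The rule from the article: every zone file must begin with an SOA record."""
    return bool(records) and records[0]["type"] == "SOA"
```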
Prateek Gianchandani, a recent IIT graduate, has interests in the field of Penetration Testing, Web Application Security and Intrusion Detection. He is currently a researcher for InfoSec Institute. In the past he has worked for security-based startups. You can contact him at firstname.lastname@example.org and on twitter @prateekg147, or you can visit his personal website at highaltitudehacks.com.