Primary category → Protocols and Services

References
  • Most Popular Types of DNS Attacks (see here)

DNS → Domain Name System

Enumeration

Nameserver Query

Query for All Available Nameservers

Dig
dig ns <DOMAIN> @<TARGET> +short

Query for DNS Server Version

Dig
dig CHAOS TXT version.bind @<TARGET> +short # CHAOS can be abbreviated as CH
Nmap
nmap -p<DNS_PORT> --script dns-nsid -vvv -Pn <TARGET>
ANY Query

Query for All Available DNS Records

dig ANY <DOMAIN> @<TARGET>
Query for Specific DNS Records
A - AAAA
dig A <DOMAIN> @<TARGET>
dig AAAA <DOMAIN> @<TARGET>
MX
dig MX <DOMAIN> @<TARGET>
TXT
dig TXT <DOMAIN> @<TARGET>
CNAME
dig CNAME <DOMAIN> @<TARGET>

DNS Zone Transfer

Asynchronous Full Transfer Zone
Dig
  • Only DNS Records’ value from DNS Answer
dig AXFR @<TARGET> <DOMAIN> +short
  • Full DNS Answer
dig AXFR @<TARGET> <DOMAIN> +noall +answer
  • The zone name is required: with no name, dig queries the root zone ("."), so the AXFR request is not meaningful
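As an added example that is not part of this cheat sheet: a small Python helper for auditing your own zones for exposed zone transfers. It runs the dig AXFR command above against one nameserver and triages the output (did the transfer complete, and does the zone leak RFC 1918 / ULA addresses?). The sample output, the example.test zone and the function names are constructed for illustration.

```python
import ipaddress
import re
import subprocess

# Constructed sample of `dig AXFR @<TARGET> <DOMAIN> +noall +answer` output (not real data).
SAMPLE_AXFR = """\
example.test.\t3600\tIN\tSOA\tns1.example.test. admin.example.test. 2024010101 7200 3600 1209600 3600
example.test.\t3600\tIN\tNS\tns1.example.test.
ns1.example.test.\t3600\tIN\tA\t203.0.113.10
intranet.example.test.\t300\tIN\tA\t10.0.5.20
mail.example.test.\t3600\tIN\tMX\t10 mx.example.test.
example.test.\t3600\tIN\tSOA\tns1.example.test. admin.example.test. 2024010101 7200 3600 1209600 3600
"""

# name  ttl  class  type  rdata, as printed in dig's answer section
RR = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH)\s+(\S+)\s+(.*)$")
# Address space that should never appear in an externally reachable zone
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def parse_answer(text):
    """Parse dig +noall +answer lines into (name, ttl, class, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3), m.group(4), m.group(5)))
    return records

def triage_axfr(text):
    """Summarise one AXFR attempt: did the transfer complete, and what did it expose?"""
    records = parse_answer(text)
    # dig prints "; Transfer failed." (no RRs) when the server refuses; a completed
    # AXFR starts and ends with the zone's SOA record.
    transferred = len(records) >= 2 and records[0][3] == "SOA" and records[-1][3] == "SOA"
    internal = []
    for name, _ttl, _cls, rtype, rdata in records:
        if rtype in ("A", "AAAA") and any(ipaddress.ip_address(rdata) in net for net in INTERNAL_NETS):
            internal.append((name, rdata))
    return {"transferred": transferred, "records": len(records), "internal_hosts": internal}

def run_axfr(domain, nameserver):
    """Run the cheat sheet's dig AXFR command against one nameserver and triage the result."""
    proc = subprocess.run(["dig", "AXFR", f"@{nameserver}", domain, "+noall", "+answer"],
                          capture_output=True, text=True, timeout=30)
    return triage_axfr(proc.stdout)
```

Run run_axfr() once per nameserver returned by the `dig ns` query above; any nameserver that reports transferred=True should have AXFR restricted to its secondaries.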
Fierce
fierce --domain <DOMAIN>

Subdomains Enumeration

Tools
  • DNSEnum (see here)
  • Fierce (see here)
  • DNSRecon (see here)
  • Amass (see here)
  • AssetFinder (see here)
  • PureDNS (see here)
Passive
Amass
  • Passive Mode
amass enum -passive -d <DOMAIN>
Subfinder
subfinder -v -d <DOMAIN>
Sublist3r
python sublist3r.py --domain <DOMAIN>
Active - Subdomain Brute-Force
Dig
while IFS= read -r _subdomain ; do
  printf "%s.<DOMAIN> -> %s\n" "$_subdomain" "$( dig "$_subdomain".<DOMAIN> @<RESOLVER> +short )"
done < <WORDLIST>
Gobuster
gobuster dns --resolver <RESOLVER> --domain <DOMAIN> --wordlist <WORDLIST>
Amass
  • Active Mode
amass enum -active -brute -w <WORDLIST> -d <DOMAIN> -o <OUTPUT_FILE>
DNSEnum
dnsenum --enum <DOMAIN> -f <WORDLIST> -r
Sublist3r
  • Subbrute module enabled
python sublist3r.py --domain <DOMAIN> --bruteforce

[sub]Domain Takeover

Resources
  • Can-I-take-over-XYZ

DNS Spoofing

Local DNS Spoofing

This can be carried out if an attacker manages to compromise the victim's primary DNS server (usually the Domain Controller in Active Directory environments), or sets up a rogue DNS server on the network that becomes the victim's primary DNS server.

The latter can be achieved through DHCPv6 spoofing, where an attacker uses tools such as mitm6 to send IPv6 RA (Router Advertisement) messages to the network hosts and waits for clients to respond with a DHCPv6 SOLICIT message. This works because Windows hosts request IPv6 configuration via DHCPv6 by default and prefer IPv6 name servers over IPv4 ones, even on networks where IPv6 is not actually deployed.

The client ends up with an IPv6 configuration in which the primary DNS server is the attacker's rogue DNS server.

Therefore, any NR (Name Resolution) via DNS from the victim is sent to the attacker. On the defensive side, this is mitigated by disabling DHCPv6 on hosts where IPv6 is unused, or by filtering rogue RA and DHCPv6 traffic at the switch (RA Guard / DHCPv6 Guard).
