DNS is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates more readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols.
Host name resolution
Browser -> DNS client on the OS (stub resolver) -> external DNS server (DNS recursor) -> server in the DNS root zone -> Top Level Domain server (TLD, e.g. .com)
- Domain Name System (Wikipedia)
DNS Interaction
If Burp Collaborator shows only a DNS interaction, also try an HTTP request to the Collaborator host on the DNS port (53):
http://<burp collaborator ID>:53/
DNS Enumeration – Online Tools
DNS Enumeration Tools
- dnsenum
- dnsrecon
- host command
- Nmap: also locates DNS servers with a sweep of port 53
- dig
- dns_transfer.sh
- list_subdomains_and_ip.sh
- list_subdomains_and_ip2.sh
Nmap scripts
IP=x.x.x.x
DOMAIN=example.com
ls -la /usr/share/nmap/scripts/dns*
# quote the script glob so that nmap, not the shell, expands it
nmap -Pn -sV -p 53 --script "dns*" --script-args dns-nsec-enum.domains=${DOMAIN} ${IP}
Enumeration of domain name servers
host command
# DNS Enumeration
# Megacorp One: demo site for testing
# Altoro Mutual: fake banking site for testing
# ns: the name servers that are authoritative for the domain
# returns the DNS servers used to resolve this domain
host -t ns example.com
# keep only the server names (4th space-separated field of each line)
host -t ns example.com | cut -d " " -f 4
# mx: mail exchangers for the domain, with their priority
host -t mx megacorpone.com
dnsenum
This tool attempts zone transfers and subdomain brute-forcing, so it is noisy; do not use it when only passive recon is wanted.
# Help
dnsenum
# Basic DNS enumeration
DOMAIN="zonetransfer.me"
dnsenum $DOMAIN
dnsrecon
# Help
dnsrecon
# Zone transfer attempt (-t axfr) against every name server of the domain
DOMAIN="example.com"
dnsrecon -d $DOMAIN -t axfr
DNS transfer
nmap
nmap --script=dns-zone-transfer -p 53 ns2.megacorpone.com
host command
# DNS Zone Transfer
# asks the name server for a full copy of the zone, as a secondary server would
# try every name server of the domain; a permissive one returns every record with its IP
# usage: host -l <domain> <nameserver>
host -l megacorpone.com ns3.megacorpone.com
dig
# DNS zone transfer (AXFR) against a name server on a non-standard port
PORT=54011
DOMAIN="ch11.challenge01.somedomain.org"
IP=x.x.x.x
dig @${IP} -p $PORT $DOMAIN -t AXFR
# Example
dig @x.x.x.x -p 54011 ch11.challenge01.somedomain.org -t AXFR
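As an added example that is not part of these notes: a small Python script that builds the same request dig sends for -t AXFR (one question, QTYPE 252, over TCP) and classifies the server's first reply, so you can audit your own name servers for open zone transfers without relying on dig's output format. Only check_axfr() talks to the network; the other functions are pure and run offline. The 0x1234 transaction ID and the verdict labels are my own choices, and the sample replies in the test are constructed, not captured.

```python
import socket
import struct

QTYPE_AXFR = 252  # QTYPE of a full zone transfer request (RFC 5936); dig sends it for "-t AXFR"
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(domain):
    """Encode a domain as DNS wire-format labels: length byte + label bytes, 0x00 terminator."""
    labels = [lab.encode("ascii") for lab in domain.strip(".").split(".")]
    if any(not 0 < len(lab) < 64 for lab in labels):
        raise ValueError("bad label in %r" % domain)
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"

def build_axfr_query(domain, txid):
    """One-question DNS message: 12-byte header (flags 0 = standard query), QNAME, QTYPE 252, class IN (1)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(domain) + struct.pack("!HH", QTYPE_AXFR, 1)

def parse_header(msg):
    """Return (txid, rcode, ancount) from a DNS header; rcode is the low 4 bits of the flags word."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return txid, flags & 0x000F, ancount

def classify_axfr_response(msg, expected_txid):
    """Verdict for the first message a server returns to an AXFR request."""
    txid, rcode, ancount = parse_header(msg)
    if txid != expected_txid:
        return "MISMATCHED_TXID"  # not the answer to our query; do not trust it
    if rcode != 0:
        return RCODE_NAMES.get(rcode, "RCODE_%d" % rcode)  # REFUSED / NOTAUTH: transfer denied
    return "ZONE_EXPOSED" if ancount > 0 else "NOERROR_EMPTY"  # records returned: anyone can pull the zone

def recv_exact(sock, n):
    buf = b""  # DNS over TCP frames each message with a 2-byte length, so read exactly n bytes
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf

def check_axfr(server_ip, domain, port=53, timeout=5.0):
    """Send an AXFR request over TCP (AXFR is TCP-only) to one name server and classify its first reply."""
    txid = 0x1234  # fixed for the audit; a resolver would randomise this
    query = build_axfr_query(domain, txid)
    with socket.create_connection((server_ip, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", recv_exact(s, 2))[0]
        return classify_axfr_response(recv_exact(s, length), txid)
```

Run it against each server from `host -t ns <domain>` with check_axfr(server_ip, domain); a ZONE_EXPOSED verdict means the server handed the zone to an unauthenticated client. Restrict transfers to your secondaries (allow-transfer in BIND, or a TSIG key) and re-run the check until every server answers REFUSED or NOTAUTH.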