Domain Name System (DNS) – port 53

DNS is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates more readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols.

Host name resolution

Browser -> stub resolver (DNS client in the OS: hosts file and local cache first) -> recursive resolver (ISP or public recursor, answers from cache if it can) -> root server (refers the recursor to the TLD servers) -> TLD server (e.g. .com, refers it to the domain's name servers) -> authoritative name server for the domain (returns the record, which the recursor caches and hands back down the chain)
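The chain above carried out by hand, as an added example that is not part of the original page: each hop is queried with dig +norecurse, so the server either answers from its own zone (AA flag set) or hands back a referral in the AUTHORITY section, which the script follows. Assumptions: 198.41.0.4 (a.root-servers.net) as the starting root server, BIND's dig installed, and the system resolver being allowed to turn a referred NS name into an address when dig is pointed at it with @name. The SAMPLE_* values are constructed dig output for illustration, not captured traffic.

```shell
#!/bin/sh
# Added example (not from the original page): resolve a name the way a
# recursive resolver does, one referral at a time, with dig +norecurse.
# Assumption: a.root-servers.net (198.41.0.4) is the starting point, and
# "@<ns name>" lets the system resolver find the referred server's address.
ROOT_SERVER="198.41.0.4"
MAX_HOPS=8

# Constructed samples of what the two dig calls below print (not real lookups).
SAMPLE_REFERRAL='com.   172800  IN  NS  a.gtld-servers.net.
com.   172800  IN  NS  b.gtld-servers.net.'
SAMPLE_REFERRAL_HEADER=';; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27'
SAMPLE_AA_HEADER=';; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Print the NS names (trailing dot stripped) from "dig +noall +authority" output on stdin.
referral_ns() {
    awk '$4 == "NS" { sub(/\.$/, "", $5); print $5 }'
}

# Exit 0 if the "dig +noall +comments" header on stdin carries the aa (authoritative) flag.
has_aa() {
    awk '/^;; flags:/ { for (i = 3; i <= NF; i++) { f = $i; sub(/;$/, "", f); if (f == "aa") found = 1 } }
         END { exit !found }'
}

# Walk root -> TLD -> authoritative for an A record, printing each hop.
iterative_resolve() {  # iterative_resolve <fqdn>
    name="$1"; server="$ROOT_SERVER"; hop=0
    while [ "$hop" -lt "$MAX_HOPS" ]; do
        hop=$((hop + 1))
        # Authoritative answer: this server owns the zone, print the record and stop.
        if dig +norecurse +noall +comments "@$server" "$name" A | has_aa; then
            echo "hop $hop: $server is authoritative for $name"
            dig +norecurse +noall +answer "@$server" "$name" A
            return 0
        fi
        # Otherwise expect a referral: take the first NS named in the AUTHORITY section.
        next=$(dig +norecurse +noall +authority "@$server" "$name" A | referral_ns | head -n 1)
        if [ -z "$next" ]; then
            echo "hop $hop: $server returned neither an answer nor a referral" >&2
            return 1
        fi
        echo "hop $hop: $server refers $name to $next"
        server="$next"
    done
    echo "gave up after $MAX_HOPS hops" >&2
    return 1
}

# Usage: ./iter_resolve.sh www.example.com   (does nothing without an argument)
if [ "$#" -gt 0 ]; then
    iterative_resolve "$1"
fi
```

`dig +trace` performs the same walk in one command; the script only makes the per-hop decision visible (authoritative answer versus referral). The awk parsing assumes dig's default record layout (name, TTL, class, type, rdata).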

DNS Interaction

A DNS lookup arriving in Burp Collaborator proves the target resolved the payload's hostname. If no HTTP request follows, outbound HTTP is probably filtered while port 53 is allowed, so retry the payload pointed at the DNS port:

http://<burp collaborator ID>:53/

DNS Enumeration – Online Tools

DNS Enumeration Tools

  • dnsenum 
  • dnsrecon
  • host command
  • Nmap – also locates DNS servers: sweep the range for open port 53 (UDP and TCP)
  • dig
  • dns_transfer.sh 
  • list_subdomains_and_ip.sh 
  • list_subdomains_and_ip2.sh

Nmap scripts

IP=x.x.x.x
DOMAIN=example.com
# List the dns-* scripts first: the wildcard also matches noisy, intrusive ones
# such as dns-brute, dns-fuzz and dns-zone-transfer
ls -la /usr/share/nmap/scripts/dns*
# Quote the wildcard so the shell cannot expand it against files in the current directory
nmap -Pn -sV -p 53 --script "dns*" --script-args dns-nsec-enum.domains=${DOMAIN} $IP

Enumeration of domain name servers

host command

# DNS Enumeration
# Megacorp One (megacorpone.com): demo domain built for practising recon
# Altoro Mutual: fake banking site built for testing

# ns: name servers authoritative for the domain
# Output line is "<domain> name server <ns>." so the 4th space-separated field is the server
host -t ns example.com
host -t ns example.com | cut -d " " -f 4

# mx: mail exchangers for the domain, with their priority (lowest value is preferred)
host -t mx megacorpone.com

dnsenum

❗ dnsenum is not passive: it attempts zone transfers against every name server it finds and brute-forces subdomains from a wordlist. Do not use it when the engagement allows passive recon only.

# Help
dnsenum

# Basic DNS enumeration
DOMAIN="zonetransfer.me"
dnsenum $DOMAIN

dnsrecon

# Help
dnsrecon -h

# Standard enumeration (SOA, NS, MX, A/AAAA and SRV records)
DOMAIN="example.com"
dnsrecon -d $DOMAIN

# Zone transfer attempt against every NS of the domain
dnsrecon -d $DOMAIN -t axfr

DNS transfer

nmap

# Pass the zone name explicitly rather than relying on the script to guess it from the target's hostname
nmap --script=dns-zone-transfer --script-args dns-zone-transfer.domain=megacorpone.com -p 53 ns2.megacorpone.com

host command

# DNS Zone Transfer (AXFR)
# Asks the name server for a full copy of the zone, as a secondary server would
# Try every NS listed for the domain: a misconfigured one returns every record with its IP
# host -l <domain> <nameserver>
host -l megacorpone.com ns3.megacorpone.com

dig

# Zone transfer (AXFR) from a server listening on a non-standard port (-p)
PORT=54011
DOMAIN="ch11.challenge01.somedomain.org"
IP=x.x.x.x

dig @${IP} -p $PORT $DOMAIN -t AXFR

# Example
dig @x.x.x.x -p 54011 ch11.challenge01.somedomain.org -t AXFR
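The whole "DNS transfer" procedure above (list the domain's name servers, try AXFR against each, optionally on a non-standard port, and pull hostnames and IPs out of a successful dump) as one script. This is an added example, not dns_transfer.sh or any other script from the original page; it assumes BIND's host and dig are installed, and SAMPLE_NS_OUTPUT and SAMPLE_ZONE are constructed data for illustration (RFC 5737 addresses), not real lookups.

```shell
#!/bin/sh
# Added example, not one of the page's own scripts: enumerate the name servers
# of a domain, attempt AXFR against each (optionally on a non-standard port),
# and reduce a successful transfer to a hostname/IP list.
# Assumes BIND's "host" and "dig". The SAMPLE_* values are constructed data.

SAMPLE_NS_OUTPUT='example.com name server ns1.example.com.
example.com name server ns2.example.com.'

SAMPLE_ZONE='example.com.      3600 IN SOA  ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com.      3600 IN NS   ns1.example.com.
example.com.      3600 IN NS   ns2.example.com.
example.com.      3600 IN MX   10 mail.example.com.
ns1.example.com.  3600 IN A    192.0.2.1
ns2.example.com.  3600 IN A    192.0.2.2
www.example.com.  3600 IN A    192.0.2.10
mail.example.com. 3600 IN A    192.0.2.20
www.example.com.  3600 IN A    192.0.2.10'

# Name servers from "host -t ns" output ("<domain> name server <ns>."), stdin -> stdout.
ns_from_host_output() {
    awk '$2 == "name" && $3 == "server" { sub(/\.$/, "", $4); print $4 }'
}

list_ns() {  # list_ns <domain>
    host -t ns "$1" | ns_from_host_output
}

# A real transfer always carries the zone's SOA record; a refused one prints
# "; Transfer failed." or nothing. Exit 0 when stdin looks like a transferred zone.
axfr_succeeded() {
    grep -q '^[^;].*[[:space:]]SOA[[:space:]]'
}

# Reduce a dig AXFR dump (stdin) to unique "hostname ip" pairs for A records.
parse_axfr_hosts() {
    awk '$4 == "A" { sub(/\.$/, "", $1); print $1, $5 }' | sort -u
}

# Print the zone if NAMESERVER allows AXFR of DOMAIN, otherwise return 1.
try_axfr() {  # try_axfr <domain> <nameserver> [port]
    zone=$(dig +noall +answer "@$2" -p "${3:-53}" "$1" AXFR)
    if printf '%s\n' "$zone" | axfr_succeeded; then
        printf '%s\n' "$zone"
        return 0
    fi
    return 1
}

# Try every NS of DOMAIN: only a misconfigured one will answer.
axfr_all() {  # axfr_all <domain> [port]
    for ns in $(list_ns "$1"); do
        if zone=$(try_axfr "$1" "$ns" "$2"); then
            echo "[+] $ns allows zone transfer of $1"
            printf '%s\n' "$zone" | parse_axfr_hosts
        else
            echo "[-] $ns refused AXFR for $1"
        fi
    done
}

# Usage: ./axfr_all.sh megacorpone.com [port]   (does nothing without an argument)
if [ "$#" -gt 0 ]; then
    axfr_all "$1" "$2"
fi
```

Success is judged by the presence of an SOA record rather than by dig's exit code, because dig exits 0 on a refused transfer too. Only A records are reduced to host/IP pairs; AAAA, CNAME and SRV records in the dump are worth reading by hand since they often reveal internal naming.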