DNS reconnaissance is one of the basic steps, and one of the most important parts, of any engagement. DNS stands for Domain Name System: it keeps track of the records that map names to the IP addresses, services and other resources connected to the Internet. Computers route packets by numeric addresses, not by names, so a name like “www.google.com” has to be resolved to an address before a connection can be made, and that is the job of DNS. When our computer sends a query to a DNS server, the server looks up its records (or asks other servers on our behalf) and returns the numeric form, for example “188.8.131.52”, so that the request can proceed.
~ DNS works on port 53. Ordinary queries go over UDP (connectionless); TCP/53 is used when a reply is too large for one UDP datagram (the server sets the TC bit and the client retries over TCP).
~ nslookup and dig use UDP by default (dig +tcp forces TCP).
~ Zone transfers (AXFR) always run over TCP.
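To make the port-53 details concrete, here is an added example (not code from the original post) that builds a DNS query by hand with only the Python standard library, frames it the way TCP/53 requires, and parses a reply, including the compression pointers real servers use. The reply bytes in sample_response() are constructed for the example, not captured from a server; query_tcp() is the only function that touches the network.

```python
import socket
import struct

# Record type codes used here (RFC 1035, 3596, 2782, 5936 values).
QTYPE = {"A": 1, "NS": 2, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16,
         "AAAA": 28, "SRV": 33, "AXFR": 252, "ANY": 255}

def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234, rd=True):
    """12-byte header plus one question: exactly the payload of a UDP/53 query."""
    flags = 0x0100 if rd else 0                      # RD: ask the server to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)

def tcp_frame(msg):
    """Over TCP/53 (AXFR, or a retry after a truncated UDP reply) each message
    is preceded by its length as a 2-byte big-endian integer."""
    return struct.pack("!H", len(msg)) + msg

def decode_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, next offset)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # pointer to an earlier name
            hops += 1
            if hops > 16:                            # refuse pointer loops
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_response(msg):
    """Return the header flags that matter for recon and the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
            "rcode": flags & 0xF, "answers": []}
    off = 12
    for _ in range(qd):                              # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == QTYPE["A"]:
            value = ".".join(str(b) for b in rdata)
        elif rtype == QTYPE["MX"]:
            pref = struct.unpack("!H", rdata[:2])[0]
            host, _ = decode_name(msg, off + 2)      # may point back into the message
            value = (pref, host)
        else:
            value = rdata                            # raw bytes for other types
        info["answers"].append((name, rtype, ttl, value))
        off += rdlen
    return info

def query_tcp(server, name, qtype, timeout=3.0):
    """Send one query over TCP/53 and read the length-framed reply (needs network)."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(build_query(name, qtype)))
        length = struct.unpack("!H", s.recv(2))[0]
        data = b""
        while len(data) < length:
            data += s.recv(length - len(data))
    return parse_response(data)

def sample_response():
    """Constructed (not captured) reply to build_query('example.com', 'MX'):
    authoritative, one MX answer, owner name compressed to the question name."""
    question = build_query("example.com", "MX")[12:]
    header = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)   # QR|AA|RD|RA
    rdata = struct.pack("!H", 10) + b"\x04mail" + b"\xc0\x0c"       # 10 mail.example.com
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE["MX"], 1, 3600, len(rdata)) + rdata
    return header + question + answer
```

The bytes from build_query() go into a UDP datagram unchanged (sock.sendto(..., (server, 53))); over TCP they must be preceded by their length, which is why an AXFR client reads the 2-byte prefix before each message. A reply with tc set is the signal to repeat the query over TCP.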
Now that you have a basic understanding of what a DNS server does, let's look at how to get information out of one.
Before starting, I want to explain a few terms so that the rest reads quickly and easily.
*** Zone transfers or “AXFR”: Many company and ISP networks deploy multiple DNS servers for redundancy and load balancing. The secondary servers need a way to obtain the zone data held by the primary, and that is done with a ZONE TRANSFER. During a zone transfer, commonly called AXFR after the query type, one DNS server sends every record it holds for the zone to another DNS server (the incremental variant, IXFR, sends only the changes since a given serial). This keeps the servers in sync; it also means that a server which answers AXFR for anyone hands a complete copy of the zone to whoever asks.
*** SOA (Start of Authority): Each zone has exactly one SOA record, at its apex. It holds the primary name server for the zone (MNAME), the mailbox of the zone administrator (RNAME, written with the “@” replaced by a dot), the zone's serial number (which secondaries compare against their copy to decide whether a new version exists), and four timers in seconds: REFRESH, how long a secondary waits before checking the primary for updates; RETRY, how long it waits before retrying a failed refresh; EXPIRE, how long it may keep serving the zone without a successful refresh before it must stop; and MINIMUM, originally the default TTL for records in the zone and today (RFC 2308) the TTL for negative (NXDOMAIN) caching. The SOA does not list mail servers; those are in MX records.
*** Authoritative answer: an answer is authoritative when it comes from a DNS server that holds the complete zone file for the domain; such a server sets the AA flag in its reply.
*** Non-authoritative answer: an answer that comes from a resolver which does not hold the zone itself but returns data it cached from earlier queries it forwarded to the authoritative servers.
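As an added example (not code from the original post), the helpers below take the single line that `dig +short <zone> SOA` prints, name each SOA field, turn RNAME back into a mailbox, decode a YYYYMMDDnn serial when the zone uses that convention, and read the aa flag from dig's “;; flags:” header line to tell an authoritative answer from a cached one. The sample lines are constructed, not captured from a real server.

```python
import datetime
import re

SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")

def rname_to_email(rname):
    """RNAME is the admin mailbox with '@' replaced by '.'; a backslash-escaped
    dot in the local part ('john\\.doe.example.com.') is a literal dot."""
    rname = rname.rstrip(".")
    local, i = "", 0
    while i < len(rname):
        if rname[i] == "\\" and i + 1 < len(rname):
            local += rname[i + 1]
            i += 2
        elif rname[i] == ".":                    # first unescaped dot is the '@'
            return local + "@" + rname[i + 1:]
        else:
            local += rname[i]
            i += 1
    return local + "@"

def serial_date(serial):
    """Many zones use YYYYMMDDnn serials; return (year, month, day, revision)
    when the serial fits that convention, else None."""
    text = str(serial)
    if len(text) != 10:
        return None
    try:
        day = datetime.date(int(text[:4]), int(text[4:6]), int(text[6:8]))
    except ValueError:
        return None
    return (day.year, day.month, day.day, int(text[8:]))

def parse_soa(short_line):
    """Parse one line of `dig +short <zone> SOA` output into named fields."""
    parts = short_line.split()
    if len(parts) != 7:
        raise ValueError("expected 7 SOA fields, got %d" % len(parts))
    soa = dict(zip(SOA_FIELDS, parts))
    for key in SOA_FIELDS[2:]:                   # serial and the four timers
        soa[key] = int(soa[key])
    soa["admin_email"] = rname_to_email(soa["rname"])
    soa["serial_date"] = serial_date(soa["serial"])
    return soa

def is_authoritative(header_line):
    """True when dig's ';; flags: ...' line contains 'aa', i.e. the reply came
    from a server that holds the zone rather than from a resolver's cache."""
    match = re.search(r";; flags:([^;]*);", header_line)
    if not match:
        raise ValueError("not a dig flags line")
    return "aa" in match.group(1).split()

# Constructed sample lines (not captured from a real server).
SAMPLE_SOA = "ns1.example.com. hostmaster.example.com. 2024031501 7200 900 1209600 3600"
SAMPLE_AUTH = ";; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"
SAMPLE_CACHED = ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"
```

Compare the serial from each NS you find: a secondary whose serial lags the primary is out of sync, and a serial that decodes to a date tells you when the zone last changed. When is_authoritative() returns False you are reading a cache, so repeat the query with dig @ns1.example.com to get the zone's own answer.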
Reverse DNS and the special PTR record:
I found the text below on another website, and the information is so clean that it is best if you read it yourself; it is easy to understand as well.
Reverse DNS is IP address to domain name mapping – the opposite of forward (normal) DNS which maps domain names to IP addresses.
Reverse DNS is separate from forward DNS.
Forward DNS for “abc.com” pointing to IP address “184.108.40.206” does not necessarily mean that reverse DNS for IP “184.108.40.206” also points to “abc.com”.
This comes from two separate sets of data.
A special PTR-record type is used to store reverse DNS entries. The name of the PTR-record is the IP address with the segments reversed + “.in-addr.arpa”.
For example, the reverse DNS entry for IP 18.104.22.168 would be stored as a PTR-record for “168.22.104.18.in-addr.arpa”.
Reverse DNS is also different from forward DNS in who points the zone (domain name) to your DNS server.
With forward DNS, you point the zone to your DNS server by registering that domain name with a registrar.
With reverse DNS, your Internet connection provider (ISP) must point (or “sub-delegate”) the zone (“….in-addr.arpa”) to your DNS server.
Without this sub-delegation from your ISP, your reverse zone will not work. Reverse DNS is mostly used by humans for such things as tracking where a web-site visitor came from, or where an e-mail message originated, etc. It is typically not as critical as forward DNS – visitors will still reach your web-site just fine without any reverse DNS for your web-server IP or the visitor’s IP.
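Added example (not part of the quoted text or of the original post): computing the reverse-lookup name, going back from the name to the address, and checking forward-confirmed reverse DNS (FCrDNS), which is the test mail servers apply to exactly the mismatch the quoted text describes. It also covers IPv6, whose reverse names use one nibble per label under ip6.arpa, which the quoted text does not mention. The PTR and address tables are constructed; the IPs are the ones used in the text. (The standard library's ipaddress.ip_address(ip).reverse_pointer produces the same name without the trailing dot.)

```python
import ipaddress

def reverse_name(ip):
    """Name to query for the PTR record of `ip`: reversed octets under
    in-addr.arpa for IPv4, reversed hex nibbles under ip6.arpa for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")         # 32 zero-padded hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def name_to_ip(name):
    """Inverse of reverse_name: recover the address from an .arpa name."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        return str(ipaddress.ip_address(".".join(reversed(labels[:-2]))))
    if labels[-2:] == ["ip6", "arpa"]:
        hexstr = "".join(reversed(labels[:-2]))
        groups = [hexstr[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.ip_address(":".join(groups)))
    raise ValueError("not a reverse-lookup name: %s" % name)

def fcrdns(ip, ptr_lookup, addr_lookup):
    """Forward-confirmed reverse DNS: keep only the PTR targets whose A/AAAA
    set contains `ip`. Lookups are callables so a real resolver can be plugged in."""
    return [host for host in ptr_lookup(reverse_name(ip)) if ip in addr_lookup(host)]

# Constructed records for the example; the two data sets are deliberately
# independent, as the text explains.
PTR_RECORDS = {
    "52.131.8.188.in-addr.arpa.": ["www.abc.com."],
    "206.40.108.184.in-addr.arpa.": ["shared-host.example.net."],  # reverse does not name abc.com
}
ADDR_RECORDS = {
    "abc.com.": ["184.108.40.206"],
    "www.abc.com.": ["188.8.131.52"],
    "shared-host.example.net.": ["203.0.113.9"],
}

def check_example(ip):
    """Run FCrDNS for `ip` against the constructed tables."""
    return fcrdns(ip, lambda n: PTR_RECORDS.get(n, []), lambda h: ADDR_RECORDS.get(h, []))
```

check_example("188.8.131.52") confirms www.abc.com, because its A record points back at the IP; check_example("184.108.40.206") returns nothing, even though abc.com's forward record points there, because the PTR names a host whose address differs. During a sweep, treat an unconfirmed PTR as a hint about who owns the address range, not as the identity of the host.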
*** MX records: Mail Exchange records. They list the mail servers that accept mail for a domain, each with a preference value (lower is tried first).
*** TLD: Top Level Domains. They sit at the top of the domain hierarchy (.com, .net, .org, .edu, .gov).
*** Host: A zone contains many names. The owner of a domain can expose an individual service by creating a host name under the domain. For example, if “www.anydomain.com” offers an FTP or download service for its clients, it might serve that from another host name such as “downloads.anydomain.com”.
Information we can gain from DNS recon:
- NS (Name Server):
  - nslookup > set q=ns > target.com
  - dig target.com ns
  - NS records identify the authoritative (primary and secondary) name servers for a domain. That list tells us which servers to ask for a zone transfer.
- Host address (A for IPv4, AAAA for IPv6):
  - nslookup > set q=a > host.targetdomain.com
  - dig host.targetdomain.com a
  - dig host.targetdomain.com aaaa
  - An A record maps a host name to an IPv4 address (AAAA to an IPv6 address). Querying it returns the address or addresses for the name given, which hands the attacker an IP, or a set of IPs, to target.
- Reverse lookup (PTR):
  - nslookup > set q=ptr > 52.131.8.188.in-addr.arpa
  - dig -x 188.8.131.52 (dig builds the reversed in-addr.arpa name for you; dig 52.131.8.188.in-addr.arpa ptr is the long form)
  - A reverse (PTR) lookup returns the host name for a given IP. This is useful after a broad ping sweep or port scan, when we need to put names to the hosts that answered.
- Mail server (MX):
  - nslookup > set q=mx > target.com
  - dig target.com mx
  - The MX (Mail Exchange) lookup lists the mail servers for the target domain in preference order. These are the SMTP servers to probe next (banner grabbing, user enumeration, open-relay checks).
- Host information (HINFO):
  - nslookup > set q=hinfo > host.targetdomain.com
  - dig host.targetdomain.com hinfo
  - HINFO is rarely published any more, precisely because it describes the host's hardware and operating system, but some organisations still have it, so it is worth a try.
- TXT records (TXT):
  - nslookup > set q=txt > targetdomain.com
  - dig targetdomain.com txt
  - Unlike HINFO, TXT records are not deprecated: they carry SPF, DKIM and DMARC policies and domain-verification tokens, and they routinely reveal which cloud and SaaS providers a target uses and which hosts may send mail for it. Always query them.
- Services (SRV):
  - nslookup > set q=srv > _ldap._tcp.targetdomain.com
  - dig _ldap._tcp.targetdomain.com srv
  - SRV records map a service to the hosts and ports that provide it. They live under names of the form _service._proto.domain, so query those names (for example _ldap._tcp, _kerberos._tcp, _sip._tcp, _xmpp-server._tcp) rather than the bare domain; a hit tells you which services the target runs and on which hosts.
- Zone transfers:
  - nslookup > server ns1.target.com > ls -d target.com (the ls command exists only in the Windows nslookup)
  - dig @ns1.target.com target.com axfr
  - A zone transfer gives you the SOA, the name servers, every subdomain and host in the zone, almost everything you need, because the server treats you as a secondary asking the primary for a copy. A properly configured server restricts AXFR to its own secondaries or refuses it outright, so it should fail, but misconfigured servers still exist, so try it against every name server you found.
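An added example (not code from the original post) of what to do once a transfer succeeds: parse dig's AXFR dump into records, recognise the refused case, and turn the records into a target inventory (hosts with addresses, SRV endpoints, MX and NS, CNAME aliases, TXT, and any RFC 1918 addresses that leaked into the public zone). SAMPLE_AXFR and SAMPLE_REFUSED are constructed to look like dig output, not captured; the addresses are documentation ranges.

```python
import collections

# Constructed `dig @ns1.example.com example.com axfr` output (not captured);
# addresses are from the RFC 5737 / RFC 3849 documentation ranges.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.24 <<>> @ns1.example.com example.com axfr
; (1 server found)
;; global options: +cmd
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024031501 7200 900 1209600 3600
example.com.\t\t3600\tIN\tNS\tns1.example.com.
example.com.\t\t3600\tIN\tNS\tns2.example.com.
example.com.\t\t3600\tIN\tMX\t10 mail.example.com.
example.com.\t\t3600\tIN\tTXT\t"v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
www.example.com.\t300\tIN\tA\t192.0.2.10
mail.example.com.\t300\tIN\tA\t192.0.2.25
_ldap._tcp.example.com.\t300\tIN\tSRV\t0 100 389 dc1.example.com.
dc1.example.com.\t300\tIN\tA\t192.0.2.30
dc1.example.com.\t300\tIN\tAAAA\t2001:db8::30
intranet.example.com.\t300\tIN\tCNAME\twww.example.com.
vpn-test.example.com.\t300\tIN\tA\t10.20.30.40
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024031501 7200 900 1209600 3600
;; Query time: 12 msec
;; SERVER: 192.0.2.53#53(ns1.example.com) (TCP)
;; XFR size: 13 records (messages 1, bytes 412)
"""

SAMPLE_REFUSED = """\
; <<>> DiG 9.18.24 <<>> @ns2.example.com example.com axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.
"""

def parse_axfr(text):
    """Turn dig's AXFR dump into (owner, ttl, type, rdata) tuples;
    return None when the server refused the transfer."""
    if "Transfer failed" in text:
        return None
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):         # dig comments and headers
            continue
        fields = line.split(None, 4)                 # owner, ttl, class, type, rdata
        if len(fields) != 5 or fields[2] != "IN":
            continue
        rec = (fields[0], int(fields[1]), fields[3], fields[4])
        if rec not in records:                       # SOA appears twice (start/end marker)
            records.append(rec)
    return records

def is_rfc1918(ip):
    """10/8, 172.16/12 or 192.168/16 (documentation ranges are not private here)."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def inventory(records):
    """Group the zone into what a tester acts on next."""
    inv = {"hosts": collections.defaultdict(list), "services": [], "mx": [],
           "ns": [], "aliases": {}, "txt": [], "private_ips": []}
    for owner, _ttl, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            inv["hosts"][owner].append(rdata)
            if rtype == "A" and is_rfc1918(rdata):   # internal address in a public zone
                inv["private_ips"].append((owner, rdata))
        elif rtype == "SRV":
            _prio, _weight, port, target = rdata.split()
            inv["services"].append((owner, int(port), target))
        elif rtype == "MX":
            pref, host = rdata.split()
            inv["mx"].append((int(pref), host))
        elif rtype == "NS":
            inv["ns"].append(rdata)
        elif rtype == "CNAME":
            inv["aliases"][owner] = rdata
        elif rtype == "TXT":
            inv["txt"].append((owner, rdata.strip('"')))
    inv["hosts"] = dict(inv["hosts"])
    inv["mx"].sort()
    return inv
```

Run it over the real dump saved with dig @ns target.com axfr > zone.txt: the hosts dictionary becomes the scan list, the services list names ports to check first, and any private_ips entries are worth reporting on their own, since they map the internal network for anyone who can read the zone.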
Tools which help extract information from DNS servers:
- nslookup (Windows and Linux)
- dig (Domain Information Groper) (Kali Linux)
- host (Kali Linux)
- dnswalk (Kali Linux): performs a zone transfer and sanity-checks the zone data it receives; for wordlist-based subdomain and host discovery (take a list of candidate names and check which ones resolve) use dnsenum, dnsmap or fierce, also in Kali
- Sam Spade
- Demon Internet
- yougetsignal.com (reverse IP lookup: other domains hosted on the same IP)
>> nslookup -query=any google.com (asks for every record type at once; many servers now answer ANY with a minimal or refused response, so fall back to querying the individual types)
Other queries you can use:
For debugging (print the full request and response): nslookup -debug target.com
To set how long to wait for a reply, in seconds: nslookup -timeout=10 redhat.com
For a zone transfer against a particular name server IP: dig @ipaddress domain -t AXFR
Sources To Get More Information About DNS Servers:
Stay Anonymous 🙂