Pentesting DNS

Introduction

The first thing you do when pentesting DNS is figure out the target’s IP address. This is the recon phase, where the real work begins.

Once you have the IP address, you can dig deeper to find out more about the target’s network and the services it’s running on different ports.

After that, it’s all up to you how you want to go about Pentesting. Get creative with your approach!

Definition of DNS

A DNS server is like a translator for the internet. When you type a website name like “google.com” into your browser, the DNS server translates that name into a numerical IP address that computers understand.

For example, when you search for “google.com”, your request goes to a DNS server. The server figures out that “google.com” is located at a specific IP address. Then, your browser sends a request to that IP address, and the webpage comes back to your browser.

DNS servers handle things like keeping track of website names and their associated IP addresses. They also manage other important information, like where emails for a specific domain should be sent.

In simpler terms, DNS servers help your computer find and connect to websites by translating website names into computer-friendly IP addresses.

What is DNS Enumeration

When you ask a DNS server for different kinds of information, such as host names, IP addresses, mail servers and other DNS records, it’s called DNS interrogation (or DNS enumeration). You’re basically asking it questions about the things you need to know about a target on the internet.

Host

So, when you type in the terminal:

“The host tool resolves the domain (instagram.com) to these IP addresses:”

You’re basically asking the host tool to figure out the IP addresses associated with the domain “instagram.com.” It’s like asking it, “Hey, what are the numerical addresses for Instagram’s website?”

By default, the host tool prints the IPv4 address and the IPv6 address for a domain like instagram.com, plus the mail server associated with that domain.

If you’re only interested in specific details and don’t want everything that’s usually shown, you can restrict the query with host’s record-type flags. For example, if you’re specifically looking for the name servers of instagram.com, you can type:

The output lists the name servers that are authoritative for the domain, which tells you who Instagram uses as its DNS provider.

If you want to specifically search for the mail server associated with a domain, you can also specify that in your query.

You can also use the host command for reverse lookup.

For instance:

$ host (IP address of the domain name — in this case, instagram.com, which you found in the previous host lookup. See above.)

Nslookup

It’s a really powerful tool indeed!

For instance, you can use nslookup for a straightforward domain lookup like this:

To do a more thorough search, you can try something like this:

Dig

Dig is often called the DNS Swiss army knife because it’s incredibly versatile and useful for various DNS-related tasks.

If you want to specify the type of DNS record you’re interested in, you can do that too. Just specify the record type you’re looking for.

For a basic domain lookup using dig, you can just enter:

To see all the available options, simply type:

To look up IPv6 addresses, you can use the following command:

To look up CNAME records, you can use the following command:

To dig for the mail server, you can use the following command:

To perform a name server lookup, you can use the following command:

You can also shorten your lookup by simply typing:

You can also script with dig like this:

$ for ip in $(dig linkedin.com +short); do nmap -sC -sV -Pn "$ip"; done

This one-liner runs an Nmap scan against each address that dig returns for the domain “linkedin.com”.
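As an added example (not from the original post), here is a small POSIX shell helper for the loop above that also shows what the reverse lookup in the host section actually queries. When the name is a CNAME, `dig +short` prints the chain targets before the addresses, so the plain loop would hand hostnames to nmap; the filter keeps only IP literals and deduplicates them. The sample dig output and the 203.0.113.x / 2001:db8:: addresses are constructed documentation values.

```shell
# Constructed sample of what `dig <name> +short` returns when the name is a
# CNAME: the chain targets come first, then the resolved addresses.
SAMPLE_SHORT='www.example-cdn.net.
edge.example-cdn.net.
203.0.113.10
203.0.113.10
2001:db8::1'

# Keep only IPv4/IPv6 literals from `dig +short` output on stdin; drop CNAME
# target hostnames (nmap would otherwise resolve them again) and duplicates.
ips_only() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9a-fA-F:]*:[0-9a-fA-F:]*$' | sort -u
}

# The name a reverse lookup (host <ip> / dig -x <ip>) really asks for:
# the IPv4 octets reversed under in-addr.arpa, queried as a PTR record.
ptr_name() {
    echo "$1" | awk -F. '{ print $4"."$3"."$2"."$1".in-addr.arpa" }'
}

# Number of distinct addresses kept from the constructed sample.
count_sample_ips() {
    printf '%s\n' "$SAMPLE_SHORT" | ips_only | wc -l | tr -d ' '
}

# Live usage (not run here), the page's loop with the filter in place:
#   for ip in $(dig linkedin.com +short | ips_only); do nmap -sC -sV -Pn "$ip"; done
```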

Conclusion

In summary, DNS tools like host, dig, and nslookup are essential for querying and managing DNS information.

From basic lookups to advanced operations like querying specific record types or conducting network scans, these tools provide valuable insights into internet infrastructure.

They are indispensable for troubleshooting, security assessments, and exploring DNS intricacies.


FAQ

  1. What is DNS?
    DNS is like the internet’s phonebook. It turns website names (like google.com) into numbers that computers understand to help you reach the right place online.
  2. How does DNS work?
    When you type a website name, your computer asks a special server (DNS server) for the website’s number. Once it gets the number, your computer can connect to the website.
  3. What is a CNAME record?
    A CNAME record is like a nickname for a website. It lets different names lead to the same place online.
  4. What is an A record?
    An A record is like the direct phone number for a website. It links a website name to its specific number.
  5. What is an MX record?
    An MX record helps with email. It tells which server handles emails for a specific website.
  6. How do I change my DNS server?
    You can change your DNS server by adjusting settings on your computer or router. It’s like telling your device to use a different phonebook.