DNS Attacks
DNS Process
Server Type

Server Type
Description
DNS Root Server
The root servers serve the DNS root zone. They do not hold the final answers themselves; they know which name servers are authoritative for each top-level domain (TLD) and refer the resolver to them. A resolver contacts a root server at the start of an iterative lookup, when it has no cached referral for the TLD it needs, so the root is the entry point that ties the whole namespace together. The Internet Corporation for Assigned Names and Numbers (ICANN) coordinates the root server system. There are 13 root server names (a through m.root-servers.net), each served by many anycast instances around the globe.
Authoritative Nameserver
Authoritative name servers hold authority for a particular zone. They answer only queries for names within their zones, and their answers are binding (the AA flag in the response is set). For a name outside their zones they return a referral or refuse the query; it is then the resolver, not a root server, that continues the lookup elsewhere.
Non-authoritative Nameserver
Non-authoritative name servers are not responsible for a particular DNS zone. Instead, they obtain information about zones by querying other servers, recursively or iteratively, and pass it on without the AA flag set.
Caching DNS Server
Caching DNS servers store answers from other name servers for a limited time. The authoritative name server determines how long, via the TTL value it attaches to each record.
Forwarding Server
Forwarding servers perform only one function: they forward DNS queries to another DNS server.
Resolver
Resolvers (stub resolvers) are not authoritative DNS servers; they run locally on the computer or router and hand name resolution requests to a recursive server.
DNS Record
Description
A
Returns an IPv4 address of the requested domain as a result.
AAAA
Returns an IPv6 address of the requested domain.
MX
Returns the responsible mail servers as a result.
NS
Returns the DNS servers (nameservers) of the domain.
TXT
This record can hold arbitrary text and is used for many purposes, e.g., to prove control of a domain to the Google Search Console or to a certificate authority when a TLS certificate is issued. SPF and DMARC policies are also published as TXT records to authenticate mail senders and reduce spoofing and spam.
CNAME
This record serves as an alias for another name. If www.hackthebox.eu should point to the same IP as hackthebox.eu, we create an A record for hackthebox.eu and a CNAME record for www.hackthebox.eu that points at it. A name that owns a CNAME may hold no other records.
PTR
The PTR record works the other way around (reverse lookup): it maps an IP address to a domain name, using the in-addr.arpa (IPv4) or ip6.arpa (IPv6) namespace.
SOA
Provides information about the corresponding DNS zone and the email address of the administrative contact. The SOA record is located at the apex of a domain's zone file and specifies who is responsible for the zone (primary name server and contact mailbox) and how its data is managed (serial, refresh, retry, expire and negative-caching TTL).
Default Configuration
Local DNS Configuration
DNS servers such as BIND9 work with three different types of configuration files:
local DNS configuration files
zone files
reverse name resolution files
The DNS server BIND9 is very often used on Linux-based distributions.
Its local configuration file (named.conf) is roughly divided into two sections: firstly the options section for general settings, secondly the zone entries for the individual domains.
The local configuration files are usually:
named.conf.local
named.conf.options
named.conf.log
The configuration file named.conf is divided into several options that control the behaviour of the name server. A distinction is made between global options and zone options:
Global options are general and affect all zones.
A zone option only affects the zone to which it is assigned.
Options not listed in named.conf have default values.
If an option is set both globally and for a specific zone, the zone option takes precedence.
DNS ZONE EXAMPLE

Zone Files
Reverse Name Resolution Zone Files
Dangerous Settings
A DNS server can be attacked through vulnerabilities in the server software itself (BIND9 has a long history of security advisories, so keep it patched) and through permissive configuration. The options below are the ones most often misconfigured:
Option
Description
allow-query
Defines which hosts are allowed to send requests to the DNS server.
allow-recursion
Defines which hosts are allowed to send recursive requests to the DNS server. An open recursive resolver can be abused as an amplifier in DRDoS attacks.
allow-transfer
Defines which hosts are allowed to receive zone transfers (AXFR) from the DNS server. If set to any, anybody can download the complete zone, i.e. an inventory of all its hosts.
zone-statistics
Collects statistical data of zones.
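Added example (constructed, not configuration from the original notes or from any real deployment): a BIND9 setup for a hypothetical internal zone example.internal on 10.10.0.0/24, shown as three files one after another. The named.conf fragments place the permissive form of the options from the table above, commented out, next to the restricted form; the forward and reverse zone files that follow are the ones the Zone Files sections above refer to and use the record types from the record table. All names, addresses and the serial are made up.

```conf
// /etc/bind/named.conf.options   (constructed example, not the page's config)
options {
    directory "/var/cache/bind";

    // Weak: any host on the Internet may use this server as a recursive
    // resolver, which makes it usable as an amplifier in DRDoS attacks.
    // recursion yes;
    // allow-recursion { any; };

    // Restricted: recurse only for the internal network.
    recursion yes;
    allow-recursion { 127.0.0.1; 10.10.0.0/16; };
    allow-query     { any; };      // authoritative data may stay public

    // Global default for every zone; a zone-level allow-transfer overrides it.
    allow-transfer  { none; };
    zone-statistics yes;
};

// /etc/bind/named.conf.local
// Weak: "any" lets anybody dump the whole zone with one request
// (dig axfr @ns1.example.internal example.internal).
// zone "example.internal" {
//     type master;
//     file "/etc/bind/db.example.internal";
//     allow-transfer { any; };
// };

// Restricted: only the secondary name server may pull the zone.
zone "example.internal" {
    type master;
    file "/etc/bind/db.example.internal";
    allow-transfer { 10.10.0.3; };
};
zone "0.10.10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.10.10.0";
    allow-transfer { 10.10.0.3; };
};

; /etc/bind/db.example.internal   -- forward zone file
$TTL 86400                        ; default TTL: how long caches may keep a record
$ORIGIN example.internal.
@        IN  SOA   ns1.example.internal. hostmaster.example.internal. (
                   2024051001    ; serial, increment on every change
                   3600          ; refresh
                   900           ; retry
                   1209600       ; expire
                   300 )         ; negative-caching TTL
         IN  NS    ns1.example.internal.
         IN  NS    ns2.example.internal.
         IN  MX    10 mail.example.internal.
         IN  TXT   "v=spf1 mx -all"
ns1      IN  A     10.10.0.2
ns2      IN  A     10.10.0.3
mail     IN  A     10.10.0.10
www      IN  A     10.10.0.20
www      IN  AAAA  fd00:10:10::20
intranet IN  CNAME www.example.internal.   ; alias; no other records may share this name
_dmarc   IN  TXT   "v=DMARC1; p=reject; rua=mailto:dmarc@example.internal"

; /etc/bind/db.10.10.0   -- reverse zone file for 10.10.0.0/24
$TTL 86400
$ORIGIN 0.10.10.in-addr.arpa.
@        IN  SOA   ns1.example.internal. hostmaster.example.internal. (
                   2024051001 3600 900 1209600 300 )
         IN  NS    ns1.example.internal.
         IN  NS    ns2.example.internal.
2        IN  PTR   ns1.example.internal.
3        IN  PTR   ns2.example.internal.
10       IN  PTR   mail.example.internal.
20       IN  PTR   www.example.internal.
```

With the weak zone stanza in place, dig axfr @ns1.example.internal example.internal returns the entire forward zone, exactly the host inventory an attacker wants; with the restricted form the same request from any host other than 10.10.0.3 is answered with REFUSED. Set allow-transfer explicitly rather than relying on the default, and run named-checkconf and named-checkzone example.internal /etc/bind/db.example.internal before reloading.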
Types of DNS attacks
Domain hijacking
DNS flood attack
Distributed Reflection Denial of Service (DRDoS)
Cache poisoning
DNS tunnelling
DNS hijack attack
Random subdomain attack
NXDOMAIN attack
Phantom domain attack
Commands
DIG Commands
dig domain.com
Performs a default A record lookup for the domain.
dig domain.com A
Retrieves the IPv4 address (A record) associated with the domain.
dig domain.com AAAA
Retrieves the IPv6 address (AAAA record) associated with the domain.
dig domain.com MX
Finds the mail servers (MX records) responsible for the domain.
dig domain.com NS
Identifies the authoritative name servers for the domain.
dig domain.com TXT
Retrieves any TXT records associated with the domain.
dig domain.com CNAME
Retrieves the canonical name (CNAME) record for the domain.
dig domain.com SOA
Retrieves the start of authority (SOA) record for the domain.
dig @1.1.1.1 domain.com
Queries a specific name server instead of the system resolver; here 1.1.1.1.
dig +trace domain.com
Shows the full path of DNS resolution.
dig -x 192.168.1.1
Performs a reverse lookup on the IP address 192.168.1.1 to find the associated host name. You may need to specify a name server.
dig +short domain.com
Provides a short, concise answer to the query.
dig +noall +answer domain.com
Displays only the answer section of the query output.
dig domain.com ANY
Retrieves all available DNS records for the domain (Note: Many DNS servers ignore ANY queries to reduce load and prevent abuse, as per RFC 8482).
DIG - NS Query
DIG - Version Query
DIG - ANY Query
Zone Transfer
DNS subdomain bruteforce
dnsenum
Result
gobuster
Dns Recon
Whois
Host
The host utility can be used to query records from a DNS server.
Nslookup
dns-nsid
Retrieves information from a DNS nameserver by requesting its nameserver ID (nsid) and asking for its id.server and version.bind values
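Added example (stdlib-only Python written for these notes; it is not code from the original page nor from dig, nmap or dns-nsid): a small encoder and parser for the DNS wire format. It shows what a resolver actually sends and receives in the process described in the Server Type table, in particular the AA flag that separates an authoritative answer from a non-authoritative one and the TTL that sets how long a cache may keep a record, and it builds the CHAOS-class version.bind query that the version query above and nmap's dns-nsid script rely on. The hostnames, addresses, version string and response bytes are constructed inline so the script runs offline.

```python
# Minimal DNS wire-format encoder/decoder (RFC 1035) using only the stdlib.
# Added example for these notes, not code from the original page; all names,
# addresses, version strings and response bytes are constructed inline.
import ipaddress
import struct

TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
         16: "TXT", 28: "AAAA", 252: "AXFR", 255: "ANY"}
CLASS_IN, CLASS_CHAOS = 1, 3


def encode_name(name):
    """'www.example.internal' -> length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, qclass=CLASS_IN, txid=0x1234, rd=True):
    """One-question query; a stub resolver sets RD, an iterative resolver does not."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it).
    Pointers must point backwards and are hop-limited, so a hostile reply
    cannot send the parser into an endless loop."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset or hops > 16:
                raise ValueError("bad compression pointer")
            end = offset + 2 if end is None else end
            offset, hops = pointer, hops + 1
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def decode_rdata(data, rtype, start, length):
    if rtype in (1, 28):                              # A / AAAA: packed address
        cls = ipaddress.IPv4Address if rtype == 1 else ipaddress.IPv6Address
        return str(cls(data[start:start + length]))
    if rtype in (2, 5, 12):                           # NS / CNAME / PTR: a name
        return decode_name(data, start)[0]
    if rtype == 15:                                   # MX: (preference, exchange)
        return struct.unpack("!H", data[start:start + 2])[0], decode_name(data, start + 2)[0]
    if rtype == 16:                                   # TXT: <len><chars> strings
        strings, pos = [], start
        while pos < start + length:
            n = data[pos]
            strings.append(data[pos + 1:pos + 1 + n].decode("ascii", "replace"))
            pos += 1 + n
        return strings
    return data[start:start + length]                 # anything else: raw bytes


def parse_response(data):
    """Header flags plus question and answer sections (authority/additional skipped)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    msg = {"id": txid, "qr": bool(flags & 0x8000),
           "aa": bool(flags & 0x0400),               # only an authoritative server sets AA
           "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
           "rcode": flags & 0xF,                     # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
           "questions": [], "answers": []}
    pos = 12
    for _ in range(qd):
        name, pos = decode_name(data, pos)
        qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        msg["questions"].append((name, TYPES.get(qtype, qtype), qclass))
    for _ in range(an):
        name, pos = decode_name(data, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        msg["answers"].append({"name": name, "type": TYPES.get(rtype, rtype),
                               "class": rclass, "ttl": ttl,   # TTL = max cache lifetime
                               "rdata": decode_rdata(data, rtype, pos, rdlen)})
        pos += rdlen
    return msg


# Constructed authoritative reply to "www.example.internal A": flags 0x8500 =
# QR|AA|RD, no RA. The answer owner name is the pointer 0xC00C to the question.
AUTH_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 1, 0, 0)
                 + encode_name("www.example.internal") + struct.pack("!HH", 1, CLASS_IN)
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, CLASS_IN, 3600, 4) + bytes([10, 10, 0, 20]))

# Constructed CHAOS-class reply to "version.bind TXT", the query behind
# `dig @ns version.bind CHAOS TXT` and nmap's dns-nsid; the version is made up.
VERSION_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 1, 0, 0)
                    + encode_name("version.bind") + struct.pack("!HH", 16, CLASS_CHAOS)
                    + b"\xc0\x0c" + struct.pack("!HHIH", 16, CLASS_CHAOS, 0, 7) + bytes([6]) + b"9.16.1")


def version_string(response):
    """The version.bind TXT value, or None when the server does not disclose it."""
    for rr in parse_response(response)["answers"]:
        if rr["type"] == "TXT" and rr["class"] == CLASS_CHAOS:
            return rr["rdata"][0]
    return None
```

A real lookup sends the bytes from build_query over UDP port 53 and feeds the reply to parse_response; a truncated reply (TC set) or a zone transfer (type AXFR) has to be repeated over TCP. An answer from a recursive resolver's cache arrives with RA set and AA clear, and its TTL counts down from what the authoritative server originally set. The backwards-only, hop-limited pointer check in decode_name is the detail that keeps a parser from being looped or crashed by a hostile server's response.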
Reference
https://www.cloudflare.com/en-gb/learning/dns/glossary/dns-zone/
https://securitytrails.com/blog/most-popular-types-dns-attacks