# DNS Attacks ## DNS Process

### Server Type

| **Server Type** | **Description** | | ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `DNS Root Server` | The root servers of the DNS are responsible for the top-level domains (`TLD`). As the last instance, they are only requested if the name server does not respond. Thus, a root server is a central interface between users and content on the Internet, as it links domain and IP address. The [Internet Corporation for Assigned Names and Numbers](https://www.icann.org/) (`ICANN`) coordinates the work of the root name servers. There are `13` such root servers around the globe. | | `Authoritative Nameserver` | Authoritative name servers hold authority for a particular zone. They only answer queries from their area of responsibility, and their information is binding. If an authoritative name server cannot answer a client's query, the root name server takes over at that point. | | `Non-authoritative Nameserver` | Non-authoritative name servers are not responsible for a particular DNS zone. Instead, they collect information on specific DNS zones themselves, which is done using recursive or iterative DNS querying. | | `Caching DNS Server` | Caching DNS servers cache information from other name servers for a specified period. The authoritative name server determines the duration of this storage. | | `Forwarding Server` | Forwarding servers perform only one function: they forward DNS queries to another DNS server. | | `Resolver` | Resolvers are not authoritative DNS servers but perform name resolution locally in the computer or router. | | | | | **DNS Record** | **Description** | | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `A` | Returns an IPv4 address of the requested domain as a result. | | `AAAA` | Returns an IPv6 address of the requested domain. | | `MX` | Returns the responsible mail servers as a result. | | `NS` | Returns the DNS servers (nameservers) of the domain. | | `TXT` | This record can contain various information. The all-rounder can be used, e.g., to validate the Google Search Console or validate SSL certificates. In addition, SPF and DMARC entries are set to validate mail traffic and protect it from spam. | | `CNAME` | This record serves as an alias. If the domain [www.hackthebox.eu](http://www.hackthebox.eu) should point to the same IP, and we create an A record for one and a CNAME record for the other. | | `PTR` | The PTR record works the other way around (reverse lookup). It converts IP addresses into valid domain names. | | `SOA` | Provides information about the corresponding DNS zone and email address of the administrative contact. | * The `SOA` record is located in a domain's zone file and specifies who is responsible for the operation of the domain and how DNS information for the domain is managed. ```shell-session dig soa www.inlanefreight.com ``` ```shell-session ; <<>> DiG 9.16.27-Debian <<>> soa www.inlanefreight.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15876 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;www.inlanefreight.com. IN SOA ;; AUTHORITY SECTION: inlanefreight.com. 900 IN SOA ns-161.awsdns-20.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 ;; Query time: 16 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Thu Jan 05 12:56:10 GMT 2023 ;; MSG SIZE rcvd: 128 ``` ### Default Configuration #### Local DNS Configuration ```shell-session cat /etc/bind/named.conf.local ``` ```shell-session // // Do any local configuration here // // Consider adding the 1918 zones here, if they are not used in your // organization //include "/etc/bind/zones.rfc1918"; zone "domain.com" { type master; file "/etc/bind/db.domain.com"; allow-update { key rndc-key; }; }; ``` * All DNS servers work with three different types of configuration files: 1. local DNS configuration files 2. zone files 3. reverse name resolution files * The DNS server [Bind9](https://www.isc.org/bind/) is very often used on Linux-based distributions. * Its local configuration file (`named.conf`) is roughly divided into two sections, * firstly the options section for general settings * secondly the zone entries for the individual domains. * The local configuration files are usually: * `named.conf.local` * `named.conf.options` * `named.conf.log` * The configuration file `named.conf` is divided into several options that control the behavior of the name server. * A distinction is made between `global options` and `zone options` * Global options * are general and affect all zones * A zone option * only affects the zone to which it is assigned * Options not listed in named.conf have default values. * If an option is both global and zone-specific, * then the zone option takes precedence #### DNS ZONE EXAMPLE

**Zone Files** ```shell-session cat /etc/bind/db.domain.com ``` ```shell-session ; ; BIND reverse data file for local loopback interface ; $ORIGIN domain.com $TTL 86400 @ IN SOA dns1.domain.com. hostmaster.domain.com. ( 2001062501 ; serial 21600 ; refresh after 6 hours 3600 ; retry after 1 hour 604800 ; expire after 1 week 86400 ) ; minimum TTL of 1 day IN NS ns1.domain.com. IN NS ns2.domain.com. IN MX 10 mx.domain.com. IN MX 20 mx2.domain.com. IN A 10.129.14.5 server1 IN A 10.129.14.5 server2 IN A 10.129.14.7 ns1 IN A 10.129.14.2 ns2 IN A 10.129.14.3 ftp IN CNAME server1 mx IN CNAME server1 mx2 IN CNAME server2 www IN CNAME server2 ``` **Reverse Name Resolution Zone Files** ```shell-session cat /etc/bind/db.10.129.14 ``` ```shell-session ; ; BIND reverse data file for local loopback interface ; $ORIGIN 14.129.10.in-addr.arpa $TTL 86400 @ IN SOA dns1.domain.com. hostmaster.domain.com. ( 2001062501 ; serial 21600 ; refresh after 6 hours 3600 ; retry after 1 hour 604800 ; expire after 1 week 86400 ) ; minimum TTL of 1 day IN NS ns1.domain.com. IN NS ns2.domain.com. 5 IN PTR server1.domain.com. 7 IN MX mx.domain.com. ...SNIP... ``` ### Dangerous Settings * DNS server can be attacked * bind9 has vulnerabilities | **Option** | **Description** | | ----------------- | ------------------------------------------------------------------------------ | | `allow-query` | Defines which hosts are allowed to send requests to the DNS server. | | `allow-recursion` | Defines which hosts are allowed to send recursive requests to the DNS server. | | `allow-transfer` | Defines which hosts are allowed to receive zone transfers from the DNS server. | | `zone-statistics` | Collects statistical data of zones. | ### Types of DNS attacks * Domain hijacking * DNS flood attack * Distributed Reflection Denial of Service (DRDoS) * Cache poisoning * DNS tunnelling * DNS hijack attack * Random subdomain attack * NXDOMAIN attack * Phantom domain attack * [Reference](https://securitytrails.com/blog/most-popular-types-dns-attacks) ## Commands ### DIG Commands | Command | Description | | ------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `dig domain.com` | Performs a default A record lookup for the domain. | | `dig domain.com A` | Retrieves the IPv4 address (A record) associated with the domain. | | `dig domain.com AAAA` | Retrieves the IPv6 address (AAAA record) associated with the domain. | | `dig domain.com MX` | Finds the mail servers (MX records) responsible for the domain. | | `dig domain.com NS` | Identifies the authoritative name servers for the domain. | | `dig domain.com TXT` | Retrieves any TXT records associated with the domain. | | `dig domain.com CNAME` | Retrieves the canonical name (CNAME) record for the domain. | | `dig domain.com SOA` | Retrieves the start of authority (SOA) record for the domain. | | `dig @1.1.1.1 domain.com` | Specifies a specific name server to query; in this case 1.1.1.1 | | `dig +trace domain.com` | Shows the full path of DNS resolution. | | `dig -x 192.168.1.1` | Performs a reverse lookup on the IP address 192.168.1.1 to find the associated host name. You may need to specify a name server. | | `dig +short domain.com` | Provides a short, concise answer to the query. | | `dig +noall +answer domain.com` | Displays only the answer section of the query output. | | `dig domain.com ANY` | Retrieves all available DNS records for the domain (Note: Many DNS servers ignore `ANY` queries to reduce load and prevent abuse, as per [RFC 8482](https://datatracker.ietf.org/doc/html/rfc8482)). | #### DIG - NS Query ```shell-session dig ns inlanefreight.htb @10.129.14.128 ``` ```shell-session ; <<>> DiG 9.16.1-Ubuntu <<>> ns inlanefreight.htb @10.129.14.128 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45010 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: ce4d8681b32abaea0100000061475f73842c401c391690c7 (good) ;; QUESTION SECTION: ;inlanefreight.htb. IN NS ;; ANSWER SECTION: inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb. ;; ADDITIONAL SECTION: ns.inlanefreight.htb. 604800 IN A 10.129.34.136 ;; Query time: 0 msec ;; SERVER: 10.129.14.128#53(10.129.14.128) ;; WHEN: So Sep 19 18:04:03 CEST 2021 ;; MSG SIZE rcvd: 107 ``` #### DIG - Version Query ```shell-session dig CH TXT version.bind 10.129.120.85 ``` ```shell-session ; <<>> DiG 9.10.6 <<>> CH TXT version.bind ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47786 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; ANSWER SECTION: version.bind. 0 CH TXT "9.10.6-P1" ;; ADDITIONAL SECTION: version.bind. 0 CH TXT "9.10.6-P1-Debian" ;; Query time: 2 msec ;; SERVER: 10.129.120.85#53(10.129.120.85) ;; WHEN: Wed Jan 05 20:23:14 UTC 2023 ;; MSG SIZE rcvd: 101 ``` #### DIG - ANY Query ```shell-session dig any inlanefreight.htb @10.129.14.128 ``` ```shell-session ; <<>> DiG 9.16.1-Ubuntu <<>> any inlanefreight.htb @10.129.14.128 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7649 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 064b7e1f091b95120100000061476865a6026d01f87d10ca (good) ;; QUESTION SECTION: ;inlanefreight.htb. IN ANY ;; ANSWER SECTION: inlanefreight.htb. 604800 IN TXT "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all" inlanefreight.htb. 604800 IN TXT "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU" inlanefreight.htb. 604800 IN TXT "MS=ms97310371" inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800 inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb. ;; ADDITIONAL SECTION: ns.inlanefreight.htb. 604800 IN A 10.129.34.136 ;; Query time: 0 msec ;; SERVER: 10.129.14.128#53(10.129.14.128) ;; WHEN: So Sep 19 18:42:13 CEST 2021 ;; MSG SIZE rcvd: 437 ``` ### Zone Transfer * [DNS Zone Transfer Attack](/cybersecurity/dns-attacks/dns-zone-transfer-attack.md) ### DNS subdomain bruteforce ```shell-session for sub in $(cat /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done ``` #### dnsenum ``` dnsenum megacorpone.com ``` ```shell-session dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb ``` **Result** ```shell-session dnsenum VERSION:1.2.6 ----- inlanefreight.htb ----- Host's addresses: __________________ Name Servers: ______________ ns.inlanefreight.htb. 604800 IN A 10.129.34.136 Mail (MX) Servers: ___________________ Trying Zone Transfers and getting Bind Versions: _________________________________________________ unresolvable name: ns.inlanefreight.htb at /usr/bin/dnsenum line 900 thread 1. Trying Zone Transfer for inlanefreight.htb on ns.inlanefreight.htb ... AXFR record query failed: no nameservers Brute forcing with /home/cry0l1t3/Pentesting/SecLists/Discovery/DNS/subdomains-top1million-110000.txt: _______________________________________________________________________________________________________ ns.inlanefreight.htb. 604800 IN A 10.129.34.136 mail1.inlanefreight.htb. 604800 IN A 10.129.18.201 app.inlanefreight.htb. 604800 IN A 10.129.18.15 ns.inlanefreight.htb. 604800 IN A 10.129.34.136 ...SNIP... done. ``` #### gobuster ```bash gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt ``` #### Dns Recon ``` dnsrecon -d megacorpone.com -t std ``` #### Whois ``` whois wehost.co.in ``` #### Host ``` host wehost.co.in ``` * can be used to query data from dns server ``` host -t txt megacorpone.com ``` #### Nslookup ``` nslookup mail.megacorptwo.com ``` ### dns-nsid * Retrieves information from a DNS nameserver by requesting its nameserver ID (nsid) and asking for its id.server and version.bind values ``` nmap -sSU -p 53 --script dns-nsid ``` ## Reference * * --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.wehost.co.in/cybersecurity/dns-attacks.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.