DNS (53)

Domain Name System.

Protocol Information

DNS is responsible for translating human-readable hostnames into machine-readable IP addresses, and vice versa.

A DNS recursive resolver is activated, which makes several requests to:

  • Root Name Server (there are 13)

  • Top Level Domain (.com, .it, CountryCode, etc.)

  • Authoritative Name Server (example.com)

DNS records provide specific information:

  • NS : Returns the DNS servers (name servers) of the domain, i.e. the authoritative name servers responsible for the zone.

  • A : Hostname to IPv4.

  • AAAA : Hostname to IPv6.

  • PTR : IP to hostname.

  • CNAME : Associates an alias with a hostname that itself has an A record, e.g., an A record for hackthebox.eu and a CNAME for www.hackthebox.eu.

  • MX : Mail Exchange, identifies hosts that will accept emails for a specific host. Returns the responsible mail servers.

  • TXT : Contains various textual information.

  • ANY : Requests all records, but RFC 8482 specifies that such queries would be dropped, so servers might not respond.

  • SOA : Provides information about the corresponding DNS zone and the e-mail address of the administrative contact. The SOA record is found in a domain's zone file and specifies who is responsible for operating the domain and how DNS information for the domain is managed. The dot (.) is replaced by an at sign (@) in the email address.
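As an added example (not from the original page), this minimal Python parser reads the SOA record described above from a constructed response. It shows that the administrative contact travels on the wire as a domain name whose first label is the mailbox local part, and it guards against compression-pointer loops. The function names and sample values (ns1.example.com, hostmaster, serial 2024010101) are assumptions for illustration.

```python
import struct

def read_name(msg, off):
    """Decode a possibly compressed name; return (labels, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:          # compression pointer (RFC 1035, 4.1.4)
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                    # malformed or hostile message
                raise ValueError("compression pointer loop")
        elif length == 0:                    # root label terminates the name
            return labels, (end if end is not None else off + 1)
        else:
            labels.append(msg[off + 1: off + 1 + length])
            off += 1 + length

def rname_to_email(labels):
    """First label is the mailbox local part; the remaining labels are the domain."""
    return (labels[0] + b"@" + b".".join(labels[1:])).decode("ascii")

def parse_soa(msg):
    """Return zone, primary name server, contact and serial of the first SOA answer."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the question section
        _, off = read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 6:                       # SOA
            mname, p = read_name(msg, off)
            rname, p = read_name(msg, p)
            serial = struct.unpack("!I", msg[p:p + 4])[0]
            return {"zone": b".".join(owner).decode(), "serial": serial,
                    "mname": b".".join(mname).decode(),
                    "contact": rname_to_email(rname)}
        off += rdlen
    return None

def sample_response():
    """Constructed SOA response for example.com (not captured traffic)."""
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 6, 1)
    rdata = (b"\x03ns1\xc0\x0c" + b"\x0ahostmaster\xc0\x0c"
             + struct.pack("!5I", 2024010101, 7200, 3600, 1209600, 300))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 3600, len(rdata)) + rdata
    return struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 0) + question + answer
```

A local part that itself contains a dot stays inside the first label, so `rname_to_email([b"john.doe", b"example", b"com"])` yields `john.doe@example.com`.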

Port

  • 53 UDP: DNS (unencrypted)

  • 53 TCP: DNS (encrypted)

Config File

The hosts file is located at:

  • Windows: C:\Windows\System32\drivers\etc\hosts

  • Linux and macOS: /etc/hosts

Bind9

  • /etc/bind/named.conf.local

  • /etc/bind/named.conf.options

  • /etc/bind/named.conf.log

Interact

host -t <TYPE> <DOMAIN> [<DNS_SERVER>]
nslookup -query=<TYPE> <DOMAIN> [<DNS_SERVER>] 
nslookup -type=<TYPE> <DOMAIN> [<DNS_SERVER>]
dig <TYPE> <DOMAIN> [@<DNS_SERVER>]

Attacks
