DNS - 53
- domain name -> IP addresses
- DNS Server types:

- DNS resolving IPs:

- DNS Records Explained:

Zone transfer refers to the transfer of zones to another server in DNS, which generally happens over TCP port 53.
- This procedure is abbreviated Asynchronous Full Transfer Zone (AXFR)
- Done using a secret `rndc-key`
Default Config:
- DNS servers work with three different types of configuration files:
- local DNS configuration files
- zone files
- reverse name resolution files
- DNS Server `bind9` is used on Linux
- The `named.conf` file is used for settings and zone entries
Dangerous Settings:

- attacks *
Commands:
- `dnsenum --enum <target.com> -f /opt/SecLists/Discovery/DNS -r`
- `dig soa <IP>` - In the authority section - The dot (.) is replaced by an at sign (@) in the email address.
- `dig ns inlanefreight.htb @10.129.14.128` - @IP -
- `dig CH TXT version.bind @10.129.120.85` - find the DNS server's version using a class CHAOS query and type TXT, if the entry exists on the DNS server
- `dig any inlanefreight.htb @10.129.14.128` - view all available records
- `dig axfr inlanefreight.htb @10.129.14.128` - AXFR Zone transfer
- `dig axfr internal.inlanefreight.htb @10.129.14.128` - AXFR Internal Zone Transfer
Zone Transfer is the complete copy of all the main and sub domains from one name server to another.
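
Added example (not part of the original notes): a defender-side check of a `named.conf` for the setting that decides whether the `dig axfr` requests above are answered. It reads BIND's `allow-transfer` option per zone, falling back to the `options` block. The sample configuration and the zone `dev.inlanefreight.htb` are constructed, and the parser assumes no `view` blocks or nested ACL braces.

```python
import re

# Constructed named.conf excerpt, trimmed to the statements the check reads.
# The secret is a placeholder, not a real key.
SAMPLE_CONF = '''
options { allow-transfer { none; }; };   // global default
key "rndc-key" { algorithm hmac-sha256; secret "PLACEHOLDER=="; };
zone "inlanefreight.htb" {
    type master;
    allow-transfer { any; };             # overrides the global ACL
};
zone "internal.inlanefreight.htb" { type master; allow-transfer { key rndc-key; }; };
zone "dev.inlanefreight.htb" { type master; };
'''

def block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in configuration")

def transfer_acl(body):
    """ACL elements of an allow-transfer statement in this block, or None if unset."""
    m = re.search(r'allow-transfer\s*\{([^}]*)\}', body)
    return None if m is None else [e.strip() for e in m.group(1).split(';') if e.strip()]

def audit(conf):
    """Map each zone name to a verdict on who may request a zone transfer."""
    text = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)   # strip /* ... */ comments
    text = re.sub(r'(//|#)[^\n]*', '', text)            # strip // and # comments
    opts = re.search(r'\boptions\s*\{', text)
    global_acl = transfer_acl(block_body(text, opts.end() - 1)) if opts else None
    verdicts = {}
    for z in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', text):
        acl = transfer_acl(block_body(text, z.end() - 1))
        if acl is None:
            acl = global_acl                            # zone inherits options-level ACL
        if acl is None:
            verdicts[z.group(1)] = "UNSET: built-in default applies, check BIND version"
        elif "any" in acl:
            verdicts[z.group(1)] = "OPEN: any host can request AXFR"
        else:
            verdicts[z.group(1)] = "restricted: " + "; ".join(acl)
    return verdicts

if __name__ == "__main__":
    for zone, verdict in audit(SAMPLE_CONF).items():
        print(f"{zone:30} {verdict}")
```

A zone reported as OPEN is one where the AXFR commands in these notes would return the full zone; limiting `allow-transfer` to a TSIG key or to the secondary servers' addresses closes it.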
- Subdomain brute forcing using SecLists:
  `for sub in $(cat /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt); do dig $sub.inlanefreight.htb @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt; done`
- Subdomain brute forcing using dnsenum:
  `dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt inlanefreight.htb`