# **Basic Information**
According to [HTB Academy](https://academy.hackthebox.com/module/112/section/1069):
> `Domain Name System` (`DNS`) is an integral part of the Internet. For example, through domain names, such as [academy.hackthebox.com](https://academy.hackthebox.com/) or [www.hackthebox.com](https://www.hackthebox.eu/), we can reach the web servers that the hosting provider has assigned one or more specific IP addresses. DNS is a system for resolving computer names into IP addresses, and it does not have a central database. Simplified, we can imagine it like a library with many different phone books. The information is distributed over many thousands of name servers. Globally distributed DNS servers translate domain names into IP addresses and thus control which server a user can reach via a particular domain. There are several types of DNS servers that are used worldwide:

| **Server Type** | **Description** |
| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `DNS Root Server` | The root servers of the DNS are responsible for the top-level domains (`TLD`). As the last instance, they are only requested if the name server does not respond. Thus, a root server is a central interface between users and content on the Internet, as it links domain and IP address. The [Internet Corporation for Assigned Names and Numbers](https://www.icann.org/) (`ICANN`) coordinates the work of the root name servers. There are `13` such root servers around the globe. |
| `Authoritative Nameserver` | Authoritative name servers hold authority for a particular zone. They only answer queries from their area of responsibility, and their information is binding. If an authoritative name server cannot answer a client's query, the root name server takes over at that point. Based on the country, company, etc., authoritative nameservers provide answers to recursive DNS nameservers, assisting in finding the specific web server(s). |
| `Non-authoritative Nameserver` | Non-authoritative name servers are not responsible for a particular DNS zone. Instead, they collect information on specific DNS zones themselves, which is done using recursive or iterative DNS querying. |
| `Caching DNS Server` | Caching DNS servers cache information from other name servers for a specified period. The authoritative name server determines the duration of this storage. |
| `Forwarding Server` | Forwarding servers perform only one function: they forward DNS queries to another DNS server. |
| `Resolver` | Resolvers are not authoritative DNS servers but perform name resolution locally in the computer or router. |
> Different `DNS records` are used for the DNS queries, which all have various tasks. Moreover, separate entries exist for different functions since we can set up mail servers and other servers for a domain.

| **DNS Record** | **Description** |
| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `A` | Returns an IPv4 address of the requested domain as a result. |
| `AAAA` | Returns an IPv6 address of the requested domain. |
| `MX` | Returns the responsible mail servers as a result. |
| `NS` | Returns the DNS servers (nameservers) of the domain. |
| `TXT` | This record can contain various information. The all-rounder can be used, e.g., to validate the Google Search Console or validate SSL certificates. In addition, SPF and DMARC entries are set to validate mail traffic and protect it from spam. |
| `CNAME` | This record serves as an alias for another domain name. If you want the domain www.hackthebox.eu to point to the same IP as hackthebox.eu, you would create an A record for hackthebox.eu and a CNAME record for www.hackthebox.eu. |
| `PTR` | The PTR record works the other way around (reverse lookup). It converts IP addresses into valid domain names. |
| `SOA` | Provides information about the corresponding DNS zone and email address of the administrative contact. |
```bash
# view configuration file, for Bind9
cat /etc/bind/named.conf.local
cat /etc/bind/named.conf.options
cat /etc/bind/named.conf.log
```
# **Enumeration**
- To perform subdomain enumeration reference [[Subdomain Enumeration]]
- Obtain the target DNS server IP by referencing the NS record for the target domain
## **Scanning**
```bash
```
## **Query Records**
```bash
# query SOA record
# admin email is in the form of user.domain.com -> user@domain.com
dig soa <target_domain> @<target_dns_server>
# query ns record
dig ns <target_domain> @<target_dns_server>
# query DNS server's version (CHAOS class; many servers hide or spoof this)
dig CH TXT version.bind @<target_ip>
# query all available records
dig any <target_domain> @<target_dns_server>
# perform AXFR zone transfer, this can leak internal IPs
dig axfr <target_domain> @<target_dns_server>
```
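Added example (not from these notes or HTB Academy): a POSIX shell helper that decodes the SOA `RNAME` field into a mailbox address, going beyond the note above by handling the `\.` escape RFC 1035 uses for dots in the local part, and that pulls the primary NS, contact and serial out of one `dig +short soa` answer line. The `SAMPLE_SOA` line is constructed, not captured from a real server.

```bash
#!/bin/sh
# Added example: decode the SOA administrative contact and summarise one
# `dig +short soa <domain>` answer line. SAMPLE_SOA below is constructed.

# RFC 1035 RNAME encoding: the first unescaped dot separates the mailbox
# local part from the domain; a literal dot in the local part is written "\.".
#   admin.example.com.           -> admin@example.com
#   hostmaster\.ops.example.com. -> hostmaster.ops@example.com
rname_to_email() {
    printf '%s\n' "$1" | awk '{
        s = $0
        sub(/\.$/, "", s)                  # drop the trailing root dot
        lp = ""; i = 1
        while (i <= length(s)) {
            c = substr(s, i, 1)
            if (c == "\\" && substr(s, i + 1, 1) == ".") {   # escaped dot
                lp = lp "."; i += 2; continue
            }
            if (c == ".") break            # first unescaped dot ends local part
            lp = lp c; i++
        }
        print lp "@" substr(s, i + 1)
    }'
}

# One line of `dig +short soa <domain>` output has the fields:
#   MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
soa_primary() { set -- $1; printf '%s\n' "$1"; }    # primary master NS
soa_contact() { set -- $1; rname_to_email "$2"; }   # admin mailbox
soa_serial()  { set -- $1; printf '%s\n' "$3"; }    # zone serial (often YYYYMMDDnn)

# Constructed sample standing in for `dig +short soa example.com`
SAMPLE_SOA='ns1.example.com. hostmaster\.ops.example.com. 2024050101 7200 900 1209600 3600'

printf 'primary ns : %s\n' "$(soa_primary "$SAMPLE_SOA")"
printf 'contact    : %s\n' "$(soa_contact "$SAMPLE_SOA")"
printf 'serial     : %s\n' "$(soa_serial  "$SAMPLE_SOA")"
```

Pipe a live answer in with `soa_contact "$(dig +short soa <target_domain> @<target_dns_server>)"`; a contact that decodes to a role mailbox on a third-party domain often indicates outsourced DNS hosting.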
# **References**
# **Practical Application**
| Platform | Name | Notes |
| -------- | ---- | ----- |
| | | |