DNS - Port 53

Support VeryLazyTech 🎉

Become VeryLazyTech member! 🎁
Follow us on Twitter @VeryLazyTech, Github @VeryLazyTech, and Medium @VeryLazyTech.
Visit our shop for e-books and courses. 📚
Support us and buy me a coffee. ☕

Basic info

DNS (Domain Name System) is a critical protocol that acts as the internet's directory. It translates human-readable domain names like example.com into IP addresses, allowing browsers to connect to web services. Due to its essential role in internet functionality, DNS servers are common attack targets.

Default port: 53

PORT     STATE SERVICE  REASON
53/tcp   open  domain  Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
5353/udp open  zeroconf udp-response
53/udp   open  domain  Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)

Key DNS Concepts

DNS Root Servers: The highest level in the DNS hierarchy, maintaining top-level domain information.
Authoritative Nameservers: Provide definitive answers about domain zones they manage.
Caching DNS Servers: Temporarily store DNS query results to improve performance.
Forwarding Servers: Forward DNS queries to another server for resolution.

Config files

host.conf
/etc/resolv.conf
/etc/bind/named.conf
/etc/bind/named.conf.local
/etc/bind/named.conf.options
/etc/bind/named.conf.log
/etc/bind/*

Dangerous settings when configuring a Bind server:

Option

Description

allow-query

Defines which hosts are allowed to send requests to the DNS server.

allow-recursion

Defines which hosts are allowed to send recursive requests to the DNS server.

allow-transfer

Defines which hosts are allowed to receive zone transfers from the DNS server.

zone-statistics

Collects statistical data of zones.

Attack workflow

1. Reconnaissance and Enumeration

Banner Grabbing: Identify DNS version and services running on port 53. Banner Grabbing

2. DNS Zone Transfer Attack

Zone Transfer (AXFR): If DNS misconfigurations allow zone transfers, attackers can obtain sensitive domain records. Zone Transfer

3. DNS Subdomain Bruteforcing

Bruteforce Subdomains: Use wordlists to identify valid subdomains via DNS queries. Subdomain Brute-Forcing

4. Reverse DNS Lookup

Reverse DNS Lookup: Query PTR records to map IP addresses back to domain names. Reverse DNS Enumeration

5. DNS ANY Query

ANY Query: Query the DNS server for all available records it is willing to disclose. ANY Query Enumeration

6. DNSSEC Exploitation

DNSSEC Enumeration: Identify DNSSEC configurations and attempt exploitation or abuse. DNSSEC Vulnerability Scanning

7. DNS Amplification Attack (DDoS Simulation)

DNS Recursion Check: If recursion is enabled, the server may allow amplification attacks. DNS Recursion Testing

8. Active Directory DNS Service Enumeration

Service Enumeration: Query for Active Directory-related DNS services like LDAP, Kerberos, and Global Catalog. Active Directory DNS Service Enumeration

9. IPv6 DNS Bruteforcing

IPv6 DNS Bruteforce: Target AAAA records to uncover subdomains with IPv6 addresses. IPv6 DNS Bruteforce

10. Exploit Misconfigured Mail Servers

Mail Nondelivery Exploitation: Use misconfigured DNS for email servers to gather internal network information. Mail Server Enumeration via DNS

Penetration Testing Techniques for DNS

Banner Grabbing

Banner grabbing for DNS may involve querying for version information or other metadata that a DNS server discloses. A classic way to gather this is by querying the version.bind using DNS CHAOS requests or nmap scripts.

Dig:

dig version.bind CHAOS TXT @<DNS_SERVER_IP>

Nmap:

nmap -sV --script dns-nsid <DNS_SERVER_IP>

fpdns:

fpdns <DNS_SERVER_IP>

Zone Transfer

DNS zone transfer (AXFR) can leak entire domain zone information, including subdomains, services, and IP addresses. It's often a result of misconfigured DNS servers.

Dig:

dig axfr @<DNS_SERVER_IP> <DOMAIN>

Fierce:

fierce --domain <DOMAIN> --dns-servers <DNS_SERVER_IP>

Dnsrecon:

dnsrecon -t axfr -d <DOMAIN> -n <DNS_SERVER_IP>

ANY Query Enumeration

Using an ANY query, testers can attempt to retrieve all records a DNS server is willing to share.

Dig:

dig ANY <DOMAIN> @<DNS_SERVER_IP>

Dnsenum:

dnsenum --dnsserver <DNS_SERVER_IP> --enum -p 0 -s 0 -o output.txt <DOMAIN>

Dnsrecon:

dnsrecon -d <DOMAIN> -t any -n <DNS_SERVER_IP>

Subdomain Brute-Forcing

Subdomain brute-forcing is an effective technique to uncover hidden services or subdomains associated with a target domain.

Dnsenum:

dnsenum --dnsserver <DNS_SERVER_IP> -f subdomains.txt <DOMAIN>

Dnscan:

dnscan -d <DOMAIN> -w subdomains.txt -r

Dnsrecon:

dnsrecon -D subdomains.txt -d <DOMAIN> -n <DNS_SERVER_IP>

Reverse DNS Enumeration

Reverse DNS lookups allow attackers to map IP ranges to associated domain names, potentially exposing internal or less public-facing resources.

Dnsrecon:

dnsrecon -r <IP_RANGE> -n <DNS_SERVER_IP>

Reverse-Scan: Use reverse-scan for efficient reverse DNS enumeration.

reverse-scan -i <IP_RANGE> -d <DNS_SERVER_IP>

Dig:

dig -x <IP_ADDRESS> @<DNS_SERVER_IP>

DNSSEC Vulnerability Scanning

DNSSEC is designed to provide an additional layer of security, but vulnerabilities can still exist in misconfigured setups. You can exploit DNSSEC records for potential DDoS or data exfiltration attacks.

Nmap:

nmap -p 53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=<DOMAIN> <DNS_SERVER_IP>

Dig (manual DNSSEC check):

dig DNSKEY <DOMAIN> @<DNS_SERVER_IP>

DNS Recursion Testing

DNS recursion allows DNS servers to query other DNS servers on behalf of a client. If improperly configured, this can be exploited for DNS amplification attacks.

Dig:

dig google.com A @<DNS_SERVER_IP>

Nmap:

nmap --script dns-recursion <DNS_SERVER_IP>

Nslookup:

nslookup
> SERVER <DNS_SERVER_IP>
> google.com

Mail Server Enumeration via DNS

Misconfigured DNS records often leak internal infrastructure information. By querying for mail exchange (MX) or service (SRV) records, you can learn about target email servers.

Dig:

dig MX <DOMAIN> @<DNS_SERVER_IP>
dig SRV _ldap._tcp.<DOMAIN> @<DNS_SERVER_IP>

Nslookup:

nslookup
> server <DNS_SERVER_IP>
> set type=MX
> <DOMAIN>

Nmap:

nmap --script dns-srv-enum --script-args dns-srv-enum.domain=<DOMAIN> <DNS_SERVER_IP>

Active Directory DNS Service Enumeration

Enumerate DNS services related to Active Directory for additional attack vectors.

Service Enumeration: Query for Active Directory-related DNS services like LDAP, Kerberos, and Global Catalog.

bashCopy code# Dig for AD services
dig -t _gc._tcp.lab.domain.com
dig -t _ldap._tcp.lab.domain.com
dig -t _kerberos._tcp.lab.domain.com

# Nslookup AD services
nslookup
> set type=srv
> _kerberos._tcp.<DOMAIN>

IPv6 DNS Bruteforce

Dnsdict6:

dnsdict6 -t <DOMAIN>

Dnsrevenum6:

dnsrevenum6 <DNS_SERVER_IP> <IPV6_RANGE>

PreviousTACACS+ - Port 49 NextTFTP/Bittorrent-tracker - Port 69/UDP

Last updated 9 months ago

Was this helpful?