DNS - Port 53
Basic info
DNS (Domain Name System) is a critical protocol that acts as the internet's directory. It translates human-readable domain names like example.com into IP addresses, allowing browsers to connect to web services. Due to its essential role in internet functionality, DNS servers are common attack targets.
Default port: 53
PORT STATE SERVICE REASON
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
5353/udp open zeroconf udp-response
53/udp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)Key DNS Concepts
DNS Root Servers: The highest level in the DNS hierarchy, maintaining top-level domain information.
Authoritative Nameservers: Provide definitive answers about domain zones they manage.
Caching DNS Servers: Temporarily store DNS query results to improve performance.
Forwarding Servers: Forward DNS queries to another server for resolution.
Config files
host.conf
/etc/resolv.conf
/etc/bind/named.conf
/etc/bind/named.conf.local
/etc/bind/named.conf.options
/etc/bind/named.conf.log
/etc/bind/*Dangerous settings when configuring a Bind server:
Option
Description
allow-query
Defines which hosts are allowed to send requests to the DNS server.
allow-recursion
Defines which hosts are allowed to send recursive requests to the DNS server.
allow-transfer
Defines which hosts are allowed to receive zone transfers from the DNS server.
zone-statistics
Collects statistical data of zones.
Attack workflow
1. Reconnaissance and Enumeration
Banner Grabbing: Identify DNS version and services running on port 53. Banner Grabbing
2. DNS Zone Transfer Attack
Zone Transfer (AXFR): If DNS misconfigurations allow zone transfers, attackers can obtain sensitive domain records. Zone Transfer
3. DNS Subdomain Bruteforcing
Bruteforce Subdomains: Use wordlists to identify valid subdomains via DNS queries. Subdomain Brute-Forcing
4. Reverse DNS Lookup
Reverse DNS Lookup: Query PTR records to map IP addresses back to domain names. Reverse DNS Enumeration
5. DNS ANY Query
ANY Query: Query the DNS server for all available records it is willing to disclose. ANY Query Enumeration
6. DNSSEC Exploitation
DNSSEC Enumeration: Identify DNSSEC configurations and attempt exploitation or abuse. DNSSEC Vulnerability Scanning
7. DNS Amplification Attack (DDoS Simulation)
DNS Recursion Check: If recursion is enabled, the server may allow amplification attacks. DNS Recursion Testing
8. Active Directory DNS Service Enumeration
Service Enumeration: Query for Active Directory-related DNS services like LDAP, Kerberos, and Global Catalog. Active Directory DNS Service Enumeration
9. IPv6 DNS Bruteforcing
IPv6 DNS Bruteforce: Target AAAA records to uncover subdomains with IPv6 addresses. IPv6 DNS Bruteforce
10. Exploit Misconfigured Mail Servers
Mail Nondelivery Exploitation: Use misconfigured DNS for email servers to gather internal network information. Mail Server Enumeration via DNS
Penetration Testing Techniques for DNS
Banner Grabbing
Banner grabbing for DNS may involve querying for version information or other metadata that a DNS server discloses. A classic way to gather this is by querying the version.bind using DNS CHAOS requests or nmap scripts.
Dig:
dig version.bind CHAOS TXT @<DNS_SERVER_IP>Nmap:
nmap -sV --script dns-nsid <DNS_SERVER_IP>fpdns:
fpdns <DNS_SERVER_IP>Zone Transfer
DNS zone transfer (AXFR) can leak entire domain zone information, including subdomains, services, and IP addresses. It's often a result of misconfigured DNS servers.
Dig:
dig axfr @<DNS_SERVER_IP> <DOMAIN>Fierce:
fierce --domain <DOMAIN> --dns-servers <DNS_SERVER_IP>Dnsrecon:
dnsrecon -t axfr -d <DOMAIN> -n <DNS_SERVER_IP>ANY Query Enumeration
Using an ANY query, testers can attempt to retrieve all records a DNS server is willing to share.
Dig:
dig ANY <DOMAIN> @<DNS_SERVER_IP>Dnsenum:
dnsenum --dnsserver <DNS_SERVER_IP> --enum -p 0 -s 0 -o output.txt <DOMAIN>Dnsrecon:
dnsrecon -d <DOMAIN> -t any -n <DNS_SERVER_IP>Subdomain Brute-Forcing
Subdomain brute-forcing is an effective technique to uncover hidden services or subdomains associated with a target domain.
Dnsenum:
dnsenum --dnsserver <DNS_SERVER_IP> -f subdomains.txt <DOMAIN>Dnscan:
dnscan -d <DOMAIN> -w subdomains.txt -rDnsrecon:
dnsrecon -D subdomains.txt -d <DOMAIN> -n <DNS_SERVER_IP>Reverse DNS Enumeration
Reverse DNS lookups allow attackers to map IP ranges to associated domain names, potentially exposing internal or less public-facing resources.
Dnsrecon:
dnsrecon -r <IP_RANGE> -n <DNS_SERVER_IP>Reverse-Scan: Use reverse-scan for efficient reverse DNS enumeration.
reverse-scan -i <IP_RANGE> -d <DNS_SERVER_IP>Dig:
dig -x <IP_ADDRESS> @<DNS_SERVER_IP>DNSSEC Vulnerability Scanning
DNSSEC is designed to provide an additional layer of security, but vulnerabilities can still exist in misconfigured setups. You can exploit DNSSEC records for potential DDoS or data exfiltration attacks.
Nmap:
nmap -p 53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=<DOMAIN> <DNS_SERVER_IP>Dig (manual DNSSEC check):
dig DNSKEY <DOMAIN> @<DNS_SERVER_IP>DNS Recursion Testing
DNS recursion allows DNS servers to query other DNS servers on behalf of a client. If improperly configured, this can be exploited for DNS amplification attacks.
Dig:
dig google.com A @<DNS_SERVER_IP>Nmap:
nmap --script dns-recursion <DNS_SERVER_IP>Nslookup:
nslookup
> SERVER <DNS_SERVER_IP>
> google.comMail Server Enumeration via DNS
Misconfigured DNS records often leak internal infrastructure information. By querying for mail exchange (MX) or service (SRV) records, you can learn about target email servers.
Dig:
dig MX <DOMAIN> @<DNS_SERVER_IP>
dig SRV _ldap._tcp.<DOMAIN> @<DNS_SERVER_IP>Nslookup:
nslookup
> server <DNS_SERVER_IP>
> set type=MX
> <DOMAIN>Nmap:
nmap --script dns-srv-enum --script-args dns-srv-enum.domain=<DOMAIN> <DNS_SERVER_IP>Active Directory DNS Service Enumeration
Enumerate DNS services related to Active Directory for additional attack vectors.
Service Enumeration: Query for Active Directory-related DNS services like LDAP, Kerberos, and Global Catalog.
bashCopy code# Dig for AD services
dig -t _gc._tcp.lab.domain.com
dig -t _ldap._tcp.lab.domain.com
dig -t _kerberos._tcp.lab.domain.com
# Nslookup AD services
nslookup
> set type=srv
> _kerberos._tcp.<DOMAIN>IPv6 DNS Bruteforce
Dnsdict6:
dnsdict6 -t <DOMAIN>Dnsrevenum6:
dnsrevenum6 <DNS_SERVER_IP> <IPV6_RANGE>Last updated
Was this helpful?