DNS - Port 53
Last updated
Was this helpful?
Last updated
Was this helpful?
DNS (Domain Name System) is a critical protocol that acts as the internet's directory. It translates human-readable domain names like example.com into IP addresses, allowing browsers to connect to web services. Due to its essential role in internet functionality, DNS servers are common attack targets.
Default port: 53
DNS Root Servers: The highest level in the DNS hierarchy, maintaining top-level domain information.
Authoritative Nameservers: Provide definitive answers about domain zones they manage.
Caching DNS Servers: Temporarily store DNS query results to improve performance.
Forwarding Servers: Forward DNS queries to another server for resolution.
Dangerous settings when configuring a Bind server:
Option
Description
allow-query
Defines which hosts are allowed to send requests to the DNS server.
allow-recursion
Defines which hosts are allowed to send recursive requests to the DNS server.
allow-transfer
Defines which hosts are allowed to receive zone transfers from the DNS server.
zone-statistics
Collects statistical data of zones.
Banner Grabbing: Identify DNS version and services running on port 53. Banner Grabbing
Zone Transfer (AXFR): If DNS misconfigurations allow zone transfers, attackers can obtain sensitive domain records. Zone Transfer
Bruteforce Subdomains: Use wordlists to identify valid subdomains via DNS queries. Subdomain Brute-Forcing
Reverse DNS Lookup: Query PTR records to map IP addresses back to domain names. Reverse DNS Enumeration
ANY Query: Query the DNS server for all available records it is willing to disclose. ANY Query Enumeration
DNSSEC Enumeration: Identify DNSSEC configurations and attempt exploitation or abuse. DNSSEC Vulnerability Scanning
DNS Recursion Check: If recursion is enabled, the server may allow amplification attacks. DNS Recursion Testing
Service Enumeration: Query for Active Directory-related DNS services like LDAP, Kerberos, and Global Catalog. Active Directory DNS Service Enumeration
IPv6 DNS Bruteforce: Target AAAA records to uncover subdomains with IPv6 addresses. IPv6 DNS Bruteforce
Mail Nondelivery Exploitation: Use misconfigured DNS for email servers to gather internal network information. Mail Server Enumeration via DNS
Banner grabbing for DNS may involve querying for version information or other metadata that a DNS server discloses. A classic way to gather this is by querying the version.bind using DNS CHAOS requests or nmap scripts.
Dig:
Nmap:
fpdns:
DNS zone transfer (AXFR) can leak entire domain zone information, including subdomains, services, and IP addresses. It's often a result of misconfigured DNS servers.
Dig:
Fierce:
Dnsrecon:
Using an ANY query, testers can attempt to retrieve all records a DNS server is willing to share.
Dig:
Dnsenum:
Dnsrecon:
Subdomain brute-forcing is an effective technique to uncover hidden services or subdomains associated with a target domain.
Dnsenum:
Dnscan:
Dnsrecon:
Reverse DNS lookups allow attackers to map IP ranges to associated domain names, potentially exposing internal or less public-facing resources.
Dnsrecon:
Reverse-Scan: Use reverse-scan for efficient reverse DNS enumeration.
Dig:
DNSSEC is designed to provide an additional layer of security, but vulnerabilities can still exist in misconfigured setups. You can exploit DNSSEC records for potential DDoS or data exfiltration attacks.
Nmap:
Dig (manual DNSSEC check):
DNS recursion allows DNS servers to query other DNS servers on behalf of a client. If improperly configured, this can be exploited for DNS amplification attacks.
Dig:
Nmap:
Nslookup:
Misconfigured DNS records often leak internal infrastructure information. By querying for mail exchange (MX) or service (SRV) records, you can learn about target email servers.
Dig:
Nslookup:
Nmap:
Enumerate DNS services related to Active Directory for additional attack vectors.
Service Enumeration: Query for Active Directory-related DNS services like LDAP, Kerberos, and Global Catalog.
Dnsdict6:
Dnsrevenum6: