# DNS - Port 53

<details>

<summary>Support VeryLazyTech 🎉</summary>

* Become VeryLazyTech [**member**](https://buymeacoffee.com/verylazytech/membership)**! 🎁**
* **Follow** us on **Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**,** **Github** [**@VeryLazyTech**](https://github.com/verylazytech)**, and Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
* Visit our [**shop** ](https://buymeacoffee.com/verylazytech/extras)for e-books and courses.  📚
* Support us and [**buy me a coffee**](https://buymeacoffee.com/verylazytech)**. ☕**

</details>

## Basic info

DNS (Domain Name System) is a critical protocol that acts as the internet's directory. It translates human-readable domain names like `example.com` into IP addresses, allowing browsers to connect to web services. Due to its essential role in internet functionality, DNS servers are common attack targets.&#x20;

**Default port:** 53

```
PORT     STATE SERVICE  REASON
53/tcp   open  domain  Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
5353/udp open  zeroconf udp-response
53/udp   open  domain  Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
```

#### Key DNS Concepts

* **DNS Root Servers**: The highest level in the DNS hierarchy, maintaining top-level domain information.
* **Authoritative Nameservers**: Provide definitive answers about domain zones they manage.
* **Caching DNS Servers**: Temporarily store DNS query results to improve performance.
* **Forwarding Servers**: Forward DNS queries to another server for resolution.

***

### Config files <a href="#config-files" id="config-files"></a>

```
host.conf
/etc/resolv.conf
/etc/bind/named.conf
/etc/bind/named.conf.local
/etc/bind/named.conf.options
/etc/bind/named.conf.log
/etc/bind/*
```

Dangerous settings when configuring a Bind server:

| **Option**        | **Description**                                                                |
| ----------------- | ------------------------------------------------------------------------------ |
| `allow-query`     | Defines which hosts are allowed to send requests to the DNS server.            |
| `allow-recursion` | Defines which hosts are allowed to send recursive requests to the DNS server.  |
| `allow-transfer`  | Defines which hosts are allowed to receive zone transfers from the DNS server. |
| `zone-statistics` | Collects statistical data of zones.                                            |

***

## **Attack workflow**

#### **1. Reconnaissance and Enumeration**

* **Banner Grabbing**: Identify DNS version and services running on port 53. [#banner-grabbing](#banner-grabbing "mention")

#### **2. DNS Zone Transfer Attack**

* **Zone Transfer (AXFR)**: If DNS misconfigurations allow zone transfers, attackers can obtain sensitive domain records. [#zone-transfer](#zone-transfer "mention")

#### **3. DNS Subdomain Bruteforcing**

* **Bruteforce Subdomains**: Use wordlists to identify valid subdomains via DNS queries. [#subdomain-brute-forcing](#subdomain-brute-forcing "mention")

#### **4. Reverse DNS Lookup**

* **Reverse DNS Lookup**: Query PTR records to map IP addresses back to domain names. [#reverse-dns-enumeration](#reverse-dns-enumeration "mention")

#### **5. DNS ANY Query**

* **ANY Query**: Query the DNS server for all available records it is willing to disclose. [#any-query-enumeration](#any-query-enumeration "mention")

#### **6. DNSSEC Exploitation**

* **DNSSEC Enumeration**: Identify DNSSEC configurations and attempt exploitation or abuse. [#dnssec-vulnerability-scanning](#dnssec-vulnerability-scanning "mention")

#### **7. DNS Amplification Attack (DDoS Simulation)**

* **DNS Recursion Check**: If recursion is enabled, the server may allow amplification attacks. [#dns-recursion-testing](#dns-recursion-testing "mention")

#### **8. Active Directory DNS Service Enumeration**

* **Service Enumeration**: Query for Active Directory-related DNS services like LDAP, Kerberos, and Global Catalog.  [#active-directory-dns-service-enumeration](#active-directory-dns-service-enumeration "mention")

#### **9. IPv6 DNS Bruteforcing**

* **IPv6 DNS Bruteforce**: Target AAAA records to uncover subdomains with IPv6 addresses. [#ipv6-dns-bruteforce](#ipv6-dns-bruteforce "mention")

#### **10. Exploit Misconfigured Mail Servers**

* **Mail Nondelivery Exploitation**: Use misconfigured DNS for email servers to gather internal network information. [#mail-server-enumeration-via-dns](#mail-server-enumeration-via-dns "mention")

***

## Penetration Testing Techniques for DNS

### **Banner Grabbing**

Banner grabbing for DNS may involve querying for version information or other metadata that a DNS server discloses. A classic way to gather this is by querying the `version.bind` using DNS CHAOS requests or nmap scripts.

**Dig**:

```bash
dig version.bind CHAOS TXT @<DNS_SERVER_IP>
```

**Nmap**:

```bash
nmap -sV --script dns-nsid <DNS_SERVER_IP>
```

**fpdns**:

```bash
fpdns <DNS_SERVER_IP>
```

### **Zone Transfer**

DNS zone transfer (AXFR) can leak entire domain zone information, including subdomains, services, and IP addresses. It's often a result of misconfigured DNS servers.

**Dig**:

```bash
dig axfr @<DNS_SERVER_IP> <DOMAIN>
```

**Fierce**:

```bash
fierce --domain <DOMAIN> --dns-servers <DNS_SERVER_IP>
```

**Dnsrecon**:

```bash
dnsrecon -t axfr -d <DOMAIN> -n <DNS_SERVER_IP>
```

### **ANY Query Enumeration**

Using an ANY query, testers can attempt to retrieve all records a DNS server is willing to share.

**Dig**:

```bash
dig ANY <DOMAIN> @<DNS_SERVER_IP>
```

**Dnsenum**:

```bash
dnsenum --dnsserver <DNS_SERVER_IP> --enum -p 0 -s 0 -o output.txt <DOMAIN>
```

**Dnsrecon**:

```bash
dnsrecon -d <DOMAIN> -t any -n <DNS_SERVER_IP>
```

### **Subdomain Brute-Forcing**

Subdomain brute-forcing is an effective technique to uncover hidden services or subdomains associated with a target domain.

**Dnsenum**:

```bash
dnsenum --dnsserver <DNS_SERVER_IP> -f subdomains.txt <DOMAIN>
```

**Dnscan**:

```bash
dnscan -d <DOMAIN> -w subdomains.txt -r
```

**Dnsrecon**:

```bash
dnsrecon -D subdomains.txt -d <DOMAIN> -n <DNS_SERVER_IP>
```

### **Reverse DNS Enumeration**

Reverse DNS lookups allow attackers to map IP ranges to associated domain names, potentially exposing internal or less public-facing resources.

**Dnsrecon**:

```bash
dnsrecon -r <IP_RANGE> -n <DNS_SERVER_IP>
```

**Reverse-Scan**: Use `reverse-scan` for efficient reverse DNS enumeration.

```bash
reverse-scan -i <IP_RANGE> -d <DNS_SERVER_IP>
```

**Dig**:

```bash
dig -x <IP_ADDRESS> @<DNS_SERVER_IP>
```

### **DNSSEC Vulnerability Scanning**

DNSSEC is designed to provide an additional layer of security, but vulnerabilities can still exist in misconfigured setups. You can exploit DNSSEC records for potential DDoS or data exfiltration attacks.

**Nmap**:

```bash
nmap -p 53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=<DOMAIN> <DNS_SERVER_IP>
```

**Dig** (manual DNSSEC check):

```bash
dig DNSKEY <DOMAIN> @<DNS_SERVER_IP>
```

### **DNS Recursion Testing**

DNS recursion allows DNS servers to query other DNS servers on behalf of a client. If improperly configured, this can be exploited for DNS amplification attacks.

**Dig**:

```bash
dig google.com A @<DNS_SERVER_IP>
```

**Nmap**:

```bash
nmap --script dns-recursion <DNS_SERVER_IP>
```

**Nslookup**:

```bash
nslookup
> SERVER <DNS_SERVER_IP>
> google.com
```

### **Mail Server Enumeration via DNS**

Misconfigured DNS records often leak internal infrastructure information. By querying for mail exchange (MX) or service (SRV) records, you can learn about target email servers.

**Dig**:

```bash
dig MX <DOMAIN> @<DNS_SERVER_IP>
dig SRV _ldap._tcp.<DOMAIN> @<DNS_SERVER_IP>
```

**Nslookup**:

```bash
nslookup
> server <DNS_SERVER_IP>
> set type=MX
> <DOMAIN>
```

**Nmap**:

```bash
nmap --script dns-srv-enum --script-args dns-srv-enum.domain=<DOMAIN> <DNS_SERVER_IP>
```

### **Active Directory DNS Service Enumeration**

**Enumerate DNS services related to Active Directory for additional attack vectors.**

**Service Enumeration**: Query for Active Directory-related DNS services like LDAP, Kerberos, and Global Catalog.

```bash
bashCopy code# Dig for AD services
dig -t _gc._tcp.lab.domain.com
dig -t _ldap._tcp.lab.domain.com
dig -t _kerberos._tcp.lab.domain.com

# Nslookup AD services
nslookup
> set type=srv
> _kerberos._tcp.<DOMAIN>
```

### **IPv6 DNS Bruteforce**

**Dnsdict6**:

```bash
dnsdict6 -t <DOMAIN>
```

**Dnsrevenum6**:

```bash
dnsrevenum6 <DNS_SERVER_IP> <IPV6_RANGE>
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.verylazytech.com/network-pentesting/dns-port-53.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.