# DNS | 53

```bash
                 +-----------+
                 |     .     |  ←----------------------|## Root Level [ . ] 
                 +-----------+
                       |
    +------------+------------+------------+
    |            |            |            | 
 +-------+   +-------+     +------+     +------+
 |  com. |   |  org. |     | net. |     |  lk. |  ←----|## TLDs [Top-Level Domains]
 +-------+   +-------+     +------+     +------+
     |                                      
 +------------------+
 |   h4rithd.com.   |  ←-------------------------------|## Second-Level Domain [SLD]
 +------------------+
          |
 +-------------------+
 | docs.h4rithd.com. |  ←------------------------------|## Subdomain [Third-Level]
 +-------------------+
          |
+---------------------------+
| staging.docs.h4rithd.com. |  ←-----------------------|## Hosts
+---------------------------+
                                               FQDN: docs.h4rithd.com
                                                     └──┘ └─────┘ └─┘
                                                  Subdomain SLD   TLD

### ROOT  →  The root of the hierarchy, written as a single dot (root zone operated under ICANN/IANA)
### TLDs  →  Top-Level Domains: generic ones such as .com and .org, country codes such as .lk
### SLDs  →  Second-Level Domains (the registrable name you own, here h4rithd.com)
### Subs  →  Subdomains, used to separate services such as docs, blog, staging
### FQDN  →  Fully Qualified Domain Name: every label down to the root, strictly written with a trailing dot
```
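The levels in the diagram correspond to string operations that resolvers, log parsers and asset inventories perform constantly. The following is an added example, not part of the original page: it normalizes a name, checks it against the RFC 1035 label limits, splits it into the diagram's levels and lists the ancestor zones a resolver walks from the name up to the root. It assumes the page's two-level model (SLD directly under a TLD) and does not consult the Public Suffix List, so names under multi-label suffixes such as co.uk are outside what it handles; `docs.h4rithd.com` is the page's own sample name.

```python
"""Added example (not from the original page): normalize, validate and split
FQDNs along the levels shown in the diagram above.  Limits are RFC 1035's;
the SLD/TLD split follows the page's two-level model and does not consult the
Public Suffix List (an assumption: co.uk-style suffixes are not handled)."""

import re

MAX_LABEL = 63    # octets per label, RFC 1035 section 2.3.4
MAX_NAME = 253    # printable length without the trailing root dot
# Hostname label syntax: letters, digits, hyphen; no leading or trailing hyphen.
LDH_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?")


def normalize(name: str) -> str:
    """Lower-case, trim whitespace and add the root dot ('docs.h4rithd.com' -> 'docs.h4rithd.com.')."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def labels(name: str) -> list[str]:
    """Labels left to right without the root: 'docs.h4rithd.com.' -> ['docs', 'h4rithd', 'com']."""
    return [lab for lab in normalize(name).split(".") if lab]


def is_valid_hostname(name: str) -> bool:
    """Length limits plus LDH syntax.  DNS itself allows other octets in names,
    so service labels such as _dmarc.h4rithd.com are valid DNS names but fail here."""
    labs = labels(name)
    if not labs or len(".".join(labs)) > MAX_NAME:
        return False
    return all(len(lab) <= MAX_LABEL and LDH_LABEL.fullmatch(lab) for lab in labs)


def split_fqdn(name: str) -> dict[str, str]:
    """Map a name onto the diagram: TLD, SLD, the registrable pair, and whatever sits left of the SLD."""
    labs = labels(name)
    if len(labs) < 2:
        raise ValueError(f"{name!r} has no second-level domain")
    return {
        "tld": labs[-1],
        "sld": labs[-2],
        "registrable": ".".join(labs[-2:]),
        "subdomain": ".".join(labs[:-2]),   # '' for a bare SLD
    }


def zone_cut_candidates(name: str) -> list[str]:
    """Ancestors from the name itself up to '.': the chain a resolver walks
    (root -> TLD -> SLD -> ...) and therefore the zones whose NS records matter for it."""
    labs = labels(name)
    return [".".join(labs[i:]) + "." for i in range(len(labs))] + ["."]
```

`zone_cut_candidates` is the list to check when auditing delegation: every entry except the root is a place where an NS record could hand the name to someone else.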

<table><thead><tr><th width="102" align="right">Type</th><th width="234" align="center">Name</th><th>Description</th></tr></thead><tbody>
<tr><td align="right">A</td><td align="center">Address Record</td><td>Maps a domain to an IPv4 address.</td></tr>
<tr><td align="right">AAAA</td><td align="center">IPv6 Address Record</td><td>Maps a domain to an IPv6 address.</td></tr>
<tr><td align="right">CNAME</td><td align="center">Canonical Name Record</td><td>Alias of one domain to another.</td></tr>
<tr><td align="right">MX</td><td align="center">Mail Exchange Record</td><td>Routes email to the correct mail server.</td></tr>
<tr><td align="right">NS</td><td align="center">Name Server Record</td><td>Specifies authoritative name servers.</td></tr>
<tr><td align="right">TXT</td><td align="center">Text Record</td><td>Arbitrary text, often used for SPF, DKIM, DMARC and ownership verification.</td></tr>
<tr><td align="right">SOA</td><td align="center">Start of Authority</td><td>Zone metadata: primary NS, admin mailbox (RNAME), serial and the refresh/retry/expire/minimum timers.</td></tr>
<tr><td align="right">PTR</td><td align="center">Pointer Record</td><td>Used for reverse DNS lookups (IP → domain).</td></tr>
<tr><td align="right">SRV</td><td align="center">Service Locator</td><td>Defines location (host and port) of services; used in VoIP, Active Directory, etc.</td></tr>
<tr><td align="right">SPF</td><td align="center">Sender Policy Framework</td><td>Lists the mail servers allowed to send for the domain. The dedicated SPF type (99) is deprecated by RFC 7208; the policy is published in a TXT record instead.</td></tr>
<tr><td align="right">CAA</td><td align="center">Certification Authority Authorization</td><td>Specifies which CAs may issue certificates for the domain.</td></tr>
<tr><td align="right">NAPTR</td><td align="center">Naming Authority Pointer</td><td>Used for dynamic delegation, SIP and ENUM services.</td></tr>
<tr><td align="right">RP</td><td align="center">Responsible Person</td><td>Email address of the domain admin.</td></tr>
<tr><td align="right">AFSDB</td><td align="center">Andrew File System DB</td><td>Used for locating AFS or DCE services.</td></tr>
<tr><td align="right">HINFO</td><td align="center">Host Info Record</td><td>Specifies hardware &amp; OS of a host (rarely used).</td></tr>
<tr><td align="right">ISDN</td><td align="center">ISDN Address Record</td><td>Maps domain to an ISDN number (obsolete).</td></tr>
<tr><td align="right">KEY</td><td align="center">Public Key Record</td><td>Used in early DNSSEC (obsolete, replaced by DNSKEY).</td></tr>
<tr><td align="right">DNSKEY</td><td align="center">DNSSEC Public Key</td><td>Holds a public key for DNSSEC validation.</td></tr>
<tr><td align="right">RRSIG</td><td align="center">Resource Record Signature</td><td>Contains the digital signature over a DNSSEC-signed record set.</td></tr>
<tr><td align="right">NSEC</td><td align="center">Next Secure Record</td><td>Part of DNSSEC; authenticated denial of existence that names the next owner in the zone (which is what makes zone walking possible).</td></tr>
<tr><td align="right">NSEC3</td><td align="center">Next Secure Record v3</td><td>Secure denial of existence using hashed owner names.</td></tr>
<tr><td align="right">DS</td><td align="center">Delegation Signer</td><td>Indicates that a child zone is secured with DNSSEC.</td></tr>
<tr><td align="right">LOC</td><td align="center">Location Record</td><td>Specifies geographic location (lat/lon/altitude).</td></tr>
<tr><td align="right">DNAME</td><td align="center">Delegation Name Record</td><td>Like CNAME but for an entire subtree.</td></tr>
<tr><td align="right">TLSA</td><td align="center">TLS Authentication Record</td><td>Used in DANE to pin TLS certificates or keys.</td></tr>
<tr><td align="right">SSHFP</td><td align="center">SSH Public Key Fingerprint</td><td>Stores SSH host key fingerprints for trust.</td></tr>
<tr><td align="right">SVCB</td><td align="center">Service Binding Record</td><td>Newer alternative to SRV for service discovery.</td></tr>
<tr><td align="right">HTTPS</td><td align="center">HTTPS Service Record</td><td>A variant of SVCB specialised for HTTPS.</td></tr>
<tr><td align="right">URI</td><td align="center">Uniform Resource Identifier</td><td>Maps domain to a URI.</td></tr>
<tr><td align="right">MB</td><td align="center">Mailbox Domain Name</td><td>Maps domain to a mailbox host (obsolete).</td></tr>
<tr><td align="right">MG</td><td align="center">Mail Group Member</td><td>Identifies members of a mail group (obsolete).</td></tr>
<tr><td align="right">MR</td><td align="center">Mail Rename Domain</td><td>Renames a mailbox (obsolete).</td></tr>
<tr><td align="right">MINFO</td><td align="center">Mailbox Info</td><td>Info about a mailbox or mail list (obsolete).</td></tr>
<tr><td align="right">WKS</td><td align="center">Well-Known Service</td><td>Maps service name to IP/port (obsolete).</td></tr>
<tr><td align="right">X25</td><td align="center">X.25 Address Record</td><td>Maps to an X.25 network address (obsolete).</td></tr>
</tbody></table>

```bash
### /etc/resolv.conf lists the resolver(s) used whenever no @server is given in the commands below
## ------------------| DNS Information Gathering  
dig h4rithd.com                      ### Queries A records from the default DNS server 
dig SOA h4rithd.com                  ### Start of Authority record; the RNAME field is a mailbox written as a domain name, its first unescaped dot stands for @ (info.h4rithd.com. → info@h4rithd.com)
dig h4rithd.com ANY                  ### Queries all available DNS records   
dig h4rithd.com MX @$IP              ### Get mail server information  
dig h4rithd.com NS @$IP              ### Find name servers for the domain 
dig h4rithd.com ANY @$IP             ### Perform ANY query to get all available DNS records  
dig h4rithd.com TXT @$IP             ### Retrieve TXT records (SPF, DKIM, verification) 
dnsrecon -d h4rithd.com              ### Standard enumeration (A, MX, NS, SOA, TXT records)
dnsrecon -d h4rithd.com -t std       ### Same as above (explicit standard scan)
nslookup -query=ANY h4rithd.com $IP  ### Alternative method for all records
nmap -sU -p 53 --script dns-nsid $IP ### Get DNS server details (NSID)
nmap -sU -p 53 --script dns-recursion $IP    ### Check for recursive queries
nmap -sU -p 53 --script dns-cache-snoop $IP  ### Snoop DNS cache (may be blocked)
nmap -sU -p 53 --script "dns-*" --script-args dns-brute.domain=h4rithd.com $IP    ### Comprehensive Scan

## ------------------| Reverse DNS Lookup
host $IP                             ### Simplest reverse lookup (PTR record query)
nslookup $IP                         ### Interactive reverse DNS query
dig -x $IP @$IP                      ### Detailed reverse lookup (PTR) asking the nameserver at $IP directly
nmap -R -sL 192.168.1.1-254          ### List scan: reverse-resolve every address without probing it (-R forces rDNS even for hosts that look down)
whois $IP | grep "Reverse DNS"       ### Some registries include a reverse-DNS line in WHOIS output; not universal
dnsenum --reverse 192.168.1.0/24     ### Reverse lookup with DNSenum
dnsrecon -r 192.168.1.0/24 -n $IP    ### Reverse lookup for IP range
dnsrecon -r 192.168.1.1-192.168.1.254 -n $IP ### Specific IP range reverse lookup

## ------------------| Bulk Reverse Lookup (IP Range)
for ip in $(seq 1 254); do host 192.168.1.$ip; done | grep -v "not found"   ### Scan a /24 subnet for PTR records
dnsrecon -r 192.168.1.0/24 -n $IP    ### Automated reverse lookup for entire subnet (-r = range, -n = nameserver)

## ------------------| Using Metasploit for Reverse Lookup
msfconsole
use auxiliary/gather/dns_reverse_lookup
set RHOSTS 192.168.1.0/24
run

## ------------------| Zone Transfer Attempt
dig axfr h4rithd.com @$IP               ### Asks the nameserver at $IP for a full zone transfer; succeeds only if it allows AXFR to anyone (AXFR always runs over TCP, dig switches by itself so +tcp is implicit)
dig axfr h4rithd.com @ns1.h4rithd.com   ### Same request aimed at a named authoritative server; test each NS, as they are often configured differently
dig axfr h4rithd.com @$IP +nocookie     ### Omit the EDNS COOKIE option (some middleboxes drop queries carrying it); this does not bypass any access control
host -T -l h4rithd.com ns1.h4rithd.com  ### Alternative zone transfer method
dnsrecon -d h4rithd.com -t axfr         ### Test for zone transfer vulnerabilities
dnsrecon -d h4rithd.com -n ns1.h4rithd.com -t axfr     ### Test against specific nameserver
nmap -p 53 --script dns-zone-transfer --script-args dns-zone-transfer.domain=h4rithd.com $IP 

## ------------------| Brute-force Subdomains
dnsenum h4rithd.com                        ### Comprehensive DNS enumeration  
dnsrecon -r $IP/24 -d h4rithd.com -t rvl   ### Reverse-lookup every address in the range (-t rvl is the reverse-range test; brt is forward brute force)
dnsmap h4rithd.com -w /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt ### Subdomain brute-forcing  
dnsrecon -d h4rithd.com -D /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt -t brt ### Brute-force subdomains  
gobuster dns -d h4rithd.com -w /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt -t 50 ### Fast threaded brute-force  
dnsrecon -d h4rithd.com -D /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt -t brt -c results.csv ### Save to CSV
dnsenum --dnsserver $IP --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt h4rithd.com   
for sub in $(cat /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt); do dig "$sub.h4rithd.com" @$IP | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep "$sub" | tee -a subdomains.txt; done    ### Manual loop over the wordlist; keeps only answer lines naming the tested label

## ------------------| DNS Cache Snooping
dig @$IP h4rithd.com A +norecurse               ### Check if record exists in cache  
dnsrecon -d h4rithd.com -t snoop -n $IP         ### DNS cache snooping
dnschef --fakeip $IP --fakedomains h4rithd.com  ### DNS proxy that answers h4rithd.com with $IP; a test harness for spoofing scenarios, not a snooping tool

## ------------------| DNSSEC Enumeration
ldns-walk h4rithd.com                  ### Walk through DNSSEC secured zone  
dnsrecon -d h4rithd.com -t std         ### Check for DNSSEC records  
dnsrecon -d h4rithd.com -t zonewalk    ### DNSSEC zone walking
nmap -sU -p 53 --script dns-nsec-enum --script-args dns-nsec-enum.domain=h4rithd.com $IP

## ------------------| DNS Exploitation
dns-fuzz $IP                           ### Fuzz the DNS server with malformed packets (robustness testing, not a tunnelling check)
dnsspoof -i eth0 -f hosts.txt          ### dsniff's DNS spoofer: answers queries seen on the local segment from hosts.txt (requires root)
dns-spoof -i eth0 -f hosts.txt         ### Alternative spoofing tool with the same hosts-file syntax (requires root)
dnsrecon -d h4rithd.com -t tld         ### Expand the SLD across other TLDs (h4rithd.net, .org, ...) to find sibling registrations; not a vulnerability check

## ------------------| Passive DNS Enumeration
sublist3r -d h4rithd.com               ### Find subdomains using OSINT  
amass enum -passive -d h4rithd.com     ### Passive subdomain enumeration  

## ------------------| Google-Fu for DNS
dnsrecon -d h4rithd.com -t goo         ### Google enumeration (OSINT technique)

## ------------------| Comprehensive Scan
dnsrecon -d h4rithd.com -a -z -s -w -b -y -k -t std,axfr,brt -j full_report.json
### -a = also attempt AXFR during the standard scan
### -z = also perform a DNSSEC NSEC zone walk
### -s = reverse-lookup the IPv4 ranges found in the SPF record
### -w = deep WHOIS analysis plus reverse lookup of the ranges it returns
### -b = Bing search for subdomains
### -y = Yandex search for subdomains
### -k = skip the wildcard-resolution check
### -t = comma-separated test types (std, axfr and brt here; not every type)
### -x report.xml  = XML output
### -c report.csv  = CSV output
### -j report.json = JSON output
```
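Two comments in the block above describe interpretation work rather than a command: the `dig SOA` note on turning the RNAME into a mailbox, and the `+norecurse` note on reading a cache-snooping reply. The following is an added example, not code from the original page or the tools it lists: it parses the answer section that `dig` prints, derives the admin mailbox from the SOA RNAME (handling the escaped dot in local parts such as `john\.doe`), decides whether a `+norecurse` reply came from cache, and runs a few zone-hygiene checks a defender would act on (NS redundancy, SPF presence and `+all`, CAA, RRSIG). All sample output is constructed; the addresses, serial, signature and the `john.doe` contact are placeholders.

```python
"""Added example, not code from the original page: parse dig's answer section,
derive the admin mailbox from the SOA RNAME, interpret a +norecurse reply and
run zone hygiene checks.  Sample output below is constructed; addresses,
serial, signature and the contact name are placeholders."""

import re
from collections import defaultdict
from typing import Optional

# Constructed sample of `dig h4rithd.com ANY @$IP` output (values invented)
SAMPLE_ANY = """\
; <<>> DiG 9.18.0 <<>> h4rithd.com ANY
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
h4rithd.com.\t3600\tIN\tSOA\tns1.h4rithd.com. john\\.doe.h4rithd.com. 2024010101 7200 900 1209600 300
h4rithd.com.\t3600\tIN\tNS\tns1.h4rithd.com.
h4rithd.com.\t3600\tIN\tNS\tns2.h4rithd.com.
h4rithd.com.\t300\tIN\tA\t192.0.2.10
h4rithd.com.\t300\tIN\tMX\t10 mail.h4rithd.com.
h4rithd.com.\t300\tIN\tTXT\t"v=spf1 mx -all"
h4rithd.com.\t300\tIN\tRRSIG\tA 13 2 300 20240201000000 20240101000000 12345 h4rithd.com. PLACEHOLDERSIG==
"""
# Constructed header of a `dig @$IP h4rithd.com A +norecurse` reply: an answer but no 'aa' flag
SAMPLE_NORECURSE = ";; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"

RR_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+(?P<cls>[A-Z]+)\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+)$")
HEADER = re.compile(r";; flags: (?P<flags>[^;]*); QUERY: \d+, ANSWER: (?P<answer>\d+)")


def parse_dig(output: str) -> list[dict]:
    """Resource records from dig's output; comment (';') and blank lines are skipped."""
    records = []
    for line in output.splitlines():
        m = RR_LINE.match(line)
        if line.startswith(";") or not m:
            continue
        rec = m.groupdict()
        rec["ttl"] = int(rec["ttl"])
        records.append(rec)
    return records


def rname_to_email(rname: str) -> str:
    """SOA RNAME is a mailbox written as a domain name: the first unescaped dot
    becomes '@' and a backslash-escaped dot is a literal dot in the local part
    (john\\.doe.h4rithd.com. -> john.doe@h4rithd.com)."""
    rname = rname.rstrip(".")
    local, i = [], 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):      # escaped character, keep it literally
            local.append(rname[i + 1])
            i += 2
        elif ch == ".":                              # first real dot: the rest is the domain
            return "".join(local) + "@" + rname[i + 1:]
        else:
            local.append(ch)
            i += 1
    raise ValueError(f"no domain part in RNAME {rname!r}")


def cached_answer(output: str) -> Optional[bool]:
    """Read a +norecurse reply: with recursion refused, a non-authoritative
    answer (ANSWER > 0 and no 'aa' flag) can only have come from the resolver's cache.
    Returns None when no dig header is present."""
    m = HEADER.search(output)
    if not m:
        return None
    return int(m.group("answer")) > 0 and "aa" not in m.group("flags").split()


def zone_report(records: list[dict]) -> dict:
    """Admin contact plus hygiene findings a defender would act on."""
    by_type = defaultdict(list)
    for r in records:
        by_type[r["type"]].append(r["rdata"])
    findings = []
    if len(by_type["NS"]) < 2:
        findings.append("fewer than two NS records (no redundancy)")
    spf = [t.strip('"') for t in by_type["TXT"] if t.strip('"').startswith("v=spf1")]
    if by_type["MX"] and not spf:
        findings.append("MX present but no SPF policy in TXT")
    if len(spf) > 1:
        findings.append("more than one SPF record (RFC 7208 requires exactly one)")
    if any(p.split()[-1] in ("+all", "all") for p in spf):   # 'all' without qualifier means '+all'
        findings.append("SPF ends in +all: any sender passes")
    if not by_type["CAA"]:
        findings.append("no CAA record: any CA may issue certificates")
    if not by_type["RRSIG"]:
        findings.append("no RRSIG in answer: zone unsigned or DNSSEC not requested")
    admin = rname_to_email(by_type["SOA"][0].split()[1]) if by_type["SOA"] else None
    return {"admin": admin, "findings": findings}
```

Feed `zone_report(parse_dig(open("dig.out").read()))` the saved output of the `dig ... ANY` command above to get the same checks over a real zone; `cached_answer` expects the full dig output of the `+norecurse` query, header included.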


