
DNS | 53

                 +-----------+
                 |     .     |  ←----------------------|## Root Level [ . ] 
                 +-----------+
                       |
    +------------+------------+------------+
    |            |            |            | 
 +-------+   +-------+     +------+     +------+
 |  com. |   |  org. |     | net. |     |  lk. |  ←----|## TLDs [Top-Level Domains]
 +-------+   +-------+     +------+     +------+
     |                                      
 +------------------+
 |   h4rithd.com.   |  ←-------------------------------|## Second-Level Domain [SLD]
 +------------------+
          |
 +-------------------+
 | docs.h4rithd.com. |  ←------------------------------|## Subdomain [Third-Level]
 +-------------------+
          |
+---------------------------+
| staging.docs.h4rithd.com. |  ←-----------------------|## Hosts
+---------------------------+
                                               FQDN: docs.h4rithd.com
                                                     └──┘ └─────┘ └─┘
                                                  Subdomain SLD   TLD

### ROOT  →  The invisible root of the domain hierarchy (managed by ICANN)
### TLDs  →  Top-Level Domains. Commercial domain space (like .com, .org)
### SLDs  →  Second-Level Domains (your main domain name)
### Subs  →  Subdomains. Used to separate services like docs, blog, etc.
### FQDN  →  The full Fully Qualified Domain Name
| Type | Name | Description |
|------|------|-------------|
| A | Address Record | Maps a domain to an IPv4 address. |
| AAAA | IPv6 Address Record | Maps a domain to an IPv6 address. |
| CNAME | Canonical Name Record | Alias of one domain to another. |
| MX | Mail Exchange Record | Routes email to the correct mail server. |
| NS | Name Server Record | Specifies authoritative name servers. |
| TXT | Text Record | Arbitrary text, often used for SPF, DKIM, verification. |
| SOA | Start of Authority | Provides zone info: primary NS, contact, serial. |
| PTR | Pointer Record | Used for reverse DNS lookups (IP → domain). |
| SRV | Service Locator | Defines location of services (used in VoIP, AD, etc.). |
| SPF | Sender Policy Framework | Helps fight spam by specifying allowed mail servers. |
| CAA | Certification Authority Authorization | Specifies which CAs can issue certs for the domain. |
| NAPTR | Naming Authority Pointer | Used for dynamic DNS, SIP, ENUM services. |
| RP | Responsible Person | Email address of the domain admin. |
| AFSDB | Andrew File System DB | Used for locating AFS or DCE services. |
| HINFO | Host Info Record | Specifies hardware & OS of a host (rarely used). |
| ISDN | ISDN Address Record | Maps domain to an ISDN number (obsolete). |
| KEY | Public Key Record | Used in DNSSEC (obsolete, replaced by DNSKEY). |
| DNSKEY | DNSSEC Public Key | Holds a public key for DNSSEC validation. |
| RRSIG | Resource Record Signature | Contains digital signature for DNSSEC data. |
| NSEC | Next Secure Record | Part of DNSSEC, lists the next valid name in the zone. |
| NSEC3 | Next Secure Record v3 | Secure denial of existence (hash-based). |
| DS | Delegation Signer | Indicates that the child zone is secured with DNSSEC. |
| LOC | Location Record | Specifies geographic location (lat/lon/altitude). |
| DNAME | Delegation Name Record | Like CNAME but for an entire subtree. |
| TLSA | TLS Authentication Record | Used in DANE to specify TLS certs. |
| SSHFP | SSH Public Key Fingerprint | Stores SSH key fingerprints for trust. |
| SVCB | Service Binding Record | New alternative to SRV for HTTPS/SVC discovery. |
| HTTPS | HTTPS Service Record | A variant of SVCB optimized for HTTPS. |
| URI | Uniform Resource Identifier | Maps domain to a URI. |
| MB | Mailbox Domain Name | Maps domain to a mailbox host (obsolete). |
| MG | Mail Group Member | Identifies members of a mail group (obsolete). |
| MR | Mail Rename Domain | Renames a mailbox (obsolete). |
| MINFO | Mailbox Info | Info about mailbox or mail list (obsolete). |
| WKS | Well-Known Service | Maps service name to IP/port (obsolete). |
| X25 | X.25 Address Record | Maps to X.25 network address (obsolete). |

#### /etc/resolv.conf
## ------------------| DNS Information Gathering  
dig h4rithd.com                      ### Queries A records from the default DNS server 
dig SOA h4rithd.com                  ### Gets Start of Authority record. In the RNAME field the first dot(.) becomes @ in email format (info.h4rithd.com. → info@h4rithd.com)
dig h4rithd.com ANY                  ### Queries all available DNS records   
dig h4rithd.com MX @$IP              ### Get mail server information  
dig h4rithd.com NS @$IP              ### Find name servers for the domain 
dig h4rithd.com ANY @$IP             ### Perform ANY query to get all available DNS records  
dig h4rithd.com TXT @$IP             ### Retrieve TXT records (SPF, DKIM, verification) 
dnsrecon -d h4rithd.com              ### Standard enumeration (A, MX, NS, SOA, TXT records)
dnsrecon -d h4rithd.com -t std       ### Same as above (explicit standard scan)
nslookup -query=ANY h4rithd.com $IP  ### Alternative method for all records
nmap -sU -p 53 --script dns-nsid $IP ### Get DNS server details (NSID)
nmap -sU -p 53 --script dns-recursion $IP    ### Check for recursive queries
nmap -sU -p 53 --script dns-cache-snoop $IP  ### Snoop DNS cache (may be blocked)
nmap -sU -p 53 --script "dns-*" --script-args dns-brute.domain=h4rithd.com $IP    ### Comprehensive Scan
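The record table and the dig queries above are easier to reason about once you have seen the bytes dig sends and receives. The following is an added example, not code from the original page: a minimal DNS wire-format encoder/parser that builds a query (with the RD bit that `+norecurse` clears), then parses a response constructed here containing A, MX, TXT and SOA records, following RFC 1035 compression pointers and applying the SOA RNAME-to-mailbox rule from the cheat sheet. The packet bytes, the 203.0.113.x address (TEST-NET-3) and the hostnames are all constructed; `max_hops` is a defensive limit added here so a malformed pointer loop cannot hang the parser.

```python
import struct

# Record type numbers -> names (subset of the table above)
QTYPE = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}

def encode_name(name):
    """Presentation name -> wire labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234, rd=True):
    """Query packet. rd=False is what `dig +norecurse` sends (cache-snooping check)."""
    flags = 0x0100 if rd else 0x0000
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(msg, off, max_hops=16):
    """Decode a name at `off`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name at its original position)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 11xxxxxx: pointer to an earlier name
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        label = msg[off:off + length].decode("ascii")
        labels.append(label.replace("\\", "\\\\").replace(".", "\\."))  # literal dots stay escaped
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def rname_to_email(rname):
    """SOA RNAME -> mailbox: the first unescaped dot becomes '@'."""
    s, local, i = rname.rstrip("."), [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            local.append(s[i + 1]); i += 2
        elif s[i] == ".":
            return "".join(local) + "@" + s[i + 1:]
        else:
            local.append(s[i]); i += 1
    return "".join(local)

def parse_rdata(msg, rtype, off, rdlen):
    if rtype == 1:                                      # A
        return ".".join(str(b) for b in msg[off:off + 4])
    if rtype in (2, 5, 12):                             # NS, CNAME, PTR: a single name
        return read_name(msg, off)[0]
    if rtype == 15:                                     # MX: preference + name
        return (struct.unpack("!H", msg[off:off + 2])[0], read_name(msg, off + 2)[0])
    if rtype == 16:                                     # TXT: length-prefixed strings
        out, o = [], off
        while o < off + rdlen:
            n = msg[o]; out.append(msg[o + 1:o + 1 + n].decode()); o += 1 + n
        return "".join(out)
    if rtype == 6:                                      # SOA: mname, rname, five 32-bit fields
        mname, o = read_name(msg, off)
        rname, o = read_name(msg, o)
        serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[o:o + 20])
        return {"mname": mname, "rname": rname, "email": rname_to_email(rname), "serial": serial,
                "refresh": refresh, "retry": retry, "expire": expire, "minimum": minimum}
    return msg[off:off + rdlen].hex()                   # anything else: raw bytes

def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype = struct.unpack("!HH", msg[off:off + 4])[0]; off += 4
        questions.append((name, QTYPE.get(qtype, qtype)))
    for _ in range(an + ns + ar):                       # answer, authority and additional sections
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        records.append((name, QTYPE.get(rtype, rtype), ttl, parse_rdata(msg, rtype, off, rdlen)))
        off += rdlen
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0xF, "questions": questions, "records": records}

def rr(owner, rtype, ttl, rdata):
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def sample_response():
    """Constructed reply to an ANY query for h4rithd.com (not captured traffic)."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 4, 0, 0)      # flags QR|AA|RD|RA, 4 answers
    msg += encode_name("h4rithd.com") + struct.pack("!HH", 255, 1)
    suffix = b"\xC0\x0C"                                            # pointer to "h4rithd.com" at offset 12
    msg += rr(suffix, 1, 300, bytes([203, 0, 113, 10]))             # A
    msg += rr(suffix, 15, 300, struct.pack("!H", 10) + b"\x04mail" + suffix)   # MX 10 mail.h4rithd.com.
    spf = b"v=spf1 mx -all"
    msg += rr(suffix, 16, 300, bytes([len(spf)]) + spf)             # TXT
    soa = b"\x03ns1" + suffix + b"\x04info" + suffix + struct.pack("!IIIII", 2024010101, 3600, 900, 604800, 300)
    return msg + rr(suffix, 6, 3600, soa)                           # SOA ns1.h4rithd.com. info.h4rithd.com. ...

if __name__ == "__main__":
    for name, rtype, ttl, data in parse_response(sample_response())["records"]:
        print(f"{name:16} {ttl:>5} {rtype:5} {data}")
```

Feeding the output of `build_query()` to a real resolver over UDP and passing the reply to `parse_response()` gives the same record tuples dig prints; the `rd`/`ra`/`aa` flags in the result are what the cache-snooping and recursion checks further down rely on.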

## ------------------| Reverse DNS Lookup
host $IP                             ### Simplest reverse lookup (PTR record query)
nslookup $IP                         ### Interactive reverse DNS query
dig -x $IP @$IP                      ### Detailed reverse lookup against a chosen resolver (use @8.8.8.8 for Google's DNS)
nmap -R -sL 192.168.1.1-254          ### Force reverse DNS resolution
whois $IP | grep "Reverse DNS"       ### Check reverse DNS via WHOIS
dnsenum --reverse 192.168.1.0/24     ### Reverse lookup with DNSenum
dnsrecon -r 192.168.1.0/24 -n $IP    ### Reverse lookup for IP range
dnsrecon -r 192.168.1.1-192.168.1.254 -n $IP ### Specific IP range reverse lookup

## ------------------| Bulk Reverse Lookup (IP Range)
for ip in $(seq 1 254); do host 192.168.1.$ip; done | grep -v "not found"   ### Scan a /24 subnet for PTR records
dnsrecon -r 192.168.1.0/24 -n $IP    ### Automated reverse lookup for entire subnet (-r = range, -n = nameserver)
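The commands above hide what a reverse lookup actually asks for: a PTR record at a reversed-octet name under in-addr.arpa (or a reversed-nibble name under ip6.arpa, which none of the tools above show). The following is an added example, not code from the original page: it builds those names for single addresses and whole prefixes, inverts them again, and turns constructed `host` output (the NXDOMAIN line is what the `grep -v "not found"` above drops) into an IP-to-hostname map. The hostnames and addresses are constructed.

```python
import ipaddress

def ptr_name(ip):
    """Owner name queried for a reverse lookup: octets reversed under in-addr.arpa
    for IPv4, all 32 nibbles reversed under ip6.arpa for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")          # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def ip_from_ptr_name(name):
    """Inverse of ptr_name, used when reading PTR answers back."""
    n = name.rstrip(".")
    if n.endswith(".in-addr.arpa"):
        return ".".join(reversed(n[: -len(".in-addr.arpa")].split(".")))
    if n.endswith(".ip6.arpa"):
        hexdigits = "".join(reversed(n[: -len(".ip6.arpa")].split(".")))
        return str(ipaddress.IPv6Address(":".join(hexdigits[i:i + 4] for i in range(0, 32, 4))))
    raise ValueError(f"not a reverse name: {name}")

def ptr_names_for_prefix(cidr):
    """Every PTR name in a prefix; for IPv4, hosts() skips network/broadcast, matching seq 1 254."""
    return [ptr_name(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]

# Constructed `host` output for three addresses; the middle one has no PTR record.
HOST_OUTPUT = [
    "10.1.168.192.in-addr.arpa domain name pointer web01.h4rithd.com.",
    "Host 11.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)",
    "20.1.168.192.in-addr.arpa domain name pointer db01.h4rithd.com.",
]

def parse_host_output(lines):
    """Map IP -> hostname from `host` output, ignoring NXDOMAIN lines."""
    found = {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 5 and parts[1:4] == ["domain", "name", "pointer"]:
            found[ip_from_ptr_name(parts[0])] = parts[4].rstrip(".")
    return found

if __name__ == "__main__":
    print(ptr_name("192.168.1.10"), ptr_name("2001:db8::1"))
    print(parse_host_output(HOST_OUTPUT))
```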

## ------------------| Using Metasploit for Reverse Lookup
msfconsole
use auxiliary/gather/dns_reverse_lookup
set RHOSTS 192.168.1.0/24
run

## ------------------| Zone Transfer Attempt
dig axfr @$IP                           ### Tests if nameserver allows anonymous zone transfers
dig axfr @$IP +tcp                      ### Use TCP instead of UDP (better for large transfers)
dig axfr h4rithd.com @$IP               ### Tests zone transfer for specific domain
dig axfr @h4rithd.com h4rithd.com       ### Test against specific nameserver 
dig axfr @$IP h4rithd.com +nocookie     ### Bypass DNS cookie protection 
dig axfr h4rithd.com @ns1.h4rithd.com   ### Manual zone transfer attempt
host -T -l h4rithd.com ns1.h4rithd.com  ### Alternative zone transfer method
dnsrecon -d h4rithd.com -t axfr         ### Test for zone transfer vulnerabilities
dnsrecon -d h4rithd.com -n ns1.h4rithd.com -t axfr     ### Test against specific nameserver
nmap -p 53 --script dns-zone-transfer --script-args dns-zone-transfer.domain=h4rithd.com $IP 
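When one of the transfers above succeeds, the useful next step (for the tester and for the zone's owner reviewing the exposure) is to read the output structurally rather than by eye. The following is an added example, not code from the original page: it parses constructed `dig axfr` output into records, checks that the transfer is complete (a valid AXFR starts and ends with the same SOA), counts record types, and lists hosts whose A/AAAA data point at RFC 1918 or ULA space, which is exactly the kind of internal naming an open zone transfer leaks. The zone contents and addresses are constructed.

```python
import ipaddress
from collections import Counter

# Constructed `dig axfr h4rithd.com @ns1.h4rithd.com` output (not a real capture).
DIG_AXFR_OUTPUT = """
; <<>> DiG 9.18.1 <<>> axfr h4rithd.com @ns1.h4rithd.com
;; global options: +cmd
h4rithd.com.              3600 IN SOA ns1.h4rithd.com. info.h4rithd.com. 2024010101 3600 900 604800 300
h4rithd.com.              3600 IN NS  ns1.h4rithd.com.
h4rithd.com.              300  IN A   203.0.113.10
h4rithd.com.              300  IN MX  10 mail.h4rithd.com.
h4rithd.com.              300  IN TXT "v=spf1 mx -all"
mail.h4rithd.com.         300  IN A   203.0.113.25
staging.docs.h4rithd.com. 300  IN A   10.0.5.17
vpn.h4rithd.com.          300  IN A   192.168.10.1
h4rithd.com.              3600 IN SOA ns1.h4rithd.com. info.h4rithd.com. 2024010101 3600 900 604800 300
;; Query time: 12 msec
""".strip().splitlines()

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def parse_axfr(lines):
    """Turn dig's RR lines into (owner, ttl, type, rdata) tuples; comment lines are skipped."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):            # "; Transfer failed." also lands here
            continue
        parts = line.split(None, 4)                     # rdata may itself contain spaces (SOA, MX, TXT)
        if len(parts) != 5 or parts[2] != "IN":
            continue
        owner, ttl, _, rtype, rdata = parts
        records.append((owner, int(ttl), rtype, rdata))
    return records

def is_complete_transfer(records):
    """RFC 5936: a full zone transfer is bracketed by two copies of the zone's SOA."""
    return len(records) >= 2 and records[0][2] == "SOA" and records[-1][2] == "SOA" and records[0] == records[-1]

def summarize(records):
    return Counter(rtype for _, _, rtype, _ in records)

def private_hosts(records):
    """Owner names whose A/AAAA data fall in RFC 1918 (IPv4) or ULA (IPv6) space."""
    leaked = {}
    for owner, _, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if any(addr in net for net in PRIVATE_NETS if net.version == addr.version):
                leaked[owner] = rdata
    return leaked

if __name__ == "__main__":
    recs = parse_axfr(DIG_AXFR_OUTPUT)
    print("complete:", is_complete_transfer(recs), dict(summarize(recs)))
    for owner, addr in private_hosts(recs).items():
        print(f"internal address exposed: {owner} -> {addr}")
```

On the defending side, the same parser run against your own zone (transferred from a host that is allowed to) is a cheap periodic check that nothing internal has crept into a public zone.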

## ------------------| Brute-force Subdomains
dnsenum h4rithd.com                        ### Comprehensive DNS enumeration  
dnsrecon -r $IP/24 -d h4rithd.com -t brt   ### Brute-force hostnames for an IP range
dnsmap h4rithd.com -w /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt ### Subdomain brute-forcing  
dnsrecon -d h4rithd.com -D /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt -t brt ### Brute-force subdomains  
gobuster dns -d h4rithd.com -w /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt -t 50 ### Fast threaded brute-force  
dnsrecon -d h4rithd.com -D /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt -t brt -c results.csv ### Save to CSV
dnsenum --dnsserver $IP --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt h4rithd.com   
for sub in $(cat /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt);do dig $sub.<DOMAIN> @<IP> | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done    

## ------------------| DNS Cache Snooping
dig @$IP h4rithd.com A +norecurse               ### Check if record exists in cache  
dnsrecon -d h4rithd.com -t snoop -n $IP         ### DNS cache snooping
dnschef --fakeip $IP --fakedomains h4rithd.com  ### Set up malicious DNS server  

## ------------------| DNSSEC Enumeration
ldns-walk h4rithd.com                  ### Walk through DNSSEC secured zone  
dnsrecon -d h4rithd.com -t std         ### Check for DNSSEC records  
dnsrecon -d h4rithd.com -t zonewalk    ### DNSSEC zone walking
nmap -sU -p 53 --script dns-nsec-enum --script-args dns-nsec-enum.domain=h4rithd.com $IP

## ------------------| DNS Exploitation
dns-fuzz $IP                           ### Test for DNS tunneling vulnerabilities  
dnsspoof -i eth0 -f hosts.txt          ### Another DNS spoofing tool  
dns-spoof -i eth0 -f hosts.txt         ### Spoof DNS responses (requires root)
dnsrecon -d h4rithd.com -t tld         ### Check for TLD expansion vulnerabilities  

## ------------------| Passive DNS Enumeration
sublist3r -d h4rithd.com               ### Find subdomains using OSINT  
amass enum -passive -d h4rithd.com     ### Passive subdomain enumeration  

## ------------------| Google-Fu for DNS
dnsrecon -d h4rithd.com -t goo         ### Google enumeration (OSINT technique)

## ------------------| Comprehensive Scan
dnsrecon -d h4rithd.com -a -z -s -w -b -y -k -t std,axfr,brt -j full_report.json
### -a = AXFR
### -z = Zone walking
### -s = SRV records
### -w = WHOIS
### -b = Bing search
### -y = Yandex search
### -k = Keep alive
### -t = Comma-separated list of test types to run
### -x report.xml  = XML output
### -c report.csv  = CSV output
### -j report.json = JSON output
