DNS
Introduction
DNS Typically runs on port 53 UDP but it can also run on TCP DNS translates domain names to IP addresses Useful resources:
DNS Records
| DNS Record | Description |
|---|---|
A | Returns an IPv4 address of the requested domain as a result. |
AAAA | Returns an IPv6 address of the requested domain. |
MX | Returns the responsible mail servers as a result. |
NS | Returns the DNS servers (nameservers) of the domain. |
TXT | This record can contain various information. For example, it can be used to validate the Google Search Console or validate SSL certificates. |
CNAME | This record serves as an alias. If the domain www.hackthebox.eu should point to the same IP, and we create an A record for one and a CNAME record for the other. |
PTR | The PTR record works the other way around (reverse lookup). It converts IP addresses into valid domain names. |
SOA | Provides information about the corresponding DNS zone and email address of the administrative contact. |
Basic Interaction
| Command | Description |
|---|---|
dig ns <domain.tld> @dns-ip | NS request to the specific nameserver. |
dig any <domain.tld> @dns-ip | ANY request to the specific nameserver. |
dig axfr <domain.tld> @dns-ip | AXFR (ZONE TRANSFER) request to the specific nameserver. |
fierce --domain zonetransfer.me | Use fierce to scan for Zone Transfers |
Sub-Domain Enumeration:
There are different tools to perform subdomain enumeration:
./subfinder -d test.com -vsublist3r.py -d test.com./subbrute test.com -s ./names.txt -r ./resolvers.txt
Subdomain Fuzzing:
ffuf -w wordlist.txt:FUZZ -u https://FUZZ.server.com/gobuster dns -d example.com -w wordlists.txt
VHost Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs <num>gobuster vhost --url test.example --wordlist /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain
Subdomain Bruteforcing:
Last updated