DNS (Domain Name Systems) Service Enumeration

DNS (Domain Name Systems)

At a Glance

Default Port: 53

The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services, and other resources connected to a network. It associates different information with domain names assigned to each of the participating entities. Most prominently, it translates more easily memorized domain names to the numerical IP addresses needed for identifying computer services and devices with the underlying network protocols. 1

TCP and UDP

By default, DNS uses UDP on port 53 to serve requests. When the size of the request, or the response, exceeds the single packet size of 512 bytes, the query is re-sent using TCP. Multiple records responses, IPv6 responses, big TXT records, DNSSEC responses, and zone transfers are some examples of these requests.

Note: When DNS is running on TCP, it is worth checking if zone trasfer is enabled.

DNS does not provide an information banner per se but BIND DNS exposes its version by default. 2

Note: The version.bind directive is stored under the options section in the /etc/named.conf configuration file.

dig

dig version.bind CHAOS TXT @10.0.0.3

dns-nsid NSE Script

nmap -sV --script dns-nsid -p53 -Pn 10.0.0.3

Refer to Exploits Search

Zone Transfer

DNS reconnaissance is especially valuable during the information gathering stage since it could reveal crucial information about the domain and the infrastructure. But it can also reveal new attack vectors, for example, if Virtual Routing is enabled.

A zone transfer is the process where a DNS server, usually a Master server, passes a copy of a zone to another DNS server, usually a Slave server. Ideally, these transfers are limited to certain IPs, but misconfigured servers allow these transfers to anyone asking for them.

dig

dig axfr @10.0.0.3 domain
Parameters
  • axfr: initiate an AXFR zone transfer query.
  • @10.0.0.3: name or IP of the server to query.
  • domain: name of the resource record that is to be looked up.

Note: It is worth trying to initiate a zone transfer without a domain.

Configuration files

Examine configuration files.3

host.conf
resolv.conf
named.conf

Further Reading


  1. Contributors to Wikimedia projects. “Domain Name System - Wikipedia.” Wikipedia, the Free Encyclopedia, Wikimedia Foundation, Inc., 20 Aug. 2001, https://en.wikipedia.org/wiki/Domain_Name_System. ↩︎

  2. “Determining BIND DNS Version Using Dig.” OSI Security - Penetration Testing & Web Application Security Consultants, https://www.osi.security/blog/determining-bind-dns-version-using-dig. ↩︎

  3. “Penetration Testing Methodology” 0DAYsecurity.Com, http://www.0daysecurity.com/penetration-testing/enumeration.html. ↩︎