3 Methods to Perform DNS Reconnaissance

CompTIA PenTest PT0-002

What is DNS Reconnaissance?

DNS reconnaissance is a technique to gather information about DNS (Domain Name System) data. This process helps in identifying the network infrastructure and security posture of a target domain by uncovering details like associated subdomains, IP addresses, mail servers, and DNS records. Effective DNS reconnaissance can reveal potential vulnerabilities and configurations, aiding in penetration testing, security assessments, and network troubleshooting.

DNS reconnaissance can be either passive or active, depending on whether you interact with the target's own systems directly (active) or only consult third-party sources (passive).

Let’s start by talking about IP ranges. There are five regional Internet registries (RIRs) that handle allocation of IP addresses across the Internet:

The idea is to prevent two parties from being assigned the same range of addresses for use. These registries contain information about what organization owns a particular range of IP addresses and sometimes information about technical and administrative contacts.


1. Using WHOIS Queries

WHOIS is one such useful tool: it lets you search by point of contact (POC), by network or ASN, or by organization or customer name.


This information is tied to domain name registration entries as well via the WHOIS service.

Let's try to get more details on comptia.org by selecting POC and checking Domain, so that the search is based on domain registration records. This returns the names of the people responsible for the domain according to the RIR.


For each name returned, you can click to get more details, including mailing addresses, e-mail addresses, phone numbers, and even related organizations. You could then use this to search social media or other open-source information for social engineering.


You could validate ownership of an IP in your scope list by searching ARIN for the specific IP address as well. Enter the IP address in the search dialog at the top right of the page, and you will get the network range to which that IP belongs, as well as the ownership records. This can be useful in identifying cloud and third-party hosted assets.

You can also use the whois CLI tool, which provides useful information such as the domain creation date, when it was last updated, the company and business location associated with the domain, DNSSEC information, and in some cases the registrar's contact information.

└─# whois comptia.org
Domain Name: comptia.org
Registry Domain ID: 448a24537680482e820cc725811c3ed1-LROR
Registrar WHOIS Server: http://whois.godaddy.com
Registrar URL: http://www.whois.godaddy.com
Updated Date: 2023-07-22T05:02:42Z
Creation Date: 1995-08-15T04:00:00Z
Registry Expiry Date: 2032-08-14T04:00:00Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
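The whois output above is free text, so it helps to have a small parser that pulls out the dates and registrar fields and turns them into numbers you can triage on (domain age, days to expiry). The script below is an added example, not part of the original article or the whois tool; it embeds the record shown above as a constructed sample and uses 2024-03-27 (the date of the dig queries later in this article) as its reference date. The `analyze`, `parse_whois`, `summarize` and `triage_flags` names are this example's own.

```python
from datetime import datetime, timezone

# Constructed sample: the same fields the `whois comptia.org` output above shows.
WHOIS_SAMPLE = """\
Domain Name: comptia.org
Registry Domain ID: 448a24537680482e820cc725811c3ed1-LROR
Registrar WHOIS Server: http://whois.godaddy.com
Registrar URL: http://www.whois.godaddy.com
Updated Date: 2023-07-22T05:02:42Z
Creation Date: 1995-08-15T04:00:00Z
Registry Expiry Date: 2032-08-14T04:00:00Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
"""


def parse_whois(text: str) -> dict:
    """Parse the 'Key: value' lines of a whois record into a dict (keys lower-cased).
    Keys that repeat, e.g. several 'Name Server' lines, are collected into a list."""
    record: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Registry comments and free-text legal notices carry no field
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in record:
            previous = record[key]
            record[key] = previous + [value] if isinstance(previous, list) else [previous, value]
        else:
            record[key] = value
    return record


def parse_date(value: str) -> datetime:
    """whois timestamps are ISO 8601 with a trailing Z; return an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize(record: dict, today: datetime) -> dict:
    """Pull out the fields that matter for triage and turn the dates into ages."""
    created = parse_date(record["creation date"])
    updated = parse_date(record["updated date"])
    expires = parse_date(record["registry expiry date"])
    return {
        "domain": record["domain name"],
        "registrar": record["registrar"],
        "abuse_contact": record.get("registrar abuse contact email"),
        "age_days": (today - created).days,
        "days_since_update": (today - updated).days,
        "days_to_expiry": (expires - today).days,
        "dnssec": record.get("dnssec", "not shown"),
    }


def triage_flags(summary: dict) -> list:
    """Flags a defender cares about: very young domains are a common phishing
    indicator, and domains close to expiry are a renewal/lapse risk."""
    flags = []
    if summary["age_days"] < 30:
        flags.append("newly registered domain")
    if summary["days_to_expiry"] < 60:
        flags.append("registration expires within 60 days")
    return flags


def analyze(text: str, reference_iso: str) -> dict:
    """Convenience wrapper: parse a whois record and summarize it against a fixed date."""
    return summarize(parse_whois(text), parse_date(reference_iso))


if __name__ == "__main__":
    # Reference date: the day the dig queries later in the article were run.
    summary = analyze(WHOIS_SAMPLE, "2024-03-27T00:00:00Z")
    for key, value in summary.items():
        print(f"{key:>18}: {value}")
    print("flags:", triage_flags(summary) or "none")
```

Feeding it live output is just `analyze(subprocess.check_output(["whois", domain], text=True), ...)`; note that registries format some fields differently (e.g. `Expiration Date`), so extend the key lookups in `summarize` for the registries you deal with.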

Once you know the IP address that a system is using, you can look up information about the IP range it resides in. That can provide information about the company or about the hosting services it uses.

You can do this at sites like https://www.whois.com/whois/. If you check the final IP address, you can see that it is owned by Amazon.



2. Using nslookup

nslookup is a network administration command-line tool used for querying Domain Name System (DNS) servers to obtain domain name or IP address mapping information. For DNS reconnaissance, nslookup can help identify DNS records associated with a domain, revealing subdomains, mail servers, and name servers.

You can perform a basic DNS lookup without using any arguments:

# nslookup comptia.org                   


To find the domain name associated with an IP address:

nslookup <IP Address>

To query a specific DNS server for information about a domain:

nslookup <domain> <dns-server>

To find mail servers for a domain:

nslookup -type=mx <domain>

To query nameserver of a domain:

nslookup -query=ns <domain>


3. Zone Transfers

A DNS zone transfer (AXFR) is a transaction intended to replicate DNS databases between DNS servers. The information contained in a zone transfer can therefore provide a wealth of information to a penetration tester, which is also why most DNS servers have zone transfers disabled or well protected.

A zone transfer will show you quite a bit of data, including the name server, primary contact, serial number, time between changes, the minimum time to live for the domain, MX records, latitude and longitude, and other TXT records, which can show a variety of useful information.

Some of the commands you can use to test for this:

# Using host command
host -t axfr domain.name dns-server

# Using dig command
dig axfr @target.nameserver.com domain.name 

I will use the zonetransfer.me domain with the dig command to get the nameserver details:

└─# dig -t ns zonetransfer.me                  

; <<>> DiG 9.19.19-1-Debian <<>> -t ns zonetransfer.me
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49909
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

; EDNS: version: 0, flags:; udp: 512
;zonetransfer.me.		IN	NS

zonetransfer.me.	600	IN	NS	nsztm2.digi.ninja.
zonetransfer.me.	600	IN	NS	nsztm1.digi.ninja.

nsztm2.digi.ninja.	600	IN	A

;; Query time: 964 msec
;; WHEN: Wed Mar 27 12:37:12 EDT 2024
;; MSG SIZE  rcvd: 112

Now that we have the NS details, we will use them for a full zone transfer:

└─# dig axfr zonetransfer.me @nsztm1.digi.ninja    

; <<>> DiG 9.19.19-1-Debian <<>> axfr zonetransfer.me @nsztm1.digi.ninja
;; global options: +cmd
zonetransfer.me.	7200	IN	SOA	nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me.	300	IN	HINFO	"Casio fx-700G" "Windows XP"
zonetransfer.me.	301	IN	TXT	"google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me.	7200	IN	MX	0 ASPMX.L.GOOGLE.COM.
zonetransfer.me.	7200	IN	MX	10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me.	7200	IN	MX	10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	MX	20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me.	7200	IN	A
zonetransfer.me.	7200	IN	NS	nsztm1.digi.ninja.
zonetransfer.me.	7200	IN	NS	nsztm2.digi.ninja.

Here we get a large dump of data that tells us a lot about the domain. You can read more at https://digi.ninja/projects/zonetransferme.php
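Reading a raw AXFR dump by eye does not scale, and the same parser is useful on the defensive side: run it against your own nameservers and you either get `None` (the server refused, which is what you want) or a list of everything the zone leaks. The script below is an added example, not code from the article or from the zonetransfer.me project; it embeds the records shown above as a constructed sample, plus a constructed sample of dig's `; Transfer failed.` output for the refused case. The `parse_axfr` and `audit_zone` names are this example's own.

```python
from collections import defaultdict, namedtuple
from typing import List, Optional

# Constructed sample: the answer lines of the `dig axfr zonetransfer.me` output
# shown above. The A record whose address the article elides is kept so the
# parser's handling of an incomplete line is visible.
AXFR_SAMPLE = """\
; <<>> DiG 9.19.19-1-Debian <<>> axfr zonetransfer.me @nsztm1.digi.ninja
;; global options: +cmd
zonetransfer.me.  7200  IN  SOA    nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me.  300   IN  HINFO  "Casio fx-700G" "Windows XP"
zonetransfer.me.  301   IN  TXT    "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me.  7200  IN  MX     0 ASPMX.L.GOOGLE.COM.
zonetransfer.me.  7200  IN  MX     10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me.  7200  IN  MX     10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me.  7200  IN  MX     20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me.  7200  IN  MX     20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me.  7200  IN  MX     20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me.  7200  IN  MX     20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me.  7200  IN  A
zonetransfer.me.  7200  IN  NS     nsztm1.digi.ninja.
zonetransfer.me.  7200  IN  NS     nsztm2.digi.ninja.
"""

# Constructed sample of what dig prints when a server refuses AXFR, which is
# the result a correctly restricted nameserver should give to outsiders.
AXFR_REFUSED = """\
; <<>> DiG 9.19.19-1-Debian <<>> axfr example.test @ns1.example.test
;; global options: +cmd
; Transfer failed.
"""

Record = namedtuple("Record", "name ttl rtype rdata")


def parse_axfr(text: str) -> Optional[List[Record]]:
    """Turn dig's AXFR output into records; return None if the transfer was refused."""
    records = []
    for line in text.splitlines():
        if line.startswith("; Transfer failed"):
            return None
        if not line.strip() or line.startswith(";"):
            continue  # dig's own commentary lines
        fields = line.split(None, 4)  # name ttl class type rdata
        if len(fields) < 5 or fields[2] != "IN":
            continue  # incomplete line (e.g. rdata elided), nothing to record
        name, ttl, _cls, rtype, rdata = fields
        records.append(Record(name.rstrip("."), int(ttl), rtype, rdata.strip()))
    return records


def audit_zone(records: List[Record]) -> dict:
    """Summarise what a leaked zone discloses, grouped the way a defender reviews it."""
    by_type = defaultdict(list)
    for rec in records:
        by_type[rec.rtype].append(rec)

    findings = {"record_counts": {t: len(v) for t, v in by_type.items()}, "disclosures": []}
    if by_type["SOA"]:
        mname, rname, serial = by_type["SOA"][0].rdata.split()[:3]
        findings["primary_ns"] = mname.rstrip(".")
        # RNAME is the admin mailbox with the first dot standing in for '@'
        findings["admin_contact"] = rname.rstrip(".").replace(".", "@", 1)
        findings["serial"] = serial  # often YYYYMMDDnn, i.e. the date of the last change
    findings["mail_hosts"] = sorted({r.rdata.split()[1].rstrip(".").lower() for r in by_type["MX"]})
    findings["name_servers"] = sorted(r.rdata.rstrip(".") for r in by_type["NS"])
    for r in by_type["HINFO"]:
        findings["disclosures"].append(f"HINFO on {r.name} reveals hardware/OS: {r.rdata}")
    for r in by_type["TXT"]:
        if "verification=" in r.rdata:
            findings["disclosures"].append(f"TXT on {r.name} names a third-party service verified against the zone")
    return findings


if __name__ == "__main__":
    for label, output in (("zonetransfer.me", AXFR_SAMPLE), ("example.test", AXFR_REFUSED)):
        records = parse_axfr(output)
        if records is None:
            print(f"{label}: transfer refused (good)")
            continue
        for key, value in audit_zone(records).items():
            print(f"{label}: {key} = {value}")
```

The refused case is the one to check regularly against your own authoritative servers: a transfer that succeeds from an address that is not one of your secondaries means the allow-transfer restriction is missing or wrong.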


Deepak Prasad

He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.
