What is DNS Reconnaissance?
DNS reconnaissance is a technique to gather information about DNS (Domain Name System) data. This process helps in identifying the network infrastructure and security posture of a target domain by uncovering details like associated subdomains, IP addresses, mail servers, and DNS records. Effective DNS reconnaissance can reveal potential vulnerabilities and configurations, aiding in penetration testing, security assessments, and network troubleshooting.
DNS recon can be either passive or active, depending on whether you interact with the target's systems directly (active) or only with third-party sources such as registries and public resolvers (passive).
Let’s start by talking about IP ranges. There are five regional Internet registries (RIRs) that handle allocation of IP addresses across the Internet:
- AFRINIC (Africa): http://www.afrinic.net
- APNIC (Asia‐Pacific): http://www.apnic.net
- ARIN (North America, parts of the Caribbean, and North Atlantic islands): http://ws.arin.net
- LACNIC (Latin America and the Caribbean): http://www.lacnic.net
- RIPE (Europe, Russia, the Middle East, and parts of central Asia): http://www.ripe.net
The idea is to prevent two parties from being assigned the same range of addresses for use. These registries contain information about what organization owns a particular range of IP addresses and sometimes information about technical and administrative contacts.
1. Using WHOIS Queries
Whois is a useful tool that lets you search for a point of contact (POC), a network or ASN, or an organization or customer name.
This information is also tied to domain name registration entries via the WHOIS service.
Let's try to get more details on comptia.org by selecting POC and checking Domain to search based on domain registration records. This returns the names of the people responsible for the domain according to the RIR.
For each name returned, you can click to get more details, including mailing addresses, e-mail addresses, phone numbers, and even related organizations. You could then use this to search social media or other open-source information for social engineering.
You could validate ownership of an IP in your scope list by searching ARIN for the specific IP address as well. Enter the IP address in the search dialog at the top right of the page, and you will get the network range to which that IP belongs, as well as the ownership records. This can be useful in identifying cloud and third-party hosted assets.
You can also use the whois CLI tool, which provides information that helps identify the domain creation date, when it was last updated, the company and business location associated with the domain, DNSSEC information, and in some cases contact information for the registrar.
└─# whois comptia.org
Domain Name: comptia.org
Registry Domain ID: 448a24537680482e820cc725811c3ed1-LROR
Registrar WHOIS Server: http://whois.godaddy.com
Registrar URL: http://www.whois.godaddy.com
Updated Date: 2023-07-22T05:02:42Z
Creation Date: 1995-08-15T04:00:00Z
Registry Expiry Date: 2032-08-14T04:00:00Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
...
Once you know the IP address that a system is using, you can look up information about the IP range it resides in. That can provide information about the company or about the hosting services it uses.
You can do this at sites like https://www.whois.com/whois/. If you check the final IP address 52.41.111.100, you can see that it is owned by Amazon.
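The whois output above is only useful once it is turned into something you can track, for example to alert before a domain you own lapses or to record who the registrar and abuse contact are for an asset inventory. The following is an added example, not code from the original article: it parses the `Key: value` lines of the `whois comptia.org` excerpt shown above (embedded as constructed sample input so it runs offline) and computes the domain's age, days until expiry, and whether renewal is due within a configurable window. The field names used (`Creation Date`, `Registry Expiry Date`, `Registrar`) are the ones that appear in the excerpt; `today_iso` and `warn_days` are parameters introduced here.

```python
from datetime import date, datetime

# Sample whois output: the first lines of the `whois comptia.org` excerpt shown above,
# embedded here (constructed subset) so the example runs offline.
SAMPLE_WHOIS = """\
Domain Name: comptia.org
Registry Domain ID: 448a24537680482e820cc725811c3ed1-LROR
Registrar WHOIS Server: http://whois.godaddy.com
Registrar URL: http://www.whois.godaddy.com
Updated Date: 2023-07-22T05:02:42Z
Creation Date: 1995-08-15T04:00:00Z
Registry Expiry Date: 2032-08-14T04:00:00Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
"""


def parse_whois(text):
    """Turn 'Key: value' lines into a dict, keeping the first value seen per key.

    Registry comment lines ('%', '#') and the '>>> Last update ...' trailer are skipped.
    Only the first ':' splits key from value, so URLs in values stay intact.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip(), value.strip())
    return fields


def whois_date(value):
    """Parse the RFC 3339-style timestamps registries use, e.g. '2032-08-14T04:00:00Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").date()


def summarize_whois(text, today_iso, warn_days=90):
    """Summarize the registration facts a defender tracks: domain age, days to expiry,
    and whether renewal is due within `warn_days`. `today_iso` is an ISO date string."""
    fields = parse_whois(text)
    today = date.fromisoformat(today_iso)
    created = whois_date(fields["Creation Date"])
    expires = whois_date(fields["Registry Expiry Date"])
    days_to_expiry = (expires - today).days
    return {
        "domain": fields.get("Domain Name", "").lower(),
        "registrar": fields.get("Registrar"),
        "abuse_contact": fields.get("Registrar Abuse Contact Email"),
        "age_days": (today - created).days,
        "days_to_expiry": days_to_expiry,
        "renewal_due": days_to_expiry <= warn_days,
        # The article mentions DNSSEC status; this excerpt does not include that line.
        "dnssec": fields.get("DNSSEC", "not reported"),
    }


if __name__ == "__main__":
    # Reference date chosen to match the dig output shown later in the article.
    print(summarize_whois(SAMPLE_WHOIS, "2024-03-27"))
```

Feed it real output with `whois example.org | python3 whois_summary.py`-style plumbing (reading stdin instead of `SAMPLE_WHOIS`) and the same functions work unchanged; registries differ in key spelling, so check `parse_whois()` output for the TLDs you care about before relying on the two date keys.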
2. Using nslookup
nslookup is a network administration command-line tool used for querying Domain Name System (DNS) servers to obtain domain name or IP address mapping information. For DNS reconnaissance, nslookup can help identify DNS records associated with a domain, revealing subdomains, mail servers, and name servers.
You can perform a basic DNS lookup without using any arguments:
# nslookup comptia.org
To find the domain name associated with an IP address:
nslookup <IP Address>
To query a specific DNS server for information about a domain:
nslookup example.com 8.8.8.8
To find mail servers for a domain:
nslookup -type=mx <domain>
To query nameserver of a domain:
nslookup -query=ns <domain>
3. Zone Transfers
A DNS zone transfer (AXFR) is a transaction that is intended to be used to replicate DNS databases between DNS servers. Of course, this means that the information contained in a zone transfer can provide a wealth of information to a penetration tester and that most DNS servers will have zone transfers disabled or well protected.
A zone transfer will show you quite a bit of data, including the name server, primary contact, serial number, time between changes, the minimum time to live for the domain, MX records, latitude and longitude, and other TXT records, which can show a variety of useful information.
Some commands you can use to test for this:
# Using host command
host -t axfr domain.name dns-server
# Using dig command
dig axfr @target.nameserver.com domain.name
I will use the zonetransfer.me domain with the dig command to get the nameserver details:
└─# dig -t ns zonetransfer.me

; <<>> DiG 9.19.19-1-Debian <<>> -t ns zonetransfer.me
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49909
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;zonetransfer.me.               IN      NS

;; ANSWER SECTION:
zonetransfer.me.        600     IN      NS      nsztm2.digi.ninja.
zonetransfer.me.        600     IN      NS      nsztm1.digi.ninja.

;; ADDITIONAL SECTION:
nsztm2.digi.ninja.      600     IN      A       34.225.33.2

;; Query time: 964 msec
;; SERVER: 192.168.0.1#53(192.168.0.1) (UDP)
;; WHEN: Wed Mar 27 12:37:12 EDT 2024
;; MSG SIZE  rcvd: 112
Now that we have the NS details, we will use that for full zone transfer:
└─# dig axfr zonetransfer.me @nsztm1.digi.ninja

; <<>> DiG 9.19.19-1-Debian <<>> axfr zonetransfer.me @nsztm1.digi.ninja
;; global options: +cmd
zonetransfer.me.        7200    IN      SOA     nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me.        300     IN      HINFO   "Casio fx-700G" "Windows XP"
zonetransfer.me.        301     IN      TXT     "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me.        7200    IN      MX      0 ASPMX.L.GOOGLE.COM.
zonetransfer.me.        7200    IN      MX      10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me.        7200    IN      MX      10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me.        7200    IN      MX      20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me.        7200    IN      MX      20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me.        7200    IN      MX      20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me.        7200    IN      MX      20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me.        7200    IN      A       5.196.105.14
zonetransfer.me.        7200    IN      NS      nsztm1.digi.ninja.
zonetransfer.me.        7200    IN      NS      nsztm2.digi.ninja.
...
Here we get a large dump of data that tells us a lot about the domain. You can read more at https://digi.ninja/projects/zonetransferme.php
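When an AXFR against one of your own nameservers succeeds, the next question is what it actually exposed. The following is an added example, not code from the original article or from the zonetransfer.me project: it parses dig's AXFR output into records, splits the SOA into its named fields (serial, refresh, retry, expire, minimum TTL, which the text above describes informally), and produces a short audit report listing record counts, hostnames, and findings for record types that disclose host or software details (HINFO, TXT, RP, LOC) and for names that resolve to internal addresses. The sample zone is constructed from the `dig axfr zonetransfer.me` excerpt shown above, plus one invented line (`office.zonetransfer.me` mapping to `10.0.0.5`, not from the page) so the internal-address check has something to find.

```python
import ipaddress
from collections import Counter

# Sample zone dump: records from the `dig axfr zonetransfer.me` excerpt shown above, plus one
# constructed line (office.zonetransfer.me -> 10.0.0.5, NOT from the page) to exercise the
# internal-address check.
SAMPLE_AXFR = """\
; <<>> DiG 9.19.19-1-Debian <<>> axfr zonetransfer.me @nsztm1.digi.ninja
;; global options: +cmd
zonetransfer.me.        7200 IN SOA   nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me.        300  IN HINFO "Casio fx-700G" "Windows XP"
zonetransfer.me.        301  IN TXT   "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me.        7200 IN MX    0 ASPMX.L.GOOGLE.COM.
zonetransfer.me.        7200 IN MX    10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me.        7200 IN A     5.196.105.14
zonetransfer.me.        7200 IN NS    nsztm1.digi.ninja.
zonetransfer.me.        7200 IN NS    nsztm2.digi.ninja.
office.zonetransfer.me. 7200 IN A     10.0.0.5
"""

# Record types whose presence in a zone typically leaks host, software or contact details.
DISCLOSING_TYPES = {"HINFO", "TXT", "RP", "LOC"}


def parse_axfr(text):
    """Parse dig's AXFR output into a list of records; comment lines (';') are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        parts = line.split(None, 4)  # name ttl class type rdata (rdata keeps its spaces)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, ttl, _, rtype, rdata = parts
        records.append({"name": name.rstrip("."), "ttl": int(ttl),
                        "type": rtype, "rdata": rdata.strip()})
    return records


def parse_soa(rdata):
    """Split SOA rdata into its named fields, in RFC 1035 order."""
    mname, rname, serial, refresh, retry, expire, minimum = rdata.split()
    return {"mname": mname, "rname": rname, "serial": int(serial),
            "refresh": int(refresh), "retry": int(retry),
            "expire": int(expire), "minimum": int(minimum)}


def audit_zone(records):
    """Summarize what a successful AXFR exposed: record counts, hostnames, and findings
    for disclosing record types and for names pointing at private (RFC 1918 / ULA) space."""
    findings = []
    for r in records:
        if r["type"] in DISCLOSING_TYPES:
            findings.append(f"{r['type']} on {r['name']}: {r['rdata']}")
        if r["type"] in ("A", "AAAA"):
            try:
                if ipaddress.ip_address(r["rdata"]).is_private:
                    findings.append(f"{r['name']} resolves to internal address {r['rdata']}")
            except ValueError:
                pass  # malformed rdata; leave it out of the findings
    return {
        "counts": dict(Counter(r["type"] for r in records)),
        "hostnames": sorted({r["name"] for r in records}),
        "findings": findings,
    }


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print("SOA:", parse_soa(recs[0]["rdata"]))
    report = audit_zone(recs)
    print("record counts:", report["counts"])
    for finding in report["findings"]:
        print("finding:", finding)
```

Against a real server, pipe `dig axfr yourzone.example @your-ns` into `parse_axfr()`; an empty record list together with a `Transfer failed.` line in dig's output means the server refused the transfer, which is the state you want every authoritative server you operate to be in for unauthenticated clients.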