The first question you might have when discussing DNS enumeration is: “What exactly is a DNS server, and why are we trying to enumerate information from this server?”
DNS Servers
DNS servers resolve domain names and hostnames to the respective IP addresses. They are like the soul of the internet, directing a domain name to the specific web server. For example, when you type on your web browser google.com, that query is first sent to a DNS server which resolves google.com to its IP address. A request is then made to that IP address, and the web page is loaded on your browser.
DNS Enumeration
Unfortunately, DNS is one of the most exploited protocols. DNS enumeration or DNS interrogation is the process and technique of acquiring information from DNS servers. This information includes computer names, mail servers, IP addresses, associated nameservers, and other DNS records.
Common Types of DNS Records
- A record: Holds the IP address associated with the domain in question.
- CNAME record: Maps one domain to another. The most popular is mapping www.your_domain.com to your_domain.com.
- MX record: Specifies the servers that handle emails from a particular domain.
- TXT record: Enables an admin to store text notes on the server.
- NS record: This record specifies the authoritative nameserver for your DNS zone.
- SOA record: Known as the “Start of Authority” record. It stores all critical information about a domain. That includes admin email, domain last update, etc.
- SRV record: This record specifies servers running particular services.
- PTR record: Also known as pointer records. It is used in reverse DNS lookups.
Tools for DNS Enumeration
There are several tools that you can use for DNS enumeration. Luckily, most of these tools come pre-installed on security-focused distributions like Kali Linux or Parrot. This post will look at five tools you can use for DNS enumeration.
- NMAP
- DNSEnum
- DNSRecon
- Host Command
- NsLookup
Let’s get started.
1. NMAP
NMAP is a security tool mainly used for Network scanning and Port discovery. It also comes with various scripts that you can use to carry out penetration testing on multiple services. For example, the below command will list all the NMAP scripts for DNS enumeration.
ls -al /usr/share/nmap/scripts/ | grep -e "dns-"
We will not look at all the scripts but two that this post found most reliable for enumerating DNS servers.
- broadcast-dns-service-discovery
- dns-brute
1.1 Broadcast-dns-service-discovery Script
This script discovers the services advertised through the DNS Service Discovery (DNS-SD) protocol. It sends multicast DNS-SD queries and collects all the responses it receives. This is done in two steps: the script first sends a query for _services._dns-sd._udp.local, which lists all the advertised service types, and then sends a follow-up query for each listed service to collect more information about it.
Below is an example command using the Nmap broadcast-dns-service-discovery script to perform DNS enumeration.
nmap --script=broadcast-dns-service-discovery [target-domain]
e.g. nmap --script=broadcast-dns-service-discovery example.com
1.2 dns-brute Nmap Script
As the name suggests, this script performs a brute-force on the server to try and get all the hostnames. This script is quite efficient for DNS enumerations as it also takes multiple arguments, as listed below.
- dns-brute.domain: Sets the domain name to brute-force if no host is specified.
- dns-brute.hostlist: Passes a list of host strings to try.
- dns-brute.srv: Also looks up SRV records.
- dns-brute.srvlist: Passes a list of SRV record names to try.
- dns-brute.threads: Specifies the number of threads to use for enumeration.
This post will not pass any arguments and will use the dns-brute script alone. See the command below.
nmap -T4 -p 53 --script dns-brute [target-domain]
e.g. nmap -T4 -p 53 --script dns-brute example.com
The image above shows you all the hostnames we were able to enumerate.
2. DNSEnum
DNSEnum is a powerful Perl script that performs DNS enumerations on domain names. Some of the tasks that you can accomplish with this tool include:
- Enumerate hostnames
- Enumerate “A” records
- Enumerate MX records
- Make AXFR queries
- Brute-force subdomains
- Reverse lookups
The DNSEnum command below performs a DNS enumeration but skips reverse lookups because of the --noreverse argument. The output is stored in an XML file.
dnsenum --noreverse -o mydomain.xml [target-domain]
e.g. dnsenum --noreverse -o mydomain.xml youtube.com
This tool is quite reliable. From the image above, you can see that we were able to enumerate hostnames, nameservers, mail servers, CNAME records, etc.
To see all the options available in this script, execute the command below.
dnsenum --help
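The dns-brute script above and the AXFR step of DNSEnum both leave a distinctive trace in the authoritative server's logs. As an added example (not from the original post), the following Python script parses BIND 9 query-log lines and flags a client that asks for many distinct names under one zone, or that requests a zone transfer. The log lines, client addresses and threshold are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample traffic, not a real capture: client 192.0.2.10 queries a
# wordlist of labels under example.com (the pattern dns-brute produces) and
# then requests a zone transfer (what DNSEnum's AXFR step looks like);
# 198.51.100.7 is an ordinary client resolving two names.
WORDLIST = ["www", "mail", "ftp", "dev", "staging", "vpn", "test",
            "admin", "ns1", "ns2", "api", "portal"]
EVENTS = [("192.0.2.10", f"{label}.example.com", "A") for label in WORDLIST]
EVENTS += [("192.0.2.10", "example.com", "AXFR"),
           ("198.51.100.7", "www.example.com", "A"),
           ("198.51.100.7", "example.com", "MX")]

def bind_query_line(ip, name, qtype):
    """Render one event in BIND 9 query-log format (timestamp is fixed)."""
    return (f"25-Nov-2023 10:15:01.101 client @0x7f3c1c0b5ea0 {ip}#51234 "
            f"({name}): query: {name} IN {qtype} +E(0)K (203.0.113.5)")

SAMPLE_LOG = "\n".join(bind_query_line(*e) for e in EVENTS)

# Tolerates both the older format (no @0x... pointer) and the newer one.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\([^)]*\): query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)")

def parse_query_log(text):
    """Yield (client_ip, qname, qtype) for every line that matches the format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["name"].rstrip(".").lower(), m["qtype"]

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def detect_enumeration(text, zone, brute_threshold=10):
    """Return {client_ip: set of findings} for queries touching `zone`.
    A client asking for >= brute_threshold distinct names under the zone is
    flagged as brute-forcing; any AXFR request is flagged separately."""
    names_per_client = defaultdict(set)
    findings = defaultdict(set)
    for ip, name, qtype in parse_query_log(text):
        if not in_zone(name, zone):
            continue
        if qtype == "AXFR":
            findings[ip].add("zone-transfer-attempt")
        elif name != zone:
            names_per_client[ip].add(name)
    for ip, names in names_per_client.items():
        if len(names) >= brute_threshold:
            findings[ip].add("subdomain-brute-force")
    return dict(findings)
```

Feed it real query-log lines (and a threshold tuned to your zone's normal traffic) to spot enumeration attempts against your own nameservers.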
3. DNSRecon
DNSRecon is another powerful utility used to perform DNS enumeration. This tool is pre-installed on penetration testing distributions like Kali Linux or Parrot. To list all the available options for DNSRecon, execute the command below.
dnsrecon --help
Let’s carry out a simple DNS enumeration using the DNSRecon tool. Execute the command below.
dnsrecon -d [target-domain]
e.g. dnsrecon -d youtube.com
4. Host Command
The host command is widely used to determine the IP address of a domain name. For example, the command below shows the IP address of Youtube.
host youtube.com
The host command takes the -t argument that allows you to specify what information you want to get from the domain name. For example, to enumerate nameservers, you will run the command below.
host -t ns youtube.com
Use the -t mx argument to enumerate MX records as shown below.
5. NsLookup
NsLookup is another tool you can use for DNS enumeration and comes pre-installed on Kali Linux. Execute the nslookup command on your terminal without passing any arguments, as shown below.
nslookup
That will open an interactive shell where you can execute commands using NsLookup. To enumerate nameservers, first set the record type and then enter the domain, hitting enter after each command.
set type=ns
[target-domain]
To enumerate MX records, set the type to “mx”, as shown in the image below.
To close the interactive shell, type exit and hit enter.
Wrapping Up
This post has given you five methods that you can use to perform DNS enumeration on a host or domain. Although DNS information alone is not enough to launch a cyber attack, attackers can use it to estimate how large an organization is, and the number of sub-domains it reveals may also increase the attack surface. Do you have any questions or comments regarding this post? Feel free to let us know in the comments below.