DNS Enumeration and Tools


Finding every DNS server and the associated entries for an organisation is known as DNS enumeration. Both internal and external DNS servers that a business may have can provide data on possible target systems, including IP addresses, usernames, and machine names. Numerous tools are available for gathering data needed to carry out DNS enumeration.


DNS Zone Transfer

Moving a copy of the DNS zone file from the primary DNS server to the secondary DNS server is known as DNS zone transfer. For redundancy, the primary DNS server typically has a backup or secondary server containing all the data kept on the original server. 

To find the DNS server and gain access to the target organization's records, an attacker uses DNS zone transfer enumeration. Attackers can use DNS zone transfers to gain DNS server names, hostnames, machine names, usernames, IP addresses, aliases, and other information assigned within a target domain if the DNS server of the target organisation permits them. 

To perform a DNS zone transfer, the attacker sends a zone-transfer request to the DNS server pretending to be a client; the DNS server then sends a portion of its database as a zone to the attacker. This zone may contain a large amount of information about the DNS zone network. 

COMMANDS

  • dig command on Linux is used by attackers to retrieve information about the target. Command: dig ns <target domain>. This command retrieves all the DNS name servers of the target domain. Next, the attacker uses the name servers from the output to test whether the target DNS allows zone transfers. Command: dig @<domain of name server> <target domain> axfr. (AXFR is the query type that requests a full zone transfer; it is tried against each NS server found in the previous step.)
  • dnsrecon command on Linux is used by the attacker to test zone transfer against all NS records of the target domain. Command: dnsrecon -t axfr -d <target domain>
  • nslookup command on Windows is used to query the DNS name servers and retrieve information about the target. The figure below shows the commands; the red boxes mark the commands that need to be entered. Replace hackhunt.in with the target domain.

DNS Cache Snooping

One kind of DNS enumeration technique is DNS cache snooping, in which an attacker queries the DNS server for a particular cached DNS record. From this cached data the attacker can identify websites that users have recently visited, and can use that information in a social engineering attack on the intended user. Attackers perform DNS cache snooping using tools such as dig, DNS Snoop Dogg, and DNSRecon. The following two DNS cache snooping methods are used to snoop on a target domain:

Non-recursive Method

By setting the Recursion Desired (RD) bit in the query header to zero, attackers send a non-recursive query, so the DNS server answers only from its own cache rather than resolving the name on the attacker's behalf. If the requested record is in the cache, the DNS server returns it, indicating that a system user has visited the requested domain. If not, the DNS server replies with either the root.hints file, which contains details of all root DNS servers, or a referral to another DNS server that can answer the query. Command: dig @<IP of DNS server> <target domain> A +norecurse

Recursive Method

The recursive method uses the time-to-live (TTL) field to determine how long the DNS record has been cached. The TTL value returned in the result is compared with the TTL value initially set for the record at its authoritative server. If the TTL in the result is lower than the initial TTL, the record is cached, indicating that someone on the system has visited that site. Command: dig @<IP of DNS server> <target domain> A +recurse

DNSSEC Zone Walking

If the DNS zone is not set up correctly, an attacker may try to get internal records by using the Domain Name System Security Extensions (DNSSEC) zone walking approach. The attacker can create a map of the host network with the help of the enumerated zone information.

TOOLS

  • ldns-walk command on Linux enumerates the DNSSEC zone and returns the DNS records it finds. Command: ldns-walk @<IP of DNS Server> <Target Domain>. Google's public resolver, 8.8.8.8, can be used as the DNS server IP.
  • dnsrecon command on Linux assists users in enumerating DNS records such as A, AAAA, and CNAME. Command: dnsrecon -d <target domain> -z.

COUNTERMEASURES

  • Disable DNS zone transfers to untrusted hosts. 
  • Ensure that the private hosts and their IP addresses are not published in the DNS zone files of the public DNS server.
  • Use premium DNS registration services that hide sensitive information such as host information (HINFO) from the public. 
  • Use standard network admin contacts for DNS registrations to avoid social engineering attacks. 
  • Prune DNS zone files to prevent revealing unnecessary information. 
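A zone-file audit in the spirit of the countermeasures above, added here as an example and not part of the original post: it parses records in the format `dig @<name server> <domain> axfr` prints and flags internal (RFC 1918 / unique-local) addresses, HINFO records, and aliases that point at internal hosts. The zone, hostnames and addresses below are constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the format `dig @<name server> <domain> axfr` prints;
# hostnames and addresses are made up for this example, not a real organisation.
SAMPLE_ZONE = """\
example.com.          3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.          3600 IN NS    ns1.example.com.
ns1.example.com.      3600 IN A     203.0.113.10
www.example.com.      300  IN A     203.0.113.20
intranet.example.com. 300  IN A     10.0.5.25
vpn.example.com.      300  IN AAAA  fd00:1::42
db01.example.com.     300  IN HINFO "Intel x86_64" "Ubuntu 22.04"
printer.example.com.  300  IN CNAME intranet.example.com.
"""

# RFC 1918 IPv4 ranges plus RFC 4193 unique-local IPv6: none belong in a public zone.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def parse_zone(text):
    """Turn zone-file style lines into (name, ttl, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:  # blank lines and dig's ';' comment lines simply do not match
            name, ttl, rtype, rdata = m.groups()
            records.append((name, int(ttl), rtype, rdata))
    return records

def is_internal(addr_text):
    """True when the address is in an RFC 1918 or unique-local range."""
    addr = ipaddress.ip_address(addr_text)
    return any(addr in net for net in INTERNAL_NETS)  # v4-vs-v6 mismatch is False

def audit_zone(text):
    """Return (name, type, reason) findings for records that leak internal detail."""
    records = parse_zone(text)
    findings, internal_hosts = [], set()
    for name, _, rtype, rdata in records:          # pass 1: address and HINFO records
        if rtype in ("A", "AAAA") and is_internal(rdata):
            internal_hosts.add(name)
            findings.append((name, rtype, f"internal address {rdata} published"))
        elif rtype == "HINFO":
            findings.append((name, rtype, "HINFO reveals hardware/OS details"))
    for name, _, rtype, rdata in records:          # pass 2: aliases to internal hosts
        if rtype == "CNAME" and rdata in internal_hosts:
            findings.append((name, rtype, f"alias points at internal host {rdata}"))
    return findings
```

Run `audit_zone` over the saved output of a transfer from your own name server; an empty result means no internal addresses, HINFO records or aliases to internal hosts are being served.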
