Decoding DNS : Penetration Tester’s Journey with dig

RED TEAM | Malforge Group
11 min read · Feb 3, 2024


“dig: Hacker’s Digital Compass.”

Hello Cyber Voyager,

In today's article I'm going to explain a powerful tool that you may or may not have used: `dig`.

INDEX

1. Use cases of dig commands (basic to advanced)

2. Sensitive DNS information, attack methods and potential attack vectors

3. Advanced tools used for DNS scanning, exploitation and vulnerability assessment [S.E.V]


The dig tool, whose name stands for "domain information groper", is a versatile command-line utility for querying DNS (Domain Name System) servers, and it serves many more purposes that you are going to see below.

Hackers and penetration testers utilize the dig tool for various purposes related to DNS reconnaissance and analysis.

The main use cases of dig are:

  1. Information Gathering
  2. Subdomain Enumeration
  3. Zone Transfer Attempts
  4. Detecting DNS Misconfigurations
  5. Reverse DNS Lookups
  6. DNSSEC Analysis
  7. Querying Specific DNS Servers
  8. Troubleshooting DNS Issues

Let's move on to the commands that squeeze the maximum information out of a target (as a hacker or bug hunter) : )

Basic DNS Queries

  • Retrieve the IP address associated with a domain.
  • Find the authoritative name servers for a domain.
  • Obtain information about mail exchange servers (MX records) for a domain.
1. Retrieve the IP Address Associated with a Domain:

dig example.com

This command will retrieve the default DNS information for the domain example.com, including its IP address (A record).

2. Find the Authoritative Name Servers for a Domain:

dig example.com NS

This command returns the NS records for example.com, that is, the names of the servers that are authoritative for the zone. Those are the servers you query directly later on (zone transfers, version strings), so this is usually the first command in any DNS recon.

3. Obtain Information about Mail Exchange Servers (MX Records) for a Domain:

dig example.com MX

This command retrieves the Mail Exchange (MX) records for the domain example.com, providing information about the mail servers associated with the domain.

Querying Specific Record Types

Specify the type of DNS record to query (A, AAAA, MX, TXT, etc.).

1. Querying A (IPv4) Records

dig example.com A

This command retrieves the IPv4 address (A record) for the domain example.com.

2. Querying AAAA (IPv6) Records

dig example.com AAAA

This command retrieves the IPv6 address (AAAA record) for the domain example.com

3. Querying MX (Mail Exchange) Records

dig example.com MX

This command retrieves the Mail Exchange (MX) records for the domain example.com, providing information about mail servers.

4. Querying TXT Records

dig example.com TXT

This command retrieves the text (TXT) records associated with example.com. TXT records carry free-form data and often hold security-relevant policy: SPF (v=spf1 ...) for email authentication, domain-verification tokens that reveal which third-party services the organisation uses, and, under their own names, DKIM (selector._domainkey.example.com) and DMARC (_dmarc.example.com) records.
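The TXT record a tester cares most about is SPF, and reading it by eye is error-prone. The shell function below is an added example (not code from the original article): it takes the output of `dig +short example.com TXT` on standard input, joins multi-string records, lists every SPF term, counts the terms that cost a DNS lookup (RFC 7208 allows at most ten; the count here is a lower bound because include targets are not expanded), and calls out an `all` qualifier that lets anyone send mail as the domain. The records at the bottom are constructed, not real example.com data.

```shell
#!/bin/sh
# spf_audit: read `dig +short <domain> TXT` output on stdin and audit the SPF record.
# Added example; the input at the bottom is constructed, not live DNS data.
spf_audit() {
    awk '
    /^"/ {
        line = $0
        gsub(/" "/, "", line)      # dig prints long TXT records as several quoted strings; join them
        gsub(/"/, "", line)
        if (line !~ /^v=spf1( |$)/) next
        spf_count++
        lookups = 0; allq = ""
        n = split(line, tok, " ")
        for (i = 2; i <= n; i++) {
            t = tok[i]
            q = substr(t, 1, 1)
            # the qualifier is optional and defaults to "+" (pass)
            if (q == "+" || q == "-" || q == "~" || q == "?") t = substr(t, 2); else q = "+"
            name = t; sub(/[:=].*/, "", name)
            arg = substr(t, length(name) + 2)
            if (name == "all") { allq = q; continue }
            # terms that trigger DNS lookups count towards the RFC 7208 limit of 10
            if (name ~ /^(include|a|mx|ptr|exists|redirect)$/) lookups++
            if (arg != "") print name, arg; else print name
        }
        print "lookups", lookups, (lookups > 10 ? "TOO-MANY" : "ok")
        if (allq == "-") print "all hardfail"
        else if (allq == "~") print "all softfail"
        else if (allq == "+") print "all PERMISSIVE (+all accepts every sender)"
        else if (allq == "?") print "all PERMISSIVE (?all is neutral)"
        else print "all PERMISSIVE (no all term, result defaults to neutral)"
    }
    END {
        if (spf_count == 0) print "spf-records 0 (no SPF: nothing stops spoofing)"
        else print "spf-records", spf_count, (spf_count > 1 ? "INVALID (must be exactly one)" : "ok")
    }'
}

# Constructed sample in the exact shape `dig +short example.com TXT` prints.
spf_audit <<'EOF'
"v=spf1 include:_spf.example.net ip4:192.0.2.0/24 mx -all"
"google-site-verification=constructed-sample-token"
EOF
```

Live use is `dig +short target.example TXT | spf_audit`. A PERMISSIVE verdict, a missing record or more than one `v=spf1` record is a reportable finding; for the true lookup count, run the function again on each include target.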

5. Querying CNAME (Canonical Name) Records

dig example.com CNAME

This command asks for the Canonical Name (CNAME) record of example.com, which would mark the name as an alias for another name. A zone apex such as example.com cannot carry a CNAME, so in practice you query a hostname (www.example.com). A CNAME that points at a third-party host nobody has claimed is the classic subdomain-takeover indicator.

6. Querying NS (Name Server) Records

dig example.com NS

This command retrieves the authoritative Name Server (NS) records for the domain example.com.

7. Querying SOA (Start of Authority) Records

dig example.com SOA

This command retrieves the Start of Authority (SOA) record for example.com: the primary name server, the responsible contact mailbox (with the @ written as a dot), the zone serial number, and the refresh, retry, expire and minimum timers. The serial and primary name are useful when comparing what each authoritative server is serving.

8. Querying SRV (Service) Records

dig _service._protocol.example.com SRV

This command queries for Service (SRV) records, which live under names of the form _service._protocol.zone, for example _ldap._tcp.example.com or _sip._tcp.example.com. Each answer carries a priority, weight, port and target host, which makes SRV records a quick way to find directory, VoIP or chat infrastructure that has no ordinary hostname.

Reverse DNS Lookup

Find the domain name associated with a given IP address.

dig -x 8.8.8.8

In this command, replace 8.8.8.8 with the actual IP address you want to perform the reverse DNS lookup on. The -x option instructs dig to perform a reverse lookup, and it will return the associated domain name (PTR record) for the specified IP address.

Keep in mind that not all IP addresses have reverse DNS records, and the information returned depends on the configuration of the DNS server that manages the reverse zone for the IP range. That zone is usually run by the ISP or hosting provider rather than by the target, so the name that comes back often reveals the hosting platform rather than the target's own naming.

1. Reverse DNS Lookup with Shortened Output for an IPv4 Address

dig +short -x 208.67.222.222

2. Reverse DNS Lookup with Custom DNS Server for IPv6 Address

dig +short @8.8.8.8 -x 2699:120f:a200::6011:a567

3. Reverse DNS Lookup for an IPv6 Address

dig +short -x 2478:142f:a467::6031:a867

This command performs a reverse DNS lookup for the specified IPv6 address: dig expands it to 32 hex nibbles, reverses them under ip6.arpa and queries the PTR record. The +short option displays only the resolved name without the surrounding sections.
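What `-x` actually does is build the reverse name for you: the four IPv4 octets are reversed under in-addr.arpa, and an IPv6 address is expanded to 32 hex nibbles that are reversed under ip6.arpa. The functions below reproduce that construction in POSIX shell and awk, and reject malformed input (an octet above 255, or an IPv6 string that does not expand to 128 bits). This is an added example, not code from the original article; the addresses are documentation ranges, not real targets, and `ptr_lookup` is the only part that touches the network.

```shell
#!/bin/sh
# Build the PTR owner names that `dig -x` derives from an address.
# Added example; the addresses below are documentation ranges, not real targets.

# 192.0.2.1 -> 1.2.0.192.in-addr.arpa.   (prints nothing and fails on a bad octet)
ptr_name_v4() {
    printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    {
        for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
        print $4 "." $3 "." $2 "." $1 ".in-addr.arpa."
    }'
}

# 2001:db8::1 -> 1.0.0.0. ... .2.ip6.arpa.  (expands "::", pads groups to 4 nibbles, reverses)
ptr_name_v6() {
    printf '%s\n' "$1" | awk '
    function pad(g) { while (length(g) < 4) g = "0" g; return g }
    {
        n = split(tolower($0), parts, "::")
        if (n > 2) exit 1                     # at most one "::" is allowed
        nl = split(parts[1], left, ":")
        nr = (n == 2) ? split(parts[2], right, ":") : 0
        missing = (n == 2) ? 8 - nl - nr : 0  # groups compressed away by "::"
        hex = ""
        for (i = 1; i <= nl; i++) hex = hex pad(left[i])
        for (i = 0; i < missing; i++) hex = hex "0000"
        for (i = 1; i <= nr; i++) hex = hex pad(right[i])
        if (length(hex) != 32 || hex !~ /^[0-9a-f]+$/) exit 1
        out = ""
        for (i = 32; i >= 1; i--) out = out substr(hex, i, 1) "."
        print out "ip6.arpa."
    }'
}

# Query the PTR record by hand; equivalent to `dig -x <addr>` (needs dig and network).
ptr_lookup() {
    name=$(ptr_name_v4 "$1" || ptr_name_v6 "$1") || { echo "invalid address: $1" >&2; return 1; }
    dig +short "$name" PTR
}

ptr_name_v4 192.0.2.1
ptr_name_v6 2001:db8::1
ptr_name_v4 192.0.2.300 || echo "rejected: 300 is not a valid octet"
```

Knowing the name dig sends is handy when a provider's reverse zone is delegated on non-octet boundaries (RFC 2317 style CNAME chains under in-addr.arpa), because then `dig <name> PTR +trace` shows you exactly which server is failing to answer.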

DNS Query for a Specific DNS Server

1. DNS Query for www.example.com using the specific DNS server a5-29.akam.net

dig +short @a5-29.akam.net www.example.com

2. DNS Query for www.example.com using the specific DNS server 8.8.8.8

dig +short @8.8.8.8 www.example.com

This command queries the DNS server at IP address 8.8.8.8 for the IP address of www.example.com.

3. DNS Query for ftp.example.net using the specific DNS server 208.67.222.222

dig +short @208.67.222.222 ftp.example.net

Displaying Additional Information

Use various options like +short for concise output, and +stats for query time statistics.

1. Displaying Concise Output with +short

dig +short example.com

The +short option provides a concise output, showing only the essential information, such as the IP address associated with the domain example.com.

2. Displaying Query Time Statistics with +stats

dig example.com +stats

The statistics block (query time, the server that answered, the timestamp and the message size) is printed by default at the end of dig's output; +stats is the explicit form and +nostats suppresses it. The Query time value is the one to watch when you want to know whether an answer came from a resolver's cache or from a fresh lookup.

Querying Specific DNS Servers

Direct the query to a specific DNS server using the @ syntax.

dig example.com @8.8.8.8

In this command, replace example.com with the domain you want to query, and 8.8.8.8 with the IP address of the DNS server you want to direct the query to. The server may also be given as a hostname, which dig first resolves through the system's normal resolver. Querying the target's own authoritative servers directly, instead of a public recursive resolver, shows you what the zone actually contains rather than what a cache remembers.

Setting Query Parameters

Set query timeouts (+timeout option). Specify the query port (-p option).

1. Setting Query Timeouts with +timeout

dig example.com +timeout=5

This command sets the per-query timeout to 5 seconds, which is also dig's default; if no response arrives within that time, dig retries and then gives up. When sweeping many servers, use a smaller value together with +tries=1 so that dead hosts fail fast instead of stalling the scan.

2. Specify the Query Port with -p

dig example.com -p 5353

This command sends the query to port 5353 instead of the default DNS port (53). The -p option is what you need for a name server reached through an SSH port-forward or for a test instance running on an unprivileged port.

Advanced Query Features

  • Perform DNS trace queries (+trace option) to show the resolution path.
  • Utilize Extension Mechanisms for DNS (EDNS) with the +edns option.
  • Enable DNS Security Extensions (DNSSEC) with the +dnssec option.
1. Performing DNS Trace Queries with +trace

dig +trace example.com

This command performs an iterative trace for example.com: dig ignores the local resolver, starts at the root servers and follows each referral down to the authoritative name servers, printing every delegation on the way. It is the quickest way to see which servers are really authoritative for a zone and whether the parent-side NS records disagree with the child zone's own.

2. Utilizing Extension Mechanisms for DNS (EDNS) with +edns

dig example.com +edns=0

This command utilizes Extension Mechanisms for DNS (EDNS) by specifying the EDNS version (in this case, version 0) in the DNS query. EDNS allows for additional features and larger payload sizes in DNS responses.

3. Enabling DNS Security Extensions (DNSSEC) with +dnssec

dig example.com +dnssec

This command sets the DNSSEC OK (DO) bit so that the server includes the RRSIG signatures (and DNSKEY or DS records when those types are requested) in its response. dig displays that material; it does not verify the signatures itself, as the dedicated DNSSEC section below explains.

Displaying TTL (Time to Live) Information

View TTL values for DNS records.

dig example.com +noquestion +nocomments +noauthority +noadditional +stats

In this command:

  • +noquestion, +nocomments, +noauthority, +noadditional suppress the question, comment, authority and additional sections, leaving only the ANSWER section and the trailing statistics.
  • +stats keeps the statistics block, which dig prints by default anyway.

The TTL is the second column of every record line in the ANSWER SECTION (owner name, TTL, class, type, data); it is not part of the statistics block. A recursive resolver returns the remaining TTL of its cached copy, counting down towards zero, so run the same query against an authoritative server to see the configured value. The shortest form for just the records is dig example.com +noall +answer, and +ttlunits prints the TTL as 1h or 2d instead of raw seconds.

Querying Multiple Record Types

Request information on several DNS record types in a single invocation.

dig example.com A example.com MX example.com TXT +noall +answer

dig treats each name on the command line as a new query and the type that follows it as that query's type, so the three lookups above run in one process. Writing dig example.com A MX TXT does not do what it looks like: a type given after another type replaces it, and only the last one is sent. The invocation above requests three record types:

  1. A (IPv4) records: the IP address associated with the domain.
  2. MX (Mail Exchange) records: the mail servers for the domain.
  3. TXT records: text records, which can include SPF data for email authentication.

The ANY query type is not a shortcut for this: RFC 8482 lets servers answer it with a minimal response, and most public resolvers do.

Querying with DNSSEC

Request DNSSEC signatures and security-related records with the +dnssec option.

Here's an example of a dig command for querying with DNSSEC.

dig example.com +dnssec

In this command, replace example.com with the domain you want to query. The +dnssec option sets the DO bit in the EDNS header, so the server includes the RRSIG records that sign each answer set (and the DNSKEY and DS records when you ask for those types). dig displays this material; it does not check the signatures. Validation is done by a validating recursive resolver, which signals success by setting the ad (authenticated data) flag in the header and signals failure by answering SERVFAIL.

So the working check is: query through a validating resolver, look for ad in the flags line, and if you get SERVFAIL repeat the query with +cd (checking disabled). Data that appears only with +cd is bogus, meaning the chain of trust is broken or the response was tampered with on the way. Unsigned zones show no RRSIG at all and never get ad. The old +sigchase option that made dig validate on its own has been removed from current BIND releases; delv, which ships with BIND, does local validation today.
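The practical test is therefore not whether RRSIG records appear but whether a validating resolver set the ad flag, and, when it answers SERVFAIL, whether the same query succeeds with +cd. The functions below are an added example, not code from the original article: `dnssec_status` classifies one complete `dig +dnssec` output read from standard input, and `dnssec_verdict` combines the plain and +cd results. The two transcripts at the bottom are constructed to look like dig's output, with the signature data shortened.

```shell
#!/bin/sh
# Classify a `dig <name> +dnssec` output (read on stdin) as
#   validated / signed-not-validated / unsigned / servfail
# Added example; dig never validates on its own, the resolver's "ad" flag does.
dnssec_status() {
    awk '
    /^;; ->>HEADER<<-/ && /status: SERVFAIL/ { servfail = 1 }
    /^;; flags:/ {
        f = $0; sub(/^;; flags: /, "", f); sub(/;.*$/, "", f)
        n = split(f, flag, " ")
        for (i = 1; i <= n; i++) if (flag[i] == "ad") ad = 1
    }
    /^;/ { next }                    # comment lines carry no records
    $4 == "RRSIG" { rrsig = 1 }      # record lines: owner TTL class type rdata
    END {
        if (servfail) print "servfail"
        else if (ad && rrsig) print "validated"
        else if (rrsig) print "signed-not-validated"
        else print "unsigned"
    }'
}

# Combine the status of a normal query ($1) with the same query run with +cd ($2).
# A validating resolver returns SERVFAIL for data that fails validation but hands
# it over when checking is disabled; that pairing marks a bogus (broken or tampered) chain.
dnssec_verdict() {
    case "$1/$2" in
        servfail/servfail) echo "servfail-both (not a DNSSEC failure)" ;;
        servfail/*)        echo "bogus" ;;
        *)                 echo "$1" ;;
    esac
}

# Constructed sample: what a validating resolver returns for a correctly signed zone.
signed=$(dnssec_status <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.		3600	IN	A	192.0.2.1
example.com.		3600	IN	RRSIG	A 13 2 3600 20240301000000 20240201000000 4242 example.com. (signature)
EOF
)
# Constructed sample: the same resolver rejecting a zone whose signatures do not check out.
broken=$(dnssec_status <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
)
echo "signed zone:  $signed"
echo "broken chain: $(dnssec_verdict "$broken" signed-not-validated)"
```

Live use, against a validating resolver such as 8.8.8.8: `plain=$(dig @8.8.8.8 target.example +dnssec | dnssec_status)`, then `cd=$(dig @8.8.8.8 target.example +dnssec +cd | dnssec_status)` and `dnssec_verdict "$plain" "$cd"`. A result of signed-not-validated through a resolver that normally sets ad means the resolver could not build a chain of trust to the zone (typically a missing DS record at the parent), which is itself a finding.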

Specifying DNS Record Classes

Optionally specify the DNS record class, such as IN (Internet) or CH (Chaos).

1. Specify the DNS Record Class as IN (Internet)

dig example.com IN A

In this command, the IN (Internet) class is explicitly specified when querying for the A (IPv4) record for the domain example.com. While IN is the default class and is often omitted, explicitly specifying it is valid and can be useful for clarity.

2. Specify the DNS Record Class as CH (Chaos)

dig @ns1.example.com version.bind CH TXT

The CH (Chaos) class is not used for ordinary Internet data; its practical use today is server identification. BIND and several other name servers answer CH TXT queries for version.bind and hostname.bind (or id.server) with their software version and instance name, which is why a tester asks each authoritative server for them (replace ns1.example.com with the server you are testing). An exposed version string tells you which advisories to read; a hardened server either refuses CH queries or returns a fixed string set with BIND's version option.

Querying Specific DNS Server and Port

dig example.com @8.8.8.8 -p 5353

In this command:

  • example.com is the domain you want to query.
  • @8.8.8.8 specifies the DNS server to query, in this case, Google's public DNS server.
  • -p 5353 specifies the port number for the DNS query. In this example, the query is directed to port 5353 instead of the default DNS port (53).

Adjust the domain, DNS server, and port values based on your specific requirements

DNS Zone Transfer

A zone transfer (AXFR) is how a secondary name server pulls a full copy of a zone from the primary. A server that accepts AXFR from anyone hands an attacker every record in the zone at once, so it is one of the first things to check. Requesting one with dig is simple. First, get the list of authoritative name servers for the zone (the zone name, example.com, not a hostname inside it such as www.example.com):

dig +short ns example.com

ttmk3.difo.super.
ttmk5.difo.super.

(Illustrative server names; the real output lists the target's name servers.) Now ask each of those servers for a copy of the zone. Any one of them may be the misconfigured one, so try all of them, not just the first:

dig axfr example.com @ttmk3.difo.super.

or, in general:

dig axfr example.com @dns-server

  • dig: the command itself.
  • axfr: the query type, in this case a full zone transfer.
  • example.com: the zone for which you want to attempt the transfer.
  • @dns-server: the IP address or hostname of the name server to which the request is directed; AXFR runs over TCP, so port 53/tcp must be reachable.

Replace @dns-server with the actual address or hostname of the server you want to target. A successful transfer prints every record in the zone, starting and ending with the SOA record; a correctly configured server answers with "; Transfer failed." (status REFUSED). Asking a public resolver such as 8.8.8.8 never works, because a resolver is not authoritative for the zone.
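An added example, not code from the original article: the function below classifies the output of a `dig axfr` attempt read from standard input, so that a sweep over every name server of a zone can be scripted instead of eyeballed. A real transfer lists the zone's records with the SOA first and last; a refused one ends in "; Transfer failed."; anything else (a connection dropped mid-stream) is reported as partial. `axfr_sweep` is the live driver and needs network access and authorization; the transcript at the bottom is constructed.

```shell
#!/bin/sh
# axfr_result: classify `dig axfr <zone> @<server>` output read on stdin as
#   "ok <n>" (full zone, n records), "partial <n>", or "refused-or-failed".
# Added example; the transcript at the bottom is constructed, not a real zone.
axfr_result() {
    awk '
    /^; Transfer failed\./ { failed = 1 }
    /^;/ { next }                          # dig banner, comments and statistics
    NF >= 5 && $3 == "IN" {                # owner TTL class type rdata
        n++
        if (n == 1) first = $4
        last = $4
    }
    END {
        if (failed || n == 0) { print "refused-or-failed"; exit }
        if (first == "SOA" && last == "SOA") print "ok " n
        else print "partial " n
    }'
}

# Live driver: ask every listed name server for the zone, one short attempt each.
# Use only against zones you are authorized to test.
axfr_sweep() {
    zone=$1
    for ns in $(dig +short NS "$zone"); do
        printf '%s %s\n' "$ns" "$(dig +time=3 +tries=1 axfr "$zone" "@$ns" | axfr_result)"
    done
}

# Constructed transcript in the shape dig prints for a successful transfer.
axfr_result <<'EOF'
; <<>> DiG 9.18.24 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
example.com.		3600	IN	SOA	ns1.example.com. hostmaster.example.com. 2024020301 7200 3600 1209600 3600
example.com.		3600	IN	NS	ns1.example.com.
example.com.		3600	IN	NS	ns2.example.com.
ns1.example.com.	3600	IN	A	192.0.2.1
www.example.com.	3600	IN	CNAME	example.com.
example.com.		3600	IN	SOA	ns1.example.com. hostmaster.example.com. 2024020301 7200 3600 1209600 3600
;; Query time: 12 msec
;; SERVER: 192.0.2.1#53(ns1.example.com) (TCP)
;; XFR size: 6 records (messages 1, bytes 250)
EOF
printf '; Transfer failed.\n' | axfr_result
```

`axfr_sweep example.com` prints one line per name server; any line reading "ok" is a finding, and a "partial" line usually means a firewall or the server cut the TCP session, which is worth a second attempt before you write it off.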

Those are the commands through which you get the maximum output about a target ‘), but that's not the end : ) ...

Whether you are, or want to become, a black hat, grey hat or white hat hacker or a bug hunter, you must be familiar with the following concepts, and you'll undoubtedly find them intriguing.

DNS (Domain Name System) servers are critical components of the internet infrastructure, and attacks targeting them can have significant consequences. Several types of attacks exploit DNS servers.

Critical DNS information that is considered sensitive [hide it any way you can, otherwise ; )]

Sensitive DNS information that should be protected from attackers is any data that, if compromised, could lead to unauthorized access, DNS spoofing or other malicious activity. Attackers use various tools and techniques to find and exploit these details.

Sensitive DNS information and potential attack vectors:

1 Zone Files

  • Sensitivity: Zone files contain mappings between domain names and IP addresses, mail server information, and other DNS records.
  • Attack Vector: attackers attempt unauthorized zone transfers to retrieve the entire zone file from any name server that allows them. Tools like dnsrecon, dnsenum or a short loop around dig axfr automate this across every name server of the zone.

2 DNSSEC Keys

  • Sensitivity: DNSSEC signs DNS records with private keys (the zone-signing key and the key-signing key). The public halves are published in DNSKEY records by design; the private halves are the secret, and whoever holds them can sign forged records that every validating resolver will accept.
  • Attack Vector: attackers go after the key material itself (the signing host, HSM access, backups) or exploit sloppy operations such as expired signatures and botched key rollovers, which turn the zone into SERVFAIL for every validating resolver. A signed zone also leaks its contents: with NSEC, the "next name" chain lets anyone walk the whole zone (dig example.com NSEC +dnssec shows the first link); NSEC3 hashes the names, but the hashes can be collected and cracked offline against a wordlist.
  • ZoneWalking is a tool that demonstrates the zone walking attack against DNSSEC-protected zones; ldns-walk from the ldns suite does the same for NSEC chains.

3 DNS Server Configuration

  • Sensitivity: Information about DNS server configurations, including access controls and security settings.
  • Attack Vector: Attackers may use tools like nmap or dnsrecon to perform DNS reconnaissance, probing for misconfigurations or vulnerabilities in DNS servers.

4 Dynamic DNS Update Mechanisms

  • Sensitivity: Details about mechanisms allowing clients to update DNS records dynamically.
  • Attack Vector: attackers abuse zones that accept unauthenticated updates (allow-update { any; } in BIND, or Active Directory zones set to "nonsecure and secure" updates) or weak TSIG keys, and inject or overwrite records with nsupdate, which ships with BIND. Tools like dnsenum or custom scripts may help find such zones.

5 DNS Administrative Credentials

  • Sensitivity: Usernames and passwords associated with DNS administrative accounts.
  • Attack Vector: Attackers may use phishing, social engineering, or brute-force attacks to obtain administrative credentials. Tools like password-cracking tools or custom scripts may be employed.

6 Transaction Signatures (TSIG)

  • Sensitivity: TSIG (RFC 8945) authenticates DNS messages with an HMAC over a shared secret. It is what primaries and secondaries use to protect zone transfers and what dynamic-update clients use to prove they may change a zone. It has nothing to do with DNS over TLS (DoT) or DNS over HTTPS (DoH), which encrypt the transport between a client and a resolver.
  • Attack Vector: a leaked TSIG key (from a config file, a backup or a repository) lets an attacker request AXFR from a server that restricts transfers to keyed peers and push dynamic updates as if it were an authorized host; dig accepts a key with -k keyfile or -y [hmac:]name:secret for exactly these requests. Separately, plain DNS on port 53 is unencrypted, so attackers on the path can read or modify queries with tools like Wireshark or custom packet-sniffing scripts; DoT and DoH are the countermeasure to that, not the target.

7 DNS Query Logs

  • Sensitivity: logs containing details of DNS queries, including source IP addresses, requested domain names and timestamps; they map out who talks to what inside the network.
  • Attack Vector: attackers target logging systems, exploit vulnerabilities in DNS servers to gain access to logs, or perform man-in-the-middle attacks to intercept DNS queries. Log analysis tools or custom scripts may assist.
  • Once they have access, they modify log entries to hide malicious activity or mislead investigators, with nothing more than a standard text editor or a script; shipping logs to an append-only central store is the defence.

8 DNS Tunneling

  • Method: attackers encapsulate non-DNS traffic (command-and-control, exfiltrated data) in DNS queries and responses, typically as long, high-entropy subdomain labels of a domain whose authoritative server they control, to pass through networks that allow outbound DNS but block everything else.
  • Tool: tools like iodine, dns2tcp, dnscat2 or custom scripts can be used for DNS tunneling.

Various advanced tools are used for DNS scanning, exploitation and vulnerability assessment by ethical hackers and bug bounty hunters; we cover these tools in the next article.

Some of these tools include:

  1. dnsrecon: a DNS enumeration tool used to gather information about a target's DNS infrastructure, including zone transfers, subdomain brute-forcing and reverse lookups.
  2. DNSenum: a tool for DNS enumeration and reconnaissance, used to gather a target's DNS servers, subdomains, IP addresses and related information.
  3. dnstracer: a DNS resolution tracing tool that displays the path taken by a query from the source to the authoritative server, including all intermediate DNS servers.
  4. dig: the command-line tool covered in this article, used to perform every kind of DNS query (A, AAAA, MX, NS, TXT and so on).
  5. nslookup: an older command-line tool for querying DNS servers, used to retrieve IP addresses, hostnames, MX records and similar information.
  6. dnsmap: a subdomain brute-forcing tool that discovers hostnames under a target domain from a built-in or user-supplied wordlist.
  7. DNSChef: a configurable DNS proxy (a "fake DNS server") used to redirect selected names during malware analysis and man-in-the-middle testing; it is not a vulnerability scanner.
  8. MassDNS: a high-performance DNS stub resolver used for large-scale enumeration and reconnaissance, capable of resolving huge wordlists at hundreds of thousands of queries per second on a suitable uplink.
  9. dnssec-scan: a tool for DNSSEC analysis and validation, used to find weaknesses in DNSSEC deployments such as key misconfigurations or rollover problems; DNSViz and delv are the more widely used options for the same job.
  10. DNS Flag Day: not a tool but an industry initiative; its website offers a compliance test that checks whether authoritative servers handle EDNS correctly (2019) and avoid IP fragmentation (2020).

These tools help ethical hackers and bug bounty hunters identify and exploit DNS vulnerabilities and assess the security of DNS infrastructure. However, it is essential to use them ethically and responsibly, following all relevant legal and ethical guidelines. Always obtain proper authorization before conducting any security testing or vulnerability assessment.

: )

RED TEAM-001


Written by RED TEAM | Malforge Group

I'm a 21-year-old malware developer with 1 year of experience. Passionate about learning new techniques, sharing knowledge, and creating malware tools.
