Domain Name System. Translates IPs to domain names like 192.168.1.1
to router.lan
and visa versa.
DNS querying can be either recursive or non-recursive.
Recursive. ISP DNS server queries other DNS servers until it finds the answer. Once it’s found, it’s returned by the ISP DNS to the client.
Non-recursive. ISP DNS is not involved? Response comes directly from the DNS server queried the last. So, who has asked initially, would be shown in the last DNS server’s logs π.
Works on port 53 (usually, UDP, but TCP could also be used in some cases).
Attacks and Misuse
DNS Aplification
Use a public DNS server to flood the victim with DNS replies. Requires a botnet, each bot sending a DNS request with a spoofed IP (the victim’s IP).
nmap -sU -p53 -sV --script=dns-recursion.nse IP
DNS Fast Flux
Used by botnets to hide phishing and malware delivery sites behind dynamic network of compromised hosts acting as proxies.
DNS Command Injection
Type 1
Type 2
DNS Snipping
If, for example, example.com has expired and was not prolonged in time, the attacker could buy this domain and use for malicious activity.
Cybersquatting
Some hacker Eve buys a domain that looks a lot like a legit example.com
, for example, examp1e.com
. Eve than posts some crap and the owner of example.com
will have to deal with the reputation damage.
Domain hijacking
Domain theft usually due to the registrant abuse.
DNS sinkhole
This technique is actually often used by the blue teamers to handle malware’s DNS requests and redurect them to some fake server in order to win some time and perform a throurough investigation while the malware thinks everything is ok.
DNS poisoning (spoofing)
- Local host can be tampered with.
- Local DNS daemon/service could be tampered with (like DNS
GetCacheDataTable
fromdnsapi.dll
, RPC todnscache.dll
svchost.dll
). - Change the file on the DNS server itself.
DNS redirection
In case a malware beacons to its server via DNS, you have two options to trick it:
- tamper the hosts file
- run a local DNS service that’s going to resolve the requested domain names to the IP addresses of your choice.
DNS Cache
Windows
DNS Leak
See here.
DNS Zone transfer
What’s a zone? Picture and explanation.
There are usually two or more DNS servers. One is the master, the others are slaves. What it actually means is that master is updated, replying to requests. Slaves act as backup in case something happens to the data on the master DNS server. Master syncs with the slave from time to time. What the master sends to a slave is called a zone file. It contains the mapping of domain names and IP addresses that is used when people are trying to resolve domain names.
If the DNS settings are wrong and allow a trird-party to upload a zone file, the DNS server could be compromised and redirect people to the wrong servers.
perl fierce.pl -dns example.com -wordlist rocky_you.txt # The script is used for DNS reconnaissance and network mapping. In this case, it is instructed to perform a DNS enumeration on the domain `example.com` using a wordlist file called `rocky_you.txt`.
dig @ns1.google.com axfr # This line uses the `dig` command-line tool to perform a DNS zone transfer (AXFR) against the DNS server at `ns1.google.com`. A zone transfer allows retrieving the complete DNS records for a specific domain from the authoritative DNS server.
host -l google.com ns1.google.com # This line uses the `host` command-line tool to perform a DNS zone transfer (AXFR) against the DNS server at `ns1.google.com`. It requests a zone transfer for the domain `google.com` using the `-l` option.
nslookup server authoritative_IP & set type=any & ls -v example.com # This line utilizes the `nslookup` command-line tool to interact with a DNS server. It first sets the DNS server to `server authoritative_IP` (replacing `authoritative_IP` with the actual IP address of an authoritative DNS server). Then, it sets the query type to `any` using the `set type=any` command. Finally, it lists all the resource records (including hidden ones) for the domain `example.com` using the `ls -v` command.
dig @127.0.0.1 example.com ns # This line uses the `dig` command-line tool to query the DNS server running on `127.0.0.1` (localhost) for the nameserver (NS) records of the domain `example.com`. It fetches the authoritative nameservers responsible for the domain.
dig server_name_or_IP ptr # This line uses the `dig` command-line tool to perform a reverse DNS lookup (PTR) for a given `server_name_or_IP`. It retrieves the reverse DNS record associated with the provided server name or IP address.
dnschef --interface=127.0.0.2 --fakeip=98.98.98.98 --fakedomains=googel.com # This line executes the `dnschef` tool, which is a DNS proxy server used for DNS spoofing and manipulation. It starts `dnschef` with the specified configuration, where DNS requests are intercepted on interface `127.0.0.2`, and any requests for the domain `googel.com` will be spoofed to resolve to the fake IP address `98.98.98.98`.
DNS rebinding
It allows bypassing the SOP policy. It involves exploitation of a routing devices.
- Force the user to visit
hacker.com
. He resolves hacker.com to123.456.789.12
where this entry has aTTL
set to a small value like1
(will expire soon). - Run JS on the client that constantly sends requests to
hacker.com/config
. - TTL expires, client sends request again but now hacker’s DNS resolves to the victim’s local address
192.168.1.1
(usually assigned to routers). - Victim sends a request for
hacker.com/config
which is resolves now to a local addres and is basically the following:192.168.1.1/config
.
πBTFM
Check IP reputation
www.reverse.it, www.urlvoid.com.
To get the DNS servers for this particular domain, use π οΈ nslookup
(a tool available on many OS).
βοΈNote, however, that the macOS version of the tool is limited and doesn’t have some of the options implemented (like
-l
or zone transfer).
nslookup
> set type=ns
> bakerst221b.com
> set type=mx
> bakerst221b.com
DNS requests
decode -d dns 2022-11-07-part-1-of-2-Emotet-infection.pcap # view DNS request from the pcap