πŸ“š DNS

Created: 18.11.2020

Domain Name System. Translates IPs to domain names like 192.168.1.1 to router.lan and visa versa.

DNS querying can be either recursive or non-recursive.

Recursive. ISP DNS server queries other DNS servers until it finds the answer. Once it’s found, it’s returned by the ISP DNS to the client.

Non-recursive. ISP DNS is not involved? Response comes directly from the DNS server queried the last. So, who has asked initially, would be shown in the last DNS server’s logs πŸ“.

Works on port 53 (usually, UDP, but TCP could also be used in some cases).

Attacks and Misuse

DNS Aplification

Use a public DNS server to flood the victim with DNS replies. Requires a botnet, each bot sending a DNS request with a spoofed IP (the victim’s IP).

nmap -sU -p53 -sV --script=dns-recursion.nse IP

DNS Fast Flux

Used by botnets to hide phishing and malware delivery sites behind dynamic network of compromised hosts acting as proxies.

DNS Command Injection

Type 1

Type 2

DNS Snipping

If, for example, example.com has expired and was not prolonged in time, the attacker could buy this domain and use for malicious activity.

Cybersquatting

Some hacker Eve buys a domain that looks a lot like a legit example.com, for example, examp1e.com. Eve than posts some crap and the owner of example.com will have to deal with the reputation damage.

Domain hijacking

Domain theft usually due to the registrant abuse.

DNS sinkhole

This technique is actually often used by the blue teamers to handle malware’s DNS requests and redurect them to some fake server in order to win some time and perform a throurough investigation while the malware thinks everything is ok.

DNS poisoning (spoofing)

  1. Local host can be tampered with.
  2. Local DNS daemon/service could be tampered with (like DNS GetCacheDataTable from dnsapi.dll, RPC to dnscache.dll svchost.dll).
  3. Change the file on the DNS server itself.

DNS redirection

In case a malware beacons to its server via DNS, you have two options to trick it:

  • tamper the hosts file
  • run a local DNS service that’s going to resolve the requested domain names to the IP addresses of your choice.

DNS Cache

Windows

DNS Leak

See here.

DNS Zone transfer

What’s a zone? Picture and explanation.

There are usually two or more DNS servers. One is the master, the others are slaves. What it actually means is that master is updated, replying to requests. Slaves act as backup in case something happens to the data on the master DNS server. Master syncs with the slave from time to time. What the master sends to a slave is called a zone file. It contains the mapping of domain names and IP addresses that is used when people are trying to resolve domain names.

If the DNS settings are wrong and allow a trird-party to upload a zone file, the DNS server could be compromised and redirect people to the wrong servers.

perl fierce.pl -dns example.com -wordlist rocky_you.txt # The script is used for DNS reconnaissance and network mapping. In this case, it is instructed to perform a DNS enumeration on the domain `example.com` using a wordlist file called `rocky_you.txt`.


dig @ns1.google.com axfr # This line uses the `dig` command-line tool to perform a DNS zone transfer (AXFR) against the DNS server at `ns1.google.com`. A zone transfer allows retrieving the complete DNS records for a specific domain from the authoritative DNS server.

host -l google.com ns1.google.com # This line uses the `host` command-line tool to perform a DNS zone transfer (AXFR) against the DNS server at `ns1.google.com`. It requests a zone transfer for the domain `google.com` using the `-l` option.


nslookup server authoritative_IP & set type=any & ls -v example.com # This line utilizes the `nslookup` command-line tool to interact with a DNS server. It first sets the DNS server to `server authoritative_IP` (replacing `authoritative_IP` with the actual IP address of an authoritative DNS server). Then, it sets the query type to `any` using the `set type=any` command. Finally, it lists all the resource records (including hidden ones) for the domain `example.com` using the `ls -v` command.

dig @127.0.0.1 example.com ns # This line uses the `dig` command-line tool to query the DNS server running on `127.0.0.1` (localhost) for the nameserver (NS) records of the domain `example.com`. It fetches the authoritative nameservers responsible for the domain.

dig server_name_or_IP ptr # This line uses the `dig` command-line tool to perform a reverse DNS lookup (PTR) for a given `server_name_or_IP`. It retrieves the reverse DNS record associated with the provided server name or IP address.


dnschef --interface=127.0.0.2 --fakeip=98.98.98.98 --fakedomains=googel.com # This line executes the `dnschef` tool, which is a DNS proxy server used for DNS spoofing and manipulation. It starts `dnschef` with the specified configuration, where DNS requests are intercepted on interface `127.0.0.2`, and any requests for the domain `googel.com` will be spoofed to resolve to the fake IP address `98.98.98.98`.

DNS rebinding

It allows bypassing the SOP policy. It involves exploitation of a routing devices.

  1. Force the user to visit hacker.com. He resolves hacker.com to 123.456.789.12 where this entry has a TTL set to a small value like 1 (will expire soon).
  2. Run JS on the client that constantly sends requests to hacker.com/config.
  3. TTL expires, client sends request again but now hacker’s DNS resolves to the victim’s local address 192.168.1.1 (usually assigned to routers).
  4. Victim sends a request for hacker.com/config which is resolves now to a local addres and is basically the following: 192.168.1.1/config.

πŸ“˜BTFM

Check IP reputation

www.reverse.it, www.urlvoid.com.

To get the DNS servers for this particular domain, use πŸ› οΈ nslookup (a tool available on many OS).

❗️Note, however, that the macOS version of the tool is limited and doesn’t have some of the options implemented (like -l or zone transfer).

nslookup
> set type=ns
> bakerst221b.com
> set type=mx
> bakerst221b.com

DNS requests

decode -d dns 2022-11-07-part-1-of-2-Emotet-infection.pcap # view DNS request from the pcap