Domain Name System. Translates domain names like router.lan to IPs and vice versa.
DNS querying can be either recursive or non-recursive.
Recursive. The ISP DNS server queries other DNS servers until it finds the answer. Once found, the ISP DNS returns it to the client.
Non-recursive (iterative). The ISP DNS is not involved in chasing the answer: it only hands back a referral and the client itself queries the next server, so the response comes directly from the last DNS server queried. That means the original asker shows up in the last DNS server's logs 📝 (with recursion, only the ISP resolver's IP does).
Works on port 53 (usually UDP, but TCP is also used in some cases, e.g. zone transfers and replies too large for UDP).
Attacks and Misuse
DNS amplification (reflection). Abuse an open (recursive) public DNS server to flood the victim with DNS replies. Requires a botnet, each bot sending small DNS requests with a spoofed source IP (the victim's IP), so the much larger replies land on the victim.
nmap -sU -p53 -sV --script=dns-recursion.nse IP # check whether the server at IP answers recursive queries for anyone (open resolver)
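The same check done by hand, as an added example that is not part of the original notes: send a query with the RD bit set and look at the RA flag and RCODE in the reply, which is what the nmap script above is judging. The server address and the constructed reply packets are assumptions for illustration.

```python
import socket
import struct

def recursion_query(name="example.com", txid=0x4242):
    """Standard A/IN query with RD (recursion desired) set, as a stub resolver sends it."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"

def recursion_verdict(response, txid=0x4242):
    """Classify a reply: 'open' if the server recursed for us (RA set, NOERROR),
    'closed' if it refused or answered without RA, 'invalid' if it is not our reply."""
    if len(response) < 12 or struct.unpack("!H", response[:2])[0] != txid:
        return "invalid"
    flags = struct.unpack("!H", response[2:4])[0]
    qr = (flags >> 15) & 1      # 1 = this is a response
    ra = (flags >> 7) & 1       # recursion available
    rcode = flags & 0xF         # 0 = NOERROR, 5 = REFUSED
    if not qr:
        return "invalid"
    if ra and rcode == 0:
        return "open"
    return "closed"

def probe(server_ip, port=53, timeout=3.0):
    """Send the query to server_ip (needs network) and return the verdict."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(recursion_query(), (server_ip, port))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "no reply"
    finally:
        sock.close()
    return recursion_verdict(data)

if __name__ == "__main__":
    # Assumed address: point this at one of your own resolvers to verify it is not open
    print(probe("192.0.2.53"))
```

Run it against your own resolvers from outside the network; an "open" verdict from the Internet side means the server can be used as a reflector.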
DNS Fast Flux
Used by botnets to hide phishing and malware delivery sites behind a dynamic network of compromised hosts acting as proxies: the domain's A records rotate rapidly (low TTL) through those hosts, so blocking one IP achieves little.
DNS Command Injection
If, for example, example.com has expired and was not renewed in time, an attacker could buy the domain and use it for malicious activity.
Some hacker Eve buys a domain that looks a lot like a legit example.com, for example examp1e.com. Eve then posts some crap and the owner of example.com will have to deal with the reputation damage.
Domain theft is usually due to abuse of the registrant's account at the registrar.
This technique (sinkholing) is actually often used by blue teamers to handle malware's DNS requests and redirect them to some fake server in order to win some time and perform a thorough investigation while the malware thinks everything is OK.
DNS poisoning (spoofing)
- The local hosts file can be tampered with.
- Local DNS daemon/service could be tampered with (like DNS dnsapi.dll, RPC to
- The zone file on the DNS server itself can be changed.
In case malware beacons to its server via DNS, you have two options to trick it:
- tamper with the hosts file so the beacon's domain resolves to a machine you control
- run a local DNS service that resolves the requested domain names to the IP addresses of your choice (this is what dnschef does)
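The second option, as an added example that is not part of the original notes and not dnschef's code: a minimal UDP DNS responder that logs every name the sample asks for and answers A queries with a sinkhole address of your choice. The listen address, port, sinkhole IP and the query built by build_query are constructed for illustration.

```python
import socket
import struct

def parse_qname(data, offset=12):
    """Decode the DNS labels at `offset`; return (dotted name, offset after them)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset

def build_query(name, txid=0x1234, qtype=1):
    """Constructed stub-resolver query (RD set), used to exercise the responder offline."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def build_response(query, fake_ip, ttl=60):
    """Answer an A/IN question with `fake_ip`; return (packet, name asked, ip handed out)."""
    qname, end = parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    # QR=1 (response), RD copied from the query, RA=1, RCODE=0 (NOERROR)
    flags = struct.pack("!H", 0x8080 | ((query[2] & 0x01) << 8))
    if (qtype, qclass) != (1, 1):
        # Not an A/IN question: reply NOERROR with an empty answer section
        return query[:2] + flags + struct.pack("!HHHH", 1, 0, 0, 0) + question, qname, None
    # 0xC00C is a compression pointer back to the QNAME at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(fake_ip)
    return query[:2] + flags + struct.pack("!HHHH", 1, 1, 0, 0) + question + answer, qname, fake_ip

def serve(listen_ip="127.0.0.1", port=5353, fake_ip="10.0.0.1"):
    """Log every query and hand back the sinkhole IP (assumed values; point the
    analysis VM's resolver at this host)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((listen_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            packet, name, ip = build_response(data, fake_ip)
        except (IndexError, struct.error):
            continue  # malformed packet, ignore it
        print(f"{peer[0]} asked for {name} -> {ip}")
        sock.sendto(packet, peer)

if __name__ == "__main__":
    serve()
```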
DNS Zone transfer
What’s a zone? Picture and explanation.
There are usually two or more DNS servers. One is the master, the others are slaves. What it actually means is that the master holds the copy that gets updated and replies to requests, while the slaves act as a backup in case something happens to the data on the master. The master syncs with the slaves from time to time. What the master sends to a slave is called a zone file (the transfer itself is AXFR). It contains the mapping of domain names to IP addresses that is used when people are trying to resolve domain names.
If the DNS settings are wrong and allow a third party to upload a zone file, the DNS server could be compromised and redirect people to the wrong servers. The more common misconfiguration is the reverse: the server answers AXFR requests from anyone, which leaks the whole zone (every host name and address in it); the commands below test for exactly that, so run them against your own name servers.
perl fierce.pl -dns example.com -wordlist rocky_you.txt # DNS reconnaissance and network mapping: enumerate hosts under example.com (fierce tries a zone transfer first, then brute-forces names from rocky_you.txt)
dig @ns1.google.com google.com axfr # ask ns1.google.com for a full zone transfer (AXFR) of google.com; a correctly configured server refuses this
host -l google.com ns1.google.com # the same zone transfer via host; -l lists the zone by requesting AXFR from ns1.google.com
nslookup # interactive session (Windows-style nslookup), one command per line:
> server authoritative_IP # replace authoritative_IP with the IP of an authoritative DNS server for the domain
> set type=any # ask for every record type
> ls -v example.com # list all resource records of example.com (this is a zone transfer and only works if the server allows it)
dig @127.0.0.1 example.com ns # query the DNS server on 127.0.0.1 (localhost) for the NS records of example.com, i.e. its authoritative name servers
dig -x IP # reverse DNS lookup (PTR) for the given IP address; -x builds the in-addr.arpa name for you
dnschef --interface=127.0.0.2 --fakeip=220.127.116.11 --fakedomains=googel.com # dnschef is a DNS proxy used to spoof answers: it listens on 127.0.0.2 and resolves googel.com to 220.127.116.11, forwarding everything else to the real resolver
DNS rebinding. It allows bypassing the SOP (same-origin policy) and involves exploitation of a routing device on the victim's LAN:
- Force the user to visit hacker.com. The hacker's DNS resolves hacker.com to 123.456.789.12, with the TTL of this entry set to a small value like 1 (it will expire soon).
- Run JS on the client that constantly sends requests to
- The TTL expires, the client sends the request again, but now the hacker's DNS resolves hacker.com to the victim's local address 192.168.1.1 (usually assigned to routers).
- The victim sends a request for hacker.com/config, which now resolves to a local address and is basically the following:
Mitigation: resolvers and routers can refuse to return private-range addresses for external names (DNS rebinding protection), and the router's admin interface should check the Host header.
Check IP reputation
To get the DNS servers for this particular domain, use 🛠️ nslookup (a tool available on many OSes).
❗️Note, however, that the macOS version of the tool is limited and doesn't have some of the options implemented (like -l or zone transfer).
> set type=ns # name servers of the domain
> set type=mx # mail servers of the domain
decode -d dns 2022-11-07-part-1-of-2-Emotet-infection.pcap # view the DNS requests in the pcap