DNS
Domain Name System
Last updated
Domain Name System
Last updated
DNS (Domain Name System) plays a crucial role in how the internet functions. The DNS allows us to search for domain names like and reach the web servers that the hosting provider has assigned the IP address.
With DNS we do not have to remember all the IP addresess for our favorite sites. Its a lot easier to remember the names, that is why DNS is so important.
Defnition: DNS is a system for resolving computer names into IP addresses, and it does not have a central database.
Its like a big phone book where the information is distributed over thousand of name servers globally placed.
There are several types of DNS servers used worldwide:
DNS root server
Authoritative name server
Non-authoritative name server
Caching server
Forwarding server
Resolver
DNS Root Server
The root servers of the DNS are responsible for the top-level domains (TLD) such as .com, .net... As the last instance, they are only requested if the name server does not respond. Thus, a root server is a central interface between users and content on the Internet, as it links domain and IP address. There are 13 such root servers around the globe.
Authoritative Nameserver
Authoritative name servers hold authority for a particular zone. They only answer queries from their area of responsibility, and their information is binding. If an authoritative name server cannot answer a client's query, the root name server takes over at that point.
Non-authoritative Nameserver
Non-authoritative name servers are not responsible for a particular DNS zone. Instead, they collect information on specific DNS zones themselves, which is done using recursive or iterative DNS querying.
Caching DNS Server
Caching DNS servers cache information from other name servers for a specified period. The authoritative name server determines the duration of this storage.
Forwarding Server
Forwarding servers perform only one function: they forward DNS queries to another DNS server.
Resolver
Resolvers are not authoritative DNS servers but perform name resolution locally in the computer or router.
The DNS does not only store information about the IP address conected to the domain name, but can hold information such as, what is the host that is served as the email server for this specific domain name. Or what is the name of the host
DNS is mainly unencrypted. Devices on the local WLAN and Internet providers can therefore hack in and spy on DNS queries. Since this poses a privacy risk, there are now some solutions for DNS encryption. By default, IT security professionals apply DNS over TLS (DoT) or DNS over HTTPS (DoH) here. In addition, the network protocol DNSCrypt also encrypts the traffic between the computer and the name server.
A
Returns an IPv4 address of the requested domain as a result.
AAAA
Returns an IPv6 address of the requested domain.
MX
Returns the responsible mail servers as a result.
NS
Returns the DNS servers (nameservers) of the domain.
TXT
This record can contain various information. The all-rounder can be used, e.g., to validate the Google Search Console or validate SSL certificates. In addition, SPF and DMARC entries are set to validate mail traffic and protect it from spam.
CNAME
This record serves as an alias. If the domain www.hackthebox.eu should point to the same IP, and we create an A record for one and a CNAME record for the other.
PTR
The PTR record works the other way around (reverse lookup). It converts IP addresses into valid domain names.
SOA
Provides information about the corresponding DNS zone and email address of the administrative contact.
local DNS configuration files
zone files
reverse name resolution files
allow-query
Defines which hosts are allowed to send requests to the DNS server.
allow-recursion
Defines which hosts are allowed to send recursive requests to the DNS server.
allow-transfer
Defines which hosts are allowed to receive zone transfers from the DNS server.
zone-statistics
Collects statistical data of zones.
The footprinting at DNS servers is done as a result of the requests we send. So, first of all, the DNS server can be queried as to which other name servers are known. We do this using the NS record and the specification of the DNS server we want to query using the @ character. This is because if there are other DNS servers, we can also use them and query the records. However, other DNS servers may be configured differently and, in addition, may be permanent for other zones.
Note: We can use the option ANY to view all available records. This will cause the server to show us all available entries that it is willing to disclose. It is important to note that not all entries from the zones will be shown.
An option would be to execute a for-loop in Bash that lists these entries and sends the corresponding query to the desired DNS server.
note: for host brute forcing we can use the /home/kali/Downloads/SecList/Discovery/DNS/fience-host.txt file
The individual A records with the hostnames can also be found out with the help of a brute-force attack. To do this, we need a list of possible hostnames, which we use to send the requests in order. Such lists are provided, for example, by .
Many different tools can be used for this, and most of them work in the same way. One of these tools is, for example .
