Extracting Information from DNS: DNS servers are an excellent target for hackers and penetration testers. They usually contain information that is considered highly valuable to attackers.
DNS is a core component of both our local networks and the Internet. Among other things, DNS is responsible for the process of translating domain names to IP addresses.
As humans, it is much easier for us to remember “google.com” rather than that http://220.127.116.11. However, machines prefer the reverse. DNS serves as the middle man to perform this translation process.
As penetration testers, it is important to focus on the DNS servers that belong to our target. The reason is simple.
In order for DNS to function properly, it needs to be aware of both the IP address and the corresponding domain name of each computer on its network.
In terms of reconnaissance, gaining full access to a company’s DNS serves is like finding a pot of gold at the end of a rainbow. Or maybe, more accurately, it is like finding a blueprint to the organization.
But in this case, the blueprint contains a full listing of Internal IP addresses and host names that belong to our target.
Remember one of key elements of information gathering is to collect IP addresses that belong to the target.
Aside from the pot of gold, another reason why picking on DNS is so enjoyable is that in many cases these services tend to operate on the “if it isn’t broke, don’t touch it” principle.
Inexperienced network administrators often regard their DNS servers with suspicion and mistrust. Oftentimes, they choose to ignore the box completely because they do not fully understand it.
As a result, patching, updating, or changing configurations on the DNS server is often a low priority. Add this to the fact that most DNS servers appear to be very stable (as long as the administrator is not monkeying with it) and you have a recipe for a security disaster.
These admins wrongly learn early in their career that the less they mess with their DNS servers, the less trouble it seemed to cause them.
As a penetration tester, given the number of misconfigured and unpatched DNS servers that abound today, it is natural to assume that many current network admins operate under the same principle.
If the above statements are true in even a small number of organizations, we are left with valuable targets that have a high probability of being unpatched or out of date.
So the next logical question becomes, how do we access this virtual pot of gold? Before we can begin the process of examining a DNS server, we need an IP address.
Earlier in our reconnaissance, we came across several references to DNS. Some of these references were by host names, whereas other were by IP addresses.
Using the host command, we can translate any host names into the IP addresses and add these IPs to the potential target list.
Again, you must be sure to double-and-triple-check that the IP you collect is within your authorized scope before continuing.
Now that we have a list of DNS IP addresses that belong to or (serve out target) we can begin the process of interrogating DNS to extract information.
Although it is becoming rarer to find, one of our first tasks when interacting with a target DNS is to attempt a zone transfer.
Recall that DNS servers contain a series of records that match up the IP address and host name for all the devices that the servers are aware of. Many networks deploy multiple DNS servers for the sake of redundancy or load balancing.
As a result, DNS servers need a way to share information. This “sharing” process occurs through the use of z zone transfer.
During z zone transfer, also commonly referred to as AXFR, one DNS server will send all the host-to-IP mapping it contains to another DNS server. This process allows multiple DNS servers to stay in sync.
Even if we are unsuccessful in performing a zone transfer, we should still spend time investigating any DNS servers that falls within out authorized scope.