6. DNS

I. DNS Basics

• Function: Translates domain names to IP addresses.

• Ports:

  • UDP/53 (default)

  • TCP/53 (for zone transfers and large packets)

• Importance: Critical for network applications.

• Attack Vectors:

  • DNS zone transfers.

  • Domain/subdomain takeovers.

  • DNS spoofing/cache poisoning.

II. Enumeration

• Nmap:

nmap -p53 -Pn -sV -sC <target_IP>

III. DNS Zone Transfers

• Function: Copies DNS zone data between servers.

• Vulnerability: Misconfigurations allow unauthorized transfers.

• Tools:

dig AXFR @<nameserver> <domain>
fierce --domain <domain>

IV. Domain/Subdomain Takeovers

• Domain Takeover: Registering expired domains.

• Subdomain Takeover: Claiming subdomains pointing to expired services (via CNAME records).

• Subdomain Enumeration Tools:

./subfinder -d <domain> -v
# Sublist3r can be used similarly.
git clone https://github.com/TheRook/subbrute.git
cd subbrute
echo "<nameserver>" > ./resolvers.txt
./subbrute <domain> -s ./names.txt -r ./resolvers.txt

• CNAME Record Enumeration:

host <subdomain>
nslookup <subdomain>

• Subdomain Takeover Verification:

  • Check for "NoSuchBucket" errors (AWS S3).

  • Use can-i-take-over-xyz repository.

V. DNS Spoofing/Cache Poisoning

• Function: Injecting false DNS records.

• Methods:

  • Man-in-the-Middle (MITM) attacks.

  • Exploiting DNS server vulnerabilities.

• Local DNS Cache Poisoning (MITM):

# Ettercap Setup:
# 1. Edit /etc/ettercap/etter.dns and add spoofed domain/IP.
# 2. Start Ettercap, scan hosts.
# 3. Add target IP to Target1, gateway IP to Target2.
# 4. Enable dns_spoof plugin.

# Bettercap can also be used for similar purposes.

VI. Latest DNS Vulnerabilities

• Subdomain Takeover (CNAME Records):

  • Exploiting forgotten CNAME records pointing to expired third-party services.

  • Risks: Phishing, cookie stealing, CSRF, CORS abuse, CSP bypass.

Key Commands Summary

• Nmap:

nmap -p53 -Pn -sV -sC <target_IP>

• dig:

dig AXFR @<nameserver> <domain>

• Fierce:

fierce --domain <domain>

• Subfinder:

./subfinder -d <domain> -v

• Subbrute:

./subbrute <domain> -s ./names.txt -r ./resolvers.txt

• host:

host <subdomain>

• nslookup:

nslookup <subdomain>

• Ettercap:

  • Edit /etc/ettercap/etter.dns.

  • Use Ettercap GUI (scan, targets, plugins).