LinkedInGithub
Edit

DNS 53

DNS Scanning and Enumeration - Port 53

DNS (Domain Name System) is the protocol that translates domain names into IP addresses. Below are techniques for scanning and enumerating DNS services on port 53.

DNS Overview:

  • Default Port: 53

  • Protocol: DNS is used to resolve domain names to IP addresses and vice versa, making it one of the most essential services on the Internet. DNS queries can be made using UDP (default) or TCP.

Enumeration Techniques:

  1. Banner Grabbing:

    • Use nc or nmap to grab the DNS banner and version information. Example:

      nc -vn <IP> 53
nmap -sV -p53 <IP>  # Grabbing DNS version if available

  2. DNS Query for Version Information:

    • Query the DNS server to check for version information or errors. Example:

      dig -x <IP>  # Reverse lookup for version info

  3. DNS Zone Transfer:

    • Attempt a DNS zone transfer (AXFR) to gather the entire DNS zone (if misconfigured). Example:

      dig axfr @<IP> <domain>

  4. Unauthenticated Enumeration with Nmap:

    • Use nmap to detect DNS service versions and perform general enumeration. Example:

      sudo nmap -sV -p53 -sC -A <IP>

  5. DNS Brute Force:

    • Use dnsenum or fierce to enumerate DNS records or perform subdomain enumeration. Example with dnsenum:

      dnsenum <domain>

      Example with fierce:

      fierce -dns <domain>

  6. Check for DNS Cache Snooping:

    • Check if a DNS server allows you to snoop on its cache and reveal domain names it has recently resolved. Example:

      dig @<IP> <domain> +noall +answer

  7. Check for Open Recursive DNS Server:

    • Test if the DNS server is open for recursive queries, which could allow misuse in DDoS amplification attacks. Example:

      dig @<IP> <random_domain>

  8. DNS Amplification Attack:

    • If the DNS server is open for recursion, it could be used in a DDoS amplification attack. Example:

      dig @<IP> <large_domain> any

  9. DNS Query for Specific Records:

    • Query for specific DNS records such as MX, NS, and TXT to gather more information about the domain and its infrastructure. Example:

      dig @<IP> <domain> MX  # Mail servers
dig @<IP> <domain> NS  # Name servers
dig @<IP> <domain> TXT # Text records

  10. DNS Reverse Lookup:

    • Perform a reverse lookup to obtain the domain name associated with a given IP address. Example:

      dig -x <IP>

  11. Automated Checks with Nmap Scripts:

    • Use nmap scripts for DNS enumeration and vulnerability scanning. Example:

      nmap --script=dns-* -p 53 <IP>

  12. Check for DNSSEC (DNS Security Extensions):

    • Verify whether DNSSEC is implemented to secure DNS data integrity and prevent spoofing. Example:

      dig @<IP> +dnssec <domain>

Useful Tools for Scanning:

  • Nmap: For version detection, script scanning, and DNS enumeration.

  • dig: For querying DNS records and performing reverse lookups.

  • dnsenum: For brute-forcing and DNS enumeration.

  • fierce: For DNS reconnaissance and subdomain enumeration.

  • dnspython: A library for programmatically querying and manipulating DNS records.

PreviousServicesNextFTP 21

Last updated