53 - Pentesting DNS

# Query BIND version
dig version.bind CHAOS TXT @DNS

# Fingerprint with fpdns
fpdns <IP>

# Nmap
nmap -n --script dns-nsid <IP>

dig any victim.com @<DNS_IP>

dig axfr @<DNS_IP>                # Without domain
dig axfr @<DNS_IP> <DOMAIN>      # With domain
fierce --domain <DOMAIN> --dns-servers <DNS_IP>

dig ANY @<DNS_IP> <DOMAIN>     # Any information
dig A @<DNS_IP> <DOMAIN>       # IPv4 address
dig AAAA @<DNS_IP> <DOMAIN>    # IPv6 address
dig TXT @<DNS_IP> <DOMAIN>     # Text records (SPF, DKIM, etc.)
dig MX @<DNS_IP> <DOMAIN>      # Mail servers
dig NS @<DNS_IP> <DOMAIN>      # Nameservers
dig -x 192.168.0.2 @<DNS_IP>   # Reverse lookup
dig -x 2a00:1450:400c:c06::93 @<DNS_IP>  # Reverse IPv6

dig -t _gc._tcp.lab.domain.com
dig -t _ldap._tcp.lab.domain.com
dig -t _kerberos._tcp.lab.domain.com
nslookup -type=srv _kerberos._tcp.<CLIENT_DOMAIN>
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='domain.com'"

dnsenum --dnsserver <IP_DNS> --enum -p 0 -s 0 -o subdomains.txt \
  -f subdomains-1000.txt <DOMAIN>

dnsrecon -D subdomains-1000.txt -d <DOMAIN> -n <IP_DNS>

dnscan -d <domain> -r -w subdomains-1000.txt

# Loop-based brute force
for sub in $(cat <WORDLIST>); do \
  dig $sub.<DOMAIN> @<DNS_IP> | grep -v ';\|SOA' | \
  sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt; \
done

# With dnsenum
dnsenum --dnsserver <DNS_IP> --enum -p 0 -s 0 -o subdomains.txt \
  -f wordlist.txt <DOMAIN>

nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" <IP>

dnsrecon -r 127.0.0.0/24 -n <IP_DNS>   # Reverse lookup subnet
dnsrecon -r <IP_DNS>/24 -n <IP_DNS>
dnsrecon -d active.htb -a -n <IP_DNS>  # Zone transfer

# DNSSEC enumeration
nmap -sSU -p53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=paypal.com ns3.isc-sns.info

# Check DNSSEC records
dig example.com DNSKEY +dnssec
dig example.com DS +short
dig example.com CDS +short

dnsdict6 -s -t <domain>          # AAAA brute force
dnsrevenum6 pri.authdns.ripe.net 2001:67c:2e8::/48  # Reverse IPv6

# Check if recursion is available
dig google.com A @<IP>
# Look for 'ra' (recursion available) flag in response

dig example.com NS +short
for ns in $(dig +short example.com NS); do \
  dig @${ns%?} example.com SOA +short; \
done
# Lame delegation: NS doesn't answer authoritatively

dig example.com A +ttlid
dig example.com MX +ttlid
# TTL < 300 on critical records = faster rollout of malicious changes

dig example.com CAA +short
# issue/issuewild with "any" is overly permissive

/etc/resolv.conf
/etc/bind/named.conf
/etc/bind/named.conf.local
/etc/bind/named.conf.options
/etc/bind/named.conf.log
/etc/bind/*