Notes
| Alternative Ports |
|---|
| 53 TCP (rare) |
| 53 UDP (default) |
Service Description
DNS (Domain Name System) is used to translate human-friendly domain names into IP addresses. While most DNS queries are over UDP, TCP is used for zone transfers (AXFR/IXFR), DNSSEC, and when UDP responses exceed size limits.

- DNS Root Servers: At the top of the DNS hierarchy. Governed by ICANN. 13 global logical servers.
- Authoritative Nameservers: Provide final answers for queries in their zones.
- Non-authoritative Nameservers: Relay info learned from authoritative sources.
- Caching DNS Server: Stores query results temporarily to reduce load/time.
- Forwarding Server: Forwards queries to an upstream resolver.
- Resolver: Local stub that initiates and processes DNS queries.
Misconfigured TCP-based DNS can allow full zone transfer (AXFR), revealing complete internal record data.
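The TCP framing and query-type point above is easiest to see on the wire. The following is an added example written for these notes, not code from the original page or from any of the tools it lists: it builds a TCP-framed DNS query (2-byte length prefix, 12-byte header, question section), parses it back, and flags the QTYPEs a monitored resolver should notice (AXFR = 252, IXFR = 251, ANY = 255). The name `bank.local` is taken from the notes; the transaction id and the `classify` wording are assumptions for the example.

```python
import struct

# QTYPE values from RFC 1035 and RFC 1995 (IXFR); 255 is ANY
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT",
               28: "AAAA", 33: "SRV", 251: "IXFR", 252: "AXFR", 255: "ANY"}
TRANSFER_QTYPES = {251, 252}


def encode_name(name):
    """Encode a dotted name into DNS label wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_tcp_query(name, qtype, txid=0x1234):
    """Build one DNS query and prefix it with the 2-byte length used over TCP."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return struct.pack("!H", len(msg)) + msg


def decode_name(msg, offset):
    """Decode a possibly-compressed name at offset; returns (name, offset after it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_tcp_query(stream):
    """Split one TCP-framed DNS message off a byte stream and parse its question section."""
    if len(stream) < 2:
        raise ValueError("need the 2-byte length prefix")
    (length,) = struct.unpack("!H", stream[:2])
    msg = stream[2:2 + length]
    if len(msg) != length:
        raise ValueError("truncated DNS message")  # a partial TCP read, not a full message
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "qtype": qtype,
                          "qtype_name": QTYPE_NAMES.get(qtype, str(qtype)), "qclass": qclass})
    return {"txid": txid, "flags": flags, "questions": questions}


def classify(parsed):
    """Return review flags for question types that should only come from known peers."""
    flags = []
    for q in parsed["questions"]:
        if q["qtype"] in TRANSFER_QTYPES:
            flags.append(f"zone transfer request ({q['qtype_name']}) for {q['name']}")
        elif q["qtype"] == 255:
            flags.append(f"ANY query for {q['name']} (amplification/enumeration)")
    return flags


if __name__ == "__main__":
    pkt = build_tcp_query("bank.local", 252)  # the same request `dig ... axfr +tcp` sends
    parsed = parse_tcp_query(pkt)
    print(parsed["questions"], classify(parsed))
```

Feeding the parser a stream with the last byte missing raises `ValueError` rather than silently returning a short question, which matters when reading DNS-over-TCP from a socket where one `recv` may not deliver the whole message.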
Attacks
Zone Transfer (AXFR)
AXFR runs over TCP only; a nameserver that accepts transfer requests without authentication or an allow-list hands its complete zone data to any client that asks.
DNS Tunneling / Exfil
Stable channel for data exfiltration via tools like iodine, dnscat2, or dnscapy.
Firewall Bypass
TCP/53 is sometimes allowed outbound where HTTP/S isn't, so it can be abused as a covert C2 channel.
Poisoning (via weak recursion and cache)
If recursion is open to clients the server should not serve, cache poisoning attacks may be possible.
Tools & Exploits
Enumeration
amass
```bash
amass enum -d target.com -o $outfile
```
dig
```bash
# Basic
dig domain.com
# NS Records
dig -t NS domain.com
# ANY Record
dig -t ANY domain.com
# Reverse lookup
dig -x 192.168.1.1
# Zone transfer attempt (TCP)
dig AXFR domain.com @nameserver.com +tcp
dig bank.local axfr @10.10.10.10 +tcp
# Batch
dig -f domains.txt
```
dnsrecon
```bash
dnsrecon -d domain.com -t axfr -n <target>
```
dnsenum
```bash
dnsenum domain.com -f wordlist.txt
```
nmap
```bash
nmap -sT -p53 --script=dns-zone-transfer,dns-recursion,dns-nsid <target>
# quote the glob so the shell does not expand it against local files
nmap 10.10.10.10 -n --script "*dns*"
```
host
```bash
host -t ns domain.com
host -t a domain.com
host -l domain.com ns1.domain.com
```
nslookup
```
nslookup
> server <nameserver>
> set type=mx
> domain.com
```
metasploit
```
use auxiliary/gather/enum_dns
```
sublist3r
```bash
sublist3r -b -d domain.com -o $outfile
```
SubBrute
```bash
python subbrute.py domain.com
```
knock.py
```bash
git clone https://github.com/guelfoweb/knock.git
python knockpy.py domain.com
```
theharvester
```bash
theharvester -d target.com -b all
```
whois
```bash
whois domain.com
```
dnsutils
```bash
apt install dnsutils -y
```
discover
Checks ARIN, dnsrecon, goofile, theHarvester, recon-ng, etc.
```bash
git clone https://github.com/leebaird/discover
```
Exploitation or Post-Enum
Extract Zone Data (AXFR)
```bash
dig AXFR domain.com @dns-server +tcp
```
Provides the full list of records: A, AAAA, CNAME, MX, TXT, SRV, etc.
DNS Tunneling
```bash
# iodine server:
sudo iodine -f -P password 10.0.0.1 tunnel.domain.com
# dnscat2 server:
ruby ./dnscat2.rb
```
Firewall Evasion
- If TCP/53 is allowed out, tunnel or beacon over DNS instead of blocked ports.
DNS Rebind Attack
- Use special DNS servers (e.g. singularity or rebind) to force IP changes across requests to bypass same-origin policies.
- Often used against internal web interfaces by causing the victim browser to talk to LAN IPs via public DNS.
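The rebinding bullets above describe a public name whose answers flip to LAN addresses between requests. The resolver-side defence is to refuse such answers, which is what the following added example does; it is written for these notes and is not code from the page, from singularity, or from any resolver. It models the check that dnsmasq-style "stop DNS rebind" options perform: answers in RFC 1918, loopback, link-local, and the equivalent IPv6 ranges are dropped unless the queried name is under a trusted internal zone. The zone `corp.example.internal`, the sample names, and the addresses are constructed for the example.

```python
import ipaddress

# Ranges a public name should never resolve to: RFC 1918, loopback, link-local,
# the "this network" block, and their IPv6 counterparts (ULA, link-local, ::1).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed allowlist of zones that legitimately resolve to internal addresses.
TRUSTED_INTERNAL_ZONES = ("corp.example.internal",)


def unwrap(addr):
    """Parse an address; an IPv4-mapped IPv6 answer (::ffff:a.b.c.d) is still an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_internal_address(addr):
    ip = unwrap(addr)
    # membership across address families is simply False, so mixing v4/v6 nets is safe
    return any(ip in net for net in INTERNAL_NETS)


def in_trusted_zone(qname):
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in TRUSTED_INTERNAL_ZONES)


def filter_answers(qname, answers):
    """Split A/AAAA answers for qname into (kept, dropped); internal answers are
    dropped unless the name is under a trusted internal zone."""
    if in_trusted_zone(qname):
        return list(answers), []
    kept, dropped = [], []
    for addr in answers:
        (dropped if is_internal_address(addr) else kept).append(addr)
    return kept, dropped


def detect_flip(history, qname, answers):
    """Record the answer set for qname; return True when it flipped from all-public
    to internal, the request-to-request change rebinding relies on."""
    prev = history.get(qname)
    now_internal = any(is_internal_address(a) for a in answers)
    history[qname] = list(answers)
    was_public = prev is not None and not any(is_internal_address(a) for a in prev)
    return was_public and now_internal


if __name__ == "__main__":
    print(filter_answers("evil.example", ["203.0.113.10", "10.0.0.1", "::ffff:192.168.1.1"]))
    h = {}
    detect_flip(h, "evil.example", ["203.0.113.10"])
    print(detect_flip(h, "evil.example", ["127.0.0.1"]))
```

The IPv4-mapped case is the one a naive filter misses: `::ffff:192.168.1.1` is an IPv6-looking answer that a dual-stack client will happily connect to as 192.168.1.1.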
Wireshark Analysis Tips
Filters
```
tcp.port == 53
dns
```
What to look for:
- AXFR or IXFR query types
- Large or slow DNS responses
- Non-standard record abuse (e.g. data in TXT records)
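The three items above can be checked in bulk against a resolver's query log rather than one packet at a time. The following is an added example for these notes, not code from the page or from Wireshark: it runs over a constructed, simplified log in the shape `time client qname qtype` (the format is an assumption, not any real server's log layout) and flags AXFR/IXFR requests, long high-entropy leftmost labels of the kind iodine and dnscat2 produce when encoding upstream data, and bursts of TXT lookups from one client under one parent zone. The thresholds are assumptions to tune per environment.

```python
import math
import re
from collections import defaultdict

# Constructed sample log; it stands in for a resolver's query log and is not real output.
SAMPLE_LOG = """\
12:00:01 10.0.0.5 www.example.com A
12:00:02 10.0.0.5 example.com MX
12:00:03 10.0.0.9 bank.local AXFR
12:00:04 10.0.0.7 a3f9c2e17b.tunnel.example.net TXT
12:00:05 10.0.0.7 b7e1d0aa43.tunnel.example.net TXT
12:00:06 10.0.0.7 0c4d99f21e.tunnel.example.net TXT
12:00:07 10.0.0.7 dd2a5be870.tunnel.example.net TXT
12:00:08 10.0.0.5 mail.example.com A
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def shannon_entropy(text):
    """Bits per character; random-looking tunnel payload labels score near log2(alphabet)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyse(text, txt_threshold=3, min_label_len=10, entropy_threshold=3.0):
    """Return (kind, client, detail) findings for the three patterns in the list above."""
    findings = []
    txt_counts = defaultdict(int)  # (client, parent zone) -> number of TXT queries
    for rec in parse_log(text):
        qname = rec["qname"].rstrip(".").lower()
        qtype, client = rec["qtype"].upper(), rec["client"]
        labels = qname.split(".")
        # 1. transfer requests should only ever come from configured secondaries
        if qtype in ("AXFR", "IXFR"):
            findings.append(("zone_transfer", client, f"{qtype} {qname}"))
        # 2. a long, high-entropy leftmost label is how tunnels carry upstream data
        if len(labels[0]) >= min_label_len and shannon_entropy(labels[0]) >= entropy_threshold:
            findings.append(("high_entropy_label", client, qname))
        # 3. many TXT lookups from one client under one zone suggest a downstream channel
        if qtype == "TXT":
            txt_counts[(client, ".".join(labels[-3:]))] += 1
    for (client, parent), n in txt_counts.items():
        if n >= txt_threshold:
            findings.append(("txt_burst", client, f"{n} TXT queries under {parent}"))
    return findings


def summarize(findings):
    """Count findings per kind for a quick triage view."""
    counts = defaultdict(int)
    for kind, _, _ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

On real logs, whitelist your own secondaries for the zone-transfer rule and tune the entropy threshold against a day of normal traffic first; CDN and cloud hostnames can contain long hashed labels that score high on their own.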
References
- https://book.hacktricks.wiki/network-services-pentesting/dns-pentesting
- https://nmap.org/nsedoc/scripts/dns-zone-transfer.html
- https://github.com/darkoperator/dnsrecon
- https://github.com/fwaeytens/dnsenum
- https://github.com/aboul3la/Sublist3r
- https://github.com/leebaird/discover
- https://github.com/guelfoweb/knock
- https://github.com/rebind/Rebind
- https://github.com/iagox86/dnscat2
- https://github.com/yarrick/iodine