Pentesting DNS

OSI Layer 7

DNS listens on UDP/53 for lookups and on TCP/53 for zone transfers. To reduce the risk of an unauthorised zone transfer, and as part of a defence-in-depth approach, it is advised to limit access to TCP/53 to trusted hosts unless it is specifically required; this reduces the overall attack surface.

DNS Testing Methodology

  • Perform a DNS brute-force hostname and subdomain lookup.
  • Are there any records that point to non-existent IP addresses or CNAME targets? Redundant records could be used by a bad actor who managed to gain access to one of those IP addresses, enabling phishing attacks, data exfiltration and impersonation.
  • Is an SPF TXT record defined? Is the SPF record too wide (i.e. does it include hosts not owned or used by the domain owner)? The SPF record also reveals the IP addresses of the outbound SMTP servers used by the target domain.
  • Is a zone transfer possible?
  • Check for typographical errors within the DNS records, i.e. anything that looks mistyped.
  • Check for CNAME records that point at a provider not under the control of the domain owner.
  • Does the target domain answer the ANY query type? If yes, the server is open to a potential DNS amplification attack.
  • Check all discovered records for 'dangling entries', where a DNS record points to a host or IP address that no longer exists. If a bad actor could gain control of that host or IP address, the DNS record could be misused. Ask the owner of the DNS zones under test whether they can share the entire zone with you, so you can assess each record. Records of interest are NS, A, CNAME and MX.
  • Is dynamic DNS registration possible?
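Two of the checks above (SPF width and dangling or third-party CNAME targets) can be run over a zone export the owner has shared with you. The script below is an added example, not part of the original article; the zone it audits is constructed sample data, and it assumes records in the TTL-less "name IN TYPE rdata" form with a leading $ORIGIN line.

```sh
#!/bin/sh
# Added example: audit an exported zone file for SPF width and CNAME hygiene.
ZONE_FILE="${TMPDIR:-/tmp}/zone-audit.$$"
trap 'rm -f "$ZONE_FILE"' EXIT
cat > "$ZONE_FILE" <<'EOF'
$ORIGIN example.com.
@        IN SOA   ns1.example.com. hostmaster.example.com. (1 3600 900 604800 300)
@        IN NS    ns1.example.com.
@        IN MX    10 mail.example.com.
@        IN TXT   "v=spf1 ip4:203.0.113.10 include:_spf.example.net +all"
ns1      IN A     203.0.113.1
mail     IN A     203.0.113.10
www      IN CNAME web.example.com.
web      IN A     203.0.113.20
old-shop IN CNAME shop-legacy.example.com.
blog     IN CNAME example-blog.thirdpartyhost.example.
EOF

# Print the qualifier on the SPF "all" mechanism; "+all" or "?all" is too wide, "none" = no SPF.
spf_all_qualifier() {
    awk -F'"' '$0 ~ /IN[ \t]+TXT/ && $2 ~ /^v=spf1/ {
        n = split($2, m, " ")
        for (i = 1; i <= n; i++) if (m[i] ~ /^[-+~?]?all$/) {
            q = m[i]; if (q !~ /^[-+~?]/) q = "+" q   # a bare "all" defaults to "+all"
            print q; found = 1
        }
    } END { if (!found) print "none" }' "$1"
}

# Per CNAME: DANGLING if an in-zone target has no A/AAAA/CNAME, EXTERNAL if outside the zone, else OK.
cname_report() {
    origin=$(awk '$1 == "$ORIGIN" { print $2; exit }' "$1")
    awk -v origin="$origin" '
        function fqdn(n) { return n == "@" ? origin : (n ~ /\.$/ ? n : n "." origin) }
        function in_zone(t) { return t == origin ||
            substr(t, length(t) - length(origin)) == "." origin }
        $3 == "A" || $3 == "AAAA" || $3 == "CNAME" { defined[fqdn($1)] = 1 }
        $3 == "CNAME" { target[fqdn($1)] = fqdn($4) }
        END {
            for (s in target) {
                t = target[s]
                if (!in_zone(t)) print "EXTERNAL", s, t
                else if (!(t in defined)) print "DANGLING", s, t
                else print "OK", s, t
            }
        }' "$1"
}
echo "SPF all qualifier: $(spf_all_qualifier "$ZONE_FILE")"
cname_report "$ZONE_FILE"
```

EXTERNAL entries are not necessarily a problem, but each one should be confirmed as a provider the domain owner still controls.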


Testing for DNS services. Note: DNS uses TCP/53 for zone transfers.

sudo nmap -sTUVC -p53 208.67.222.222

DNS Server Enumeration

Enumerate DNS server software using dig (ineffective when targeting a Microsoft DNS server).

dig version.bind CHAOS TXT @192.168.1.196


Enumerate DNS server version using Nmap. Note: Microsoft DNS appears to be reported as Simple DNS Plus.

sudo nmap -sCVUT -p53 192.168.1.196


Does the DNS server support recursive queries? A server that answers this query for a zone it is not authoritative for, with the ra (recursion available) flag set, is an open resolver.

dig @192.168.1.196 www.isc.org. A +dnssec +multiline

Is a zone transfer possible for a domain? In this example we query 192.168.1.196 to see whether the zone zonetransfer.me permits zone transfers.

dnsrecon -d zonetransfer.me --name_server 192.168.1.196 -t axfr

Or

fierce --dns-servers 192.168.1.192 --domain zonetransfer.me


Dynamic DNS registration. Can I register a DNS A record from my untrusted host, performing an unauthenticated dynamic DNS record injection, using Metasploit?

msfconsole
use admin/dns/dyn_dns_update
set ACTION ADD
set RHOSTS 10.0.0.5
set DOMAIN example.com
set HOSTNAME my-test-hostname
set IP 10.66.66.66
exploit

And to verify afterwards:

nslookup
set type=A
server 10.0.0.5
my-test-hostname.example.com

We can remove the newly created entry to cover our tracks after our good work:

msfconsole
use admin/dns/dyn_dns_update
set ACTION DELETE
set RHOSTS 10.0.0.5
set DOMAIN example.com
set HOSTNAME my-test-hostname
set IP 10.66.66.66
exploit

For a much greater list of DNS testing methods and tools, along with many other network protocols, take a look at my book https://www.amazon.co.uk/Network-Protocol-Testing-Made-Simple/dp/B0D1KYKVHJ

Richard Brake

Assoc. Security Consultant | eJPT | Security+

9 months

I really enjoy your publications, I will certainly look at your work, it's very clear to follow, thank you for sharing

More articles by Phil B.