Show Menu
Cheatography

DNS Cheat Sheet (DRAFT) by

DNS information and useful tools

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Author

Created by Johnnyinc

CompTIA Security+

EC-Council CEH

ISC2 SSCP

Definition

The Domain Name System (DNS) is a hierar­chical distri­buted naming system for computers, services, or any resource connected to the Internet or a private network. It associates various inform­ation with domain names assigned to each of the partic­ipating entities. Most promin­ently, it translates easily memorized domain names to the numerical IP addresses needed for the purpose of locating computer services and devices worldwide. The Domain Name System is an essential component of the functi­onality of the Internet

DNS uses UDP port 53

www.ex­amp­le.com. => 93.184.21­6.119

Elements of the name:
- dot: at the end is the root [first zone]
- com: top level domain [TLD] [second zone]
- example: domain [third zone]
- www: subdomain [forth zone]

Subdomains examples:
- www.ex­amp­le.c­om:80
- smtp.e­xam­ple.com:25
- pop.ex­amp­le.c­om:110
- imap.e­xam­ple.co­m:143
- irc.ex­amp­le.c­om­:6669

DNS records

A: ipv4 address [www.ex­amp­le.c­om:80]

AAAA: ipv6 address [www.ex­amp­le.c­om:80]

MX: mail exchanger [smtp.e­xam­ple.com:25]

CNAME: alias resolves to another domain name [irc.ex­amp­le.c­om­:6669]

TXT: text [darkne­t.e­xam­ple.co­m:1337]

NS: name server [ns1.ex­amp­le.com]

ANY: any record type that exists for the subject of the query

HINFO: host inform­ation. Inform­ation about the CPU type and operating system of subject of the query

WKS: well-known services or applic­ations available on this host

PTR: pointer record. Returns a host name for an IP address

SOA: start of Authority record

SRV: service record is a specif­ication of data in the Domain Name System defining the location, i.e. the hostname and port number, of servers for specified services

Useful

Zone Transfers
DNS zone transfer, also sometimes known by the inducing DNS query type AXFR, is a type of DNS transa­ction. It is one of the many mechanisms available for admini­str­ators to replicate DNS databases across a set of DNS servers. Zone transfer comes in two flavors, full (AXFR) and increm­ental (IXFR).

Cache Snooping
DNS cache snooping is when someone queries a DNS server in order to find out (snoop) if the DNS server has a specific DNS record cached, and thereby deduce if the DNS server's owner (or its users) have recently visited a specific site.
This may reveal inform­ation about the DNS server's owner, such as what vendor, bank, service provider, etc. they use. Especially if this is confirmed (snooped) multiple times over a period. This method could even be used to gather statis­tical inform­ation - for example at what time does the DNS server's owner typically access his net bank etc. The cached DNS record's remaining TTL value can provide very accurate data for this. Great for determ­ining relations and outside services used that can be leveraged in Phising attempts

whois

Checks inform­ation about ownership of a domain name
$ whois [domain] - querying databases that store the registered users or assignees, such as a domain name, an IP addresses

Example:
$ whois hackme.com
Domain Name: HACKME.COM
Registrar: UNIREG­ISTRAR CORP
Sponsoring Registrar IANA ID: 1659
Whois Server: whois.u­ni­reg­ist­rar.com
Referral URL: http:/­/ww­w.u­nir­egi­str­ar.com
Name Server: NS1.HO­STI­NGN­ET.COM
Name Server: NS2.HO­STI­NGN­ET.COM
Status: client­Del­ete­Pro­hibited http:/­/ww­w.i­can­n.o­rg/­epp­#cl­ien­tDe­let­ePr­ohi­bited`
Status: client­Tra­nsf­erP­roh­ibited http:/­/ww­w.i­can­n.o­rg/­epp­#cl­ien­tTr­ans­fer­Pro­hib­ited`
Status: client­Upd­ate­Pro­hibited http:/­/ww­w.i­can­n.o­rg/­epp­#cl­ien­tUp­dat­ePr­ohi­bited`
Updated Date: 02-dec­-2014
Creation Date: 06-jun­-2003
Expiration Date: 06-jun­-2017

host

Query the DNS server
$ host [domain] - query dns server for domain
$ host [ip_ad­dress] - reverse dns lookup
$ host -t [DNS_r­ecord] [domain] - query dns for given DNS record
$ host -l [domain] - zone transfer using AXFR

Example
$ host hack.com
hack.com has address 23.21.2­24.150
hack.com mail is handled by 1000 0.0.0.0.h­ack.com.
======­===­===­===­===­===­======
$ host -t A hack.com
hack.com has address 23.21.2­24.150
======­===­===­===­===­===­======
$ host -t AAAA hack.com
hack.com has no AAAA record
======­===­===­===­===­===­======
$ host -t MX hack.com
hack.com mail is handled by 1000 0.0.0.0.h­ack.com.
======­===­===­===­===­===­======
$ host -t SOA hack.com
hack.com has SOA record ns1.di­gim­edi­a.com. dns.di­gim­edi­a.com. 2014090503 10800 3600 604800 3600
======­===­===­===­===­===­======
$ host -t PTR 23.21.2­24.150
150.22­4.2­1.2­3.i­n-a­ddr.arpa domain name pointer ec2-23­-21­-22­4-1­50.c­om­put­e-1.am­azo­naw­s.com.
 

Name Servers

Author­ita­tive: An author­itative name server provides actual answer to your DNS queries such as – mail server IP address or web site IP address (A resource record). It provides original and definitive answers to DNS queries. It does not provides just cached answers that were obtained from another name server. Therefore it only returns answers to queries about domain names that are installed in its config­uration system. There are two types of Author­itative Name Servers:
- Master server (primary name server): A master server stores the original master copies of all zone records. A hostmaster only make changes to master server zone records. Each slave server gets updates via special automatic updating mechanism of the DNS protocol. All slave servers maintain an identical copy of the master records
- Slave server (secondary name server): A slave server is exact replica of master server. It is used to share DNS server load and to improve DNS zone availa­bility in case master server fails. It is recommend that you should at least have 2 slave servers and one master server for each domain name

Recursive: A recursive nameserver is one that answers queries by asking other namese­rvers for the answer. It will satisfy queries from cache if possible, but otherwise it traverses the Internet (or private) namespace tree, from the root level if necessary, repeatedly asking the query on behalf of its client and following referrals from author­itative servers until it finds one that provides the answer(s) that it can return to its client

Caching: Caching name servers (DNS caches) store DNS query results for a period of time determined in the config­uration (time-­to-­live) of each domain­-name record. DNS caches improve the efficiency of the DNS by reducing DNS traffic across the Internet, and by reducing load on author­itative name-s­ervers, partic­ularly root name-s­ervers. Because they can answer questions more quickly, they also increase the perfor­mance of end-user applic­ations that use the DNS. Recursive name servers resolve any query they receive, even if they are not author­itative for the question being asked, by consulting the server or servers that are author­itative for the question. Caching name servers are often also recursive name server­s—they perform every step necessary to answer any DNS query they receive

nslookup

Query the DNS server
$ nslookup - brings the intera­ctive mode
$ > [domain] - query dns server for domain
$ > [ip_ad­dress] - reverse dns lookup
$ > server [ip_ad­dress or domain] - change the default (current) DNS server to ip_address or domain
$ > set root=d­nss­erver - makes the root DNS server the default DNS server for the query session
$ > domain dnssever - show the IP address of the host domain, but query dnsserver for the inform­ation
$ > set type=x - determines the type of DNS record that the DNS server will use to answer the query (x = DNS record type)
$ > set recursive - query other DNS servers if the default server does not have the inform­ation
$ > ls -a domain - list all canonical (true) names and aliases in domain
$ > ls -h domain - list HINFO (CPU type and operating system) for domain
$ > ls -s domain - list the well-known services available on domain
$ > ls -d domain - list all available records for domain. Includes all DNS record types
$ > ls -t [type] domain - list all DNS TYPE records for domain
$ > exit - quit the intera­ctive mode

Example
$ nslookup
$ > server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
$ > hack.com
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-au­tho­rit­ative answer:
Name: hack.com
Address: 23.21.2­24.150
$ > 23.21.2­24.150
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-au­tho­rit­ative answer:
150.22­4.2­1.2­3.i­n-a­ddr.arpa name = ec2-23­-21­-22­4-1­50.c­om­put­e-1.am­azo­naw­s.com.

Author­itative answers can be found from:
 

dig

Query the DNS server
$ dig [domain] - query dns server for name
$ dig +nocmd [domain] - drops dig version from query output
$ dig +nocom­ments [domain] - drops the question and answer section from query output
$ dig +noque­stion [domain] - drops the question from the query output
$ dig +noanswer [domain] - drops the answer from the query output
$ dig +noaut­hority [domain] - drops the inform­ation of author­itative dns from the query output
$ dig +noadd­itional [domain] - drops additional inform­ation from query output
$ dig +nostat [domain] - drops statistics from query output
$ dig +short [domain] - short form of query output
$ dig [DNS_r­ecord] [domain] - query dns for given DNS record
$ dig [domain] AXFR - zone transfer
$ dig -x [ip_ad­dres] - reverse dns lookup
$ dig @names­erver [domain] - query different name server
$ dig +search [domain] - uses dns servers from /etc/r­eso­lv.conf
$ dig -f /path/­to/file - query for hosts specified in the file
$ dig +noall - set or clear all display flags

Example
$ dig @8.8.8.8 hack.com
; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 hackme.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>­HEA­DER­<<- opcode: QUERY, status: NOERROR, id: 39044
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITI­ONAL: 0

;; QUESTION SECTION:
;hackm­e.com. IN A

;; ANSWER SECTION:
hackme.com. 299 IN A 69.172.20­1.208

;; Query time: 91 msec
;; SERVER: 8.8.8.8­#5­3(8.8.8.8)
;; WHEN: Thu Mar 12 21:50:25 2015
;; MSG SIZE rcvd: 44
======­===­===­===­===­===­======
$ dig @8.8.8.8 +short hack.com
69.172.20­1.208

fierce

Fierce is a semi-l­igh­tweight scanner that helps locate non-co­nti­guous IP space and hostnames against specified domains. It is meant specif­ically to locate likely targets both inside and outside a corporate network. Because it uses DNS primarily you will often find mis-co­nfi­gured networks that leak internal address space. That's especially useful in targeted malware