A significant source of information for us is the DNS, or Domain Name System. It is often called the phonebook of the internet: just as we look up a phone number in a phonebook by name, DNS looks up a computer name (domain name) to find the IP address needed to connect to it over the internet. DNS is generally used to resolve a domain name into an IP address. The components of DNS are:
- Name Server
- Zones
- IP address
- Domain name
DNS servers are divided into four types:
- Recursive resolver (DNS recursor): This works like an agent between the client and the name servers. It first receives a query from the web client, then sends it on to a root name server; when it receives a response from the authoritative name server containing the IP address, it sends that response back to the client.
- Root name server: Thirteen root name servers can be reached under IPv4 and IPv6 addresses. An international non-profit organization, the Internet Corporation for Assigned Names and Numbers (ICANN), maintains these root name servers. Their zone files contain all the domain names and IP addresses of the TLDs. Every recursive resolver knows these 13 root name servers; they are the first stop for each recursive resolver when searching for a DNS entry.
- TLD name server: A TLD name server manages the information on all domain names that share the same TLD. These TLD name servers are the responsibility of the Internet Assigned Numbers Authority (IANA) and are managed by it. This means that all domains under the TLD ".com" are managed by the corresponding TLD name server.
- Authoritative name server: Authoritative name servers store the DNS record information for domains. These servers are responsible for answering requests from other name servers with the IP address and other DNS entries for a web page, so the web page can be addressed and accessed by the client.
DNS Records & Queries
DNS works with many different records. DNS records are instructions that are located on authoritative DNS servers and contain information about a domain. These entries are written in the DNS syntax that gives the DNS servers the appropriate instructions. Here are the most common DNS records that we will come across during our Penetration Tests:
- A: IPv4 address records.
- AAAA: IPv6 address records.
- CNAME: Canonical Name records.
- HINFO: Host information records.
- ISDN: Integrated Services Digital Network records.
- MX: Mail exchange records.
- NS: Name server records.
- PTR: Reverse-lookup pointer records.
- SOA: Start of Authority records.
- TXT: Text records.
Subdomains & Hosts
A subdomain is a prefix added to a primary domain to create a separate section of a website. For example, in blog.example.com, blog is the subdomain of example.com. Subdomains are often used to organize different areas of a website, such as blogs, stores, or support pages.
A host refers to a specific machine or server that provides services on a network. In the context of domains, a hostname is the unique identifier assigned to a device within a network. For example, server1.example.com could be a hostname for a particular server.
Now, how can we find subdomains? There are many ways to enumerate them. One effective tool is Subfinder, which gathers subdomains from many different sources. See the following pictures: as you can see, it collects all of the target's subdomains.
DNS Security
DNS security is crucial for protecting the integrity and availability of the Domain Name System (DNS), which translates domain names into IP addresses. Since DNS was not originally designed with security in mind, attackers often exploit its vulnerabilities.
Common DNS Threats:
- DNS Spoofing (Cache Poisoning): Attackers inject false DNS data into a resolver’s cache, redirecting users to malicious sites.
- DNS Hijacking: Cybercriminals modify DNS settings to reroute traffic to fraudulent websites.
- NXDOMAIN Attacks: Flooding a DNS server with requests for non-existent domains, causing service disruptions.
- DNS Tunneling: Using DNS queries to secretly transmit malware or exfiltrate data.
- DNS Amplification Attacks: Exploiting open DNS resolvers to magnify DDoS attacks.
How to Enhance DNS Security:
- Use DNSSEC (Domain Name System Security Extensions): Adds cryptographic signatures to DNS records to prevent tampering.
- Implement Redundant DNS Servers: Ensures availability even if one server is compromised.
- Enable DNS Filtering: Blocks access to malicious domains.
- Monitor DNS Logs: Helps detect suspicious activity.
- Use Secure DNS Protocols: Such as DoH (DNS over HTTPS) and DoT (DNS over TLS) to encrypt DNS queries.
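As an added example (not from the original post), this Python snippet applies the "monitor DNS logs" advice to a constructed query log, flagging two of the threats listed above: a client producing an NXDOMAIN flood and query names that look like DNS tunneling. The log format and the thresholds are my assumptions, not tuned values.

```python
import math
from collections import Counter, defaultdict

# Constructed sample query log, one query per line: "<client> <qname> <qtype> <rcode>".
# The long leftmost labels mimic encoded data being carried inside query names.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A NOERROR
10.0.0.5 mail.example.com MX NOERROR
10.0.0.9 zz8a1.example.com A NXDOMAIN
10.0.0.9 q7vb2.example.com A NXDOMAIN
10.0.0.9 pl09x.example.com A NXDOMAIN
10.0.0.9 mm3kd.example.com A NXDOMAIN
10.0.0.7 aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.t.example.net TXT NOERROR
10.0.0.7 dGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcw.t.example.net TXT NOERROR
10.0.0.7 b3ZlciB0aGUgbGF6eSBkb2cgYWdhaW4.t.example.net TXT NOERROR
"""


def shannon_entropy(s):
    """Bits per character: encoded payloads score high, ordinary hostnames score low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parse_log(text):
    """Parse the constructed log format into (client, qname, qtype, rcode) tuples."""
    rows = []
    for line in text.splitlines():
        client, qname, qtype, rcode = line.split()
        rows.append((client, qname.lower().rstrip("."), qtype, rcode))
    return rows


def nxdomain_flooders(rows, threshold=3):
    """Clients with more than `threshold` NXDOMAIN answers (flood or name brute-forcing)."""
    counts = Counter(client for client, _, _, rcode in rows if rcode == "NXDOMAIN")
    return {client for client, n in counts.items() if n > threshold}


def tunneling_suspects(rows, min_label=25, min_entropy=3.5, min_unique=3):
    """Registered domains receiving several distinct, long, high-entropy leftmost labels."""
    seen = defaultdict(set)
    for _, qname, _, _ in rows:
        labels = qname.split(".")
        first, base = labels[0], ".".join(labels[-2:])
        if len(first) >= min_label and shannon_entropy(first) >= min_entropy:
            seen[base].add(first)
    return {base for base, labels in seen.items() if len(labels) >= min_unique}
```

In production the same two checks would run over a sliding time window per client, since a single busy resolver sees far more benign NXDOMAIN answers than this sample.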
Certificate Transparency
Certificate Transparency (CT) logs contain all certificates issued by a participating Certificate Authority (CA) for a specific domain. Therefore, SSL/TLS certificates from web servers include domain names, subdomain names, and email addresses. Since these logs are public and accessible to everyone, they are a valuable source for understanding the target company's infrastructure better. A tool that collects the CT log entries for our target domain from different sources and filters them is ctfr.py.
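As an added example (not ctfr.py's own code) that also covers the subdomain enumeration discussed earlier, this Python function extracts in-scope subdomains from CT search results. The JSON is constructed in the shape crt.sh returns (a `name_value` field holding newline-separated names); a look-alike entry is included to show why a plain string suffix match is not a safe scope check.

```python
import json

# Constructed sample of CT search output for example.com (not real log data).
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA", "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Example CA", "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\napi.dev.example.com"},
    {"issuer_name": "C=US, O=Example CA", "common_name": "Mail.Example.COM",
     "name_value": "Mail.Example.COM\nautodiscover.example.com"},
    {"issuer_name": "C=US, O=Example CA", "common_name": "example.com.other.test",
     "name_value": "example.com.other.test"},   # out of scope: merely contains the name
])


def in_scope(name, domain):
    """True if name is the domain itself or a subdomain of it (label-boundary check)."""
    return name == domain or name.endswith("." + domain)


def ct_subdomains(ct_json, domain, keep_wildcards=False):
    """Return sorted unique in-scope hostnames from CT results.

    Names are normalised to lowercase without a trailing dot. Wildcard entries
    ("*.dev.example.com") are dropped by default: they prove a zone exists but
    name no host to probe.
    """
    found = set()
    for entry in json.loads(ct_json):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name or not in_scope(name, domain):
                continue
            if name.startswith("*.") and not keep_wildcards:
                continue
            found.add(name)
    return sorted(found)
```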
Zone Transfer
Zone transfer in DNS refers to the transfer of zones to other DNS servers. This procedure is called the Asynchronous Full Transfer Zone (AXFR), as we have already learned. Since a DNS failure usually has severe consequences for a company, the zone files are almost without exception kept identical on several name servers.