What is DNS and why do we need it on a network?

DNS is like a telephone directory containing names, addresses, and telephone numbers. DNS is used on networks—both the internal networks of organizations and external networks across the internet. The DNS protocol is used to resolve hostnames (domain names) to IP addresses.

Before DNS, each computer contained a hosts file located in the C:\Windows\System32\drivers\etc directory. This file needed to be updated frequently to ensure that users were able to reach various websites or servers by specifying their hostnames or domain names. If the hosts file was not present, a user needed to specify the IP address of the server they would like to visit.

All devices on a network have an assigned IP address. Remembering all of the IP addresses for each server or website you want to visit would be quite challenging. If the hosts file doesn't contain the most up-to-date records of new servers and websites, the user would have difficulty in reaching their destination.

The following screenshot shows current entries within the hosts file of a Windows operating system:

Windows hosts file record

DNS helps us to avoid depending on the hosts file. Many popular internet companies, such as Cisco, Google, and Cloudflare, have established public DNS servers that contain records of almost every domain name on the internet. To elaborate further, let's use a simple example to help you to understand how DNS works.

Imagine you would like to visit a website, such as www.example.com:

  1. Whenever a computer or device needs to resolve a hostname to an IP address, it sends a DNS query message to its DNS server, as indicated in Step 1 in the following screenshot.
  2. The DNS server will check its records and respond with a DNS reply providing the client computer with the IP address of the domain, as displayed in Step 2 in the following screenshot.
  3. Finally, the client receives the IP address and establishes a session between itself and the www.example.com domain, as shown in the following screenshot:

DNS transactions

There are many public DNS servers on the internet; some are malicious in nature, capturing your DNS information and redirecting you to harmful websites and domains. As a result, I recommend using a trusted DNS provider on all of your networking devices and computers to improve your online safety. The following are some popular DNS servers on the internet:

Additionally, DNS servers not only resolve a hostname to an IP address, they also contain various records that are used for various types of resolution.

The following are the different record types:

DNS record types

An example of the A record type would be mapping the hostname of www.example.com to the IPv4 address 93.184.216.34; the AAAA record of the same hostname would contain the IPv6 address 2606:2800:220:1:248:1893:25c8:1946, and so on.

The nslookup utility is a very useful tool for validating DNS information. nslookup can perform various tasks, such as resolving each type of DNS record for a given domain, and it has the ability to query specific DNS servers.

DNS enumeration is the technique of probing specific DNS records for a specific organization's domain. In other words, we ask a DNS server about the IP addresses and server names for a target organization. Additionally, we attempt to perform a DNS zone transfer. A DNS zone transfer would allow the zone file to be copied from a master DNS server to another DNS server, such as a secondary DNS server.

However, DNS server administrators sometimes forget to apply security controls to prevent the copying of zone files to unauthorized servers. A successful DNS zone transfer can lead to a penetration tester obtaining the corporate network layout. In a worst-case scenario (for a targeted organization, that is), an organization may not separate the internal and external namespaces on their DNS servers. Such misconfigurations can lead to someone obtaining such information for malicious purposes.
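
As an added illustration (not code from the book), the Python below shows the defender's side of this misconfiguration: it parses the question section of a raw DNS message and flags zone transfer (AXFR) requests that come from addresses outside a list of authorized secondary servers. The allow list, the addresses and the sample messages are constructed for the example; for DNS over TCP, the 2-byte length prefix is assumed to have been stripped already.

```python
import ipaddress
import struct

AXFR = 252  # QTYPE for a full zone transfer request (RFC 1035)

def build_query(name, qtype, txid=0x1234):
    """Encode a one-question DNS query: 12-byte header, QNAME, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (name, qtype) for the first question in a raw DNS message."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("no complete header/question")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length, pos = msg[pos], pos + 1
        if length == 0:
            break
        if length > 63 or pos + length > len(msg):
            raise ValueError("bad label length")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated QTYPE/QCLASS")
    return ".".join(labels), struct.unpack("!H", msg[pos:pos + 2])[0]

def unauthorized_axfr(src_ip, msg, allowed_secondaries):
    """True if msg asks for a zone transfer and src_ip is not an allowed secondary."""
    _, qtype = parse_question(msg)
    if qtype != AXFR:
        return False
    src = ipaddress.ip_address(src_ip)
    return not any(src in ipaddress.ip_network(net) for net in allowed_secondaries)

# Constructed sample data: documentation-range addresses, hypothetical allow list.
ALLOWED = ["192.0.2.53/32"]
SAMPLES = [
    ("192.0.2.53", build_query("example.com", AXFR)),     # the configured secondary
    ("198.51.100.7", build_query("example.com", AXFR)),   # host not on the allow list
    ("198.51.100.7", build_query("www.example.com", 1)),  # ordinary A record lookup
]

def flagged(samples=SAMPLES, allowed=ALLOWED):
    # (source, zone) pairs for transfer requests from outside the allow list
    return [(ip, parse_question(m)[0]) for ip, m in samples if unauthorized_axfr(ip, m, allowed)]
```

Calling flagged() on the sample data returns only the AXFR request from 198.51.100.7; the same allow list is what the DNS server's own transfer restriction should enforce.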

In the following exercises, we are going to attempt the extraction of various DNS records for a given domain:

  • DNS enumeration
  • DNS zone transfer
  • Using the host utility to perform DNS analysis
  • DNS interrogation using Fierce

Let's dive in and have some fun with DNS and Kali Linux!
