# 53 - DNS

## <mark style="color:red;">TCP and UDP</mark> <a href="#tcp-and-udp" id="tcp-and-udp"></a>

By default, DNS serves requests over UDP on port 53. When a request or response exceeds the 512-byte limit of a single UDP packet, the query is re-sent over TCP. Responses with multiple records, IPv6 responses, large TXT records, DNSSEC responses and **zone transfers** are typical cases.

{% hint style="info" %}
Note: When DNS is listening on TCP, it is worth checking whether [zone transfer](#zone-transfer) is enabled.
{% endhint %}

## <mark style="color:red;">Banner Grabbing</mark> <a href="#banner-grabbing" id="banner-grabbing"></a>

DNS does not provide an information banner *per se*, but BIND exposes its version by default.

Note: The string returned for `version.bind` is controlled by the `version` option in the `options` section of the `/etc/named.conf` configuration file.

**dig**

```sh
dig version.bind CHAOS TXT @10.0.0.3
```

[**dns-nsid**](https://nmap.org/nsedoc/scripts/dns-nsid.html) **NSE Script**

```sh
nmap -sV --script dns-nsid -p53 -Pn 10.0.0.3
```
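The UDP-to-TCP fallback described under TCP and UDP, and the `version.bind` CHAOS TXT query that the `dig` command above sends, as an added Python example (this is not code from the page or from BIND/dig). It builds the query on the wire, reads the TC (truncated) flag that tells a client to retry over TCP, adds the 2-byte length prefix DNS uses on TCP, and extracts TXT strings from an answer. `constructed_version_response` is a constructed sample reply with a made-up version string, so the demo runs offline; `send_query` assumes a resolver on port 53 and is only used when you pass it a server yourself.

```python
"""DNS wire-format helpers for the version.bind check and the TC/TCP fallback.
Added example; the sample response and version string are constructed."""
import socket
import struct

CLASS_CH = 3          # CHAOS class, where version.bind lives
TYPE_TXT = 16

def encode_name(name: str) -> bytes:
    """'version.bind' -> b'\\x07version\\x04bind\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int, qclass: int, txid: int = 0x1234) -> bytes:
    """12-byte header (RD set, as dig does by default) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)

def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000),
            "tc": bool(flags & 0x0200),      # truncated: answer did not fit in UDP
            "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def frame_tcp(msg: bytes) -> bytes:
    """Over TCP every DNS message carries a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name; a pointer is 2 bytes."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def txt_strings(response: bytes) -> list:
    """Collect the character-strings of every TXT record in the answer section."""
    hdr = parse_header(response)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = _skip_name(response, off) + 4          # skip QTYPE + QCLASS
    found = []
    for _ in range(hdr["ancount"]):
        off = _skip_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata, off = response[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT:
            i = 0
            while i < len(rdata):
                n = rdata[i]
                found.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return found

def constructed_version_response(txid: int = 0x1234, truncated: bool = False) -> bytes:
    """Constructed sample reply to version.bind; the version string is made up."""
    flags = 0x8400 | (0x0200 if truncated else 0)     # QR + AA (+ TC)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CH)
    txt = b"9.16.1-Example"                            # constructed value
    rdata = bytes([len(txt)]) + txt
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return header + question + answer

def send_query(server: str, wire: bytes, timeout: float = 3.0) -> bytes:
    """Try UDP first; if the reply has TC=1, repeat over TCP (what dig does)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(wire, (server, 53))
        reply, _ = udp.recvfrom(4096)
    if not parse_header(reply)["tc"]:
        return reply
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(frame_tcp(wire))
        (length,) = struct.unpack("!H", tcp.recv(2))
        buf = b""
        while len(buf) < length:
            chunk = tcp.recv(length - len(buf))
            if not chunk:
                raise ConnectionError("TCP reply ended early")
            buf += chunk
    return buf

if __name__ == "__main__":
    query = build_query("version.bind", TYPE_TXT, CLASS_CH)
    print("query bytes:", len(query), "| TCP length prefix:", frame_tcp(query)[:2].hex())
    print("offline sample answer:", txt_strings(constructed_version_response()))
    print("truncated sample needs TCP retry:",
          parse_header(constructed_version_response(truncated=True))["tc"])
```

Run it as-is for the offline demonstration; `txt_strings(send_query("10.0.0.3", build_query("version.bind", TYPE_TXT, CLASS_CH)))` is the equivalent of the `dig` command above against your own server. A masked `version` option in `named.conf` shows up here as a TXT string of the operator's choosing rather than a release number.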

## <mark style="color:red;">DNS Enumeration</mark>

```bash
whois <RHOST>
host <RHOST> <RHOST>
host -l <RHOST> <RHOST>
dig @<RHOST> -x <RHOST>
dig {a|txt|ns|mx} <RHOST>
dig {a|txt|ns|mx} <RHOST> @ns1.<RHOST>
dig axfr @<RHOST> <RHOST>    # zone transfer
```

ffuf

```bash
ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://<RHOST>/ -H "Host: FUZZ.<RHOST>" -fs 185
```

gobuster

```bash
gobuster dns -d <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
gobuster vhost -u <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
```

wfuzz

```bash
wfuzz -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.<RHOST>" --hc 200 --hw 356 -t 100 <RHOST>
wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Origin: http://FUZZ.<RHOST>" --filter "r.headers.response~'Access-Control-Allow-Origin'" http://<RHOST>/
wfuzz -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,404,403 -H "Host: FUZZ.<RHOST>" -u http://<RHOST> -t 100
wfuzz -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,403,404 -H "Host: FUZZ.<RHOST>" -u http://<RHOST> --hw <value> -t 100
```

## <mark style="color:red;">Zone Transfer</mark> <a href="#zone-transfer" id="zone-transfer"></a>

DNS reconnaissance is extremely useful during the information gathering stage, as it can provide valuable insight into a domain and its infrastructure. It can also uncover new attack vectors, such as when Virtual Routing is enabled.

One method of DNS reconnaissance is a zone transfer, in which a Master DNS server copies a zone to another DNS server, typically a Slave server. Although these transfers should be restricted to specific IPs, misconfigured servers sometimes allow anyone to request them.

#### dig <a href="#dig-1" id="dig-1"></a>

```sh
dig axfr @10.0.0.3 domain
```

<details>

<summary>Parameters</summary>

* `axfr`: initiate an *AXFR* zone transfer query.
* `@10.0.0.3`: name or IP of the server to query.
* `domain`: name of the resource record that is to be looked up.

</details>

{% hint style="info" %}
Note: It is worth trying to initiate a zone transfer without a domain.
{% endhint %}

## <mark style="color:red;">Configuration files</mark> <a href="#configuration-files" id="configuration-files"></a>

Examine configuration files:

```
host.conf
resolv.conf
named.conf
```
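A defender-side check tying the Zone Transfer section to the `named.conf` file listed above, as an added Python example (not code from the page or from BIND). It reads a BIND configuration, finds the effective `allow-transfer` ACL for each zone (a zone's own setting, else the global one under `options`) and reports zones that anyone could AXFR, and it reports whether the `version` option is set so that `version.bind` does not reveal the release. `SAMPLE_NAMED_CONF` is a constructed file showing the weak global setting beside a per-zone restriction, and `HARDENED_NAMED_CONF` is the same file with the global setting corrected; the parsing is a small brace-matching routine written for this example, not BIND's own parser.

```python
"""Audit a BIND named.conf for open zone transfers and an unmasked version.
Added example; both configuration samples below are constructed."""
import re

# Constructed sample: global allow-transfer { any; } is the weak setting.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/cache/bind";
    allow-transfer { any; };   // weak: anyone may AXFR every zone
    recursion no;
};

zone "example.test" {
    type master;
    file "/etc/bind/db.example.test";
    allow-transfer { 10.0.0.4; };   // restricted to the secondary only
};

zone "internal.test" {
    type master;
    file "/etc/bind/db.internal.test";
};
"""

# Same file with the global settings corrected: transfers off by default,
# version string masked so version.bind returns nothing useful.
HARDENED_NAMED_CONF = SAMPLE_NAMED_CONF.replace(
    "allow-transfer { any; };",
    'version "not disclosed";\n    allow-transfer { none; };')

def strip_comments(text: str) -> str:
    """Drop /* */, // and # comments before parsing."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def top_level_blocks(text: str):
    """Yield (header, body) for each top-level `header { body };` statement."""
    i = 0
    while True:
        start = text.find("{", i)
        if start == -1:
            return
        depth, j = 0, start
        while j < len(text):               # brace matching handles nested ACLs
            if text[j] == "{":
                depth += 1
            elif text[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        yield text[i:start].strip(" \t\n;"), text[start + 1:j]
        i = j + 1

def allow_transfer(body: str):
    """Return the allow-transfer ACL entries of a block, or None if unset."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]

def audit(conf: str) -> dict:
    text = strip_comments(conf)
    findings = {"version_masked": False, "open_transfer_zones": []}
    global_acl, zones = None, []
    for header, body in top_level_blocks(text):
        if header == "options":
            findings["version_masked"] = re.search(r'\bversion\s+"', body) is not None
            global_acl = allow_transfer(body)
        elif header.startswith("zone"):
            name = re.match(r'zone\s+"([^"]+)"', header).group(1)
            zones.append((name, allow_transfer(body)))
    for name, acl in zones:
        effective = acl if acl is not None else global_acl
        # No ACL anywhere is treated as open here: older BIND releases default
        # to allowing transfers to any host (assumption stated for this example).
        if effective is None or "any" in effective:
            findings["open_transfer_zones"].append(name)
    return findings

if __name__ == "__main__":
    print("weak config:    ", audit(SAMPLE_NAMED_CONF))
    print("hardened config:", audit(HARDENED_NAMED_CONF))
```

On the weak sample only `example.test` is safe, because its own `allow-transfer` overrides the global `any`; `internal.test` inherits the global ACL and is the zone a `dig axfr` from anywhere would succeed against. Point `audit` at the contents of a real `named.conf` (and any files it `include`s, which this example does not follow) to get the same two findings for a host you administer.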
