This is more of a follow up to the previous thread about DNS Zone Transfers.

Not an indepth post, but should give you some ideas how to use DNS servers for your informations gain. Using *nix commands, but windows users can find alternatives, DNS is cross platform

Using a program called dig, im going to give you a couple pointers to get some valuable information from the DNS servers.

Basic usage:



(from now on i will be grep-ing out the important information, dig by itself is very verberos)

That command used my local DNS server to lookup the IP of google.com. [NOTE] NS Records, are Name Servers - or IP's - responsible for that domain name, usually atleast 2 for every domain-name. In the end, if i wanted to contact google.com i'd be using the IP 216.239.57.99. Becuase of the A Record, which are alias's - simple name to ip converstion.

Here i can actually use Google's DNS server to lookup google.com



Not a great example for use of grep, but you get the idea. It resolves to the same IP but this time I used their DNS server.

This can be used because, sometimes DNS servers see the Internal Network and the External Network. So query-ing that DNS will often produce extra results.

Another example of dig usage is selecting the Record Types. For example, what happens if I wanted to know the domains primary mail server ? I would request, instead of the default A record - or automated NS record - I want the MX Record.



And there we go, if we needed to send an email, or had a exploit for an email server and wanted to know that domains server, there it is. Simple asking for the MX Record Type. Also, a less trivial is the Reverse Lookup DB, or the PTR Record Types but using the switch '-t PTR <IP>'

As shown in the previous thread with the client host, here I will also demonstrate the same method, but also using dig because it has all our DNS needs.

As mentioned in the previous thread, about my friends DNS server, what I dont think I said was only one of his DNS servers was actually vulnerable. Using the output of host, i could tell which one it was. Anyway, using dig as shown below im sending the srvr.weak.dns server a DNS Zone Transfer Request or an AXFR record query regarding the weak.dns domain.



http://www.governmentsecurity.org/forum/in...showtopic=15240

If a successful transfer is made, and the DNS knew about the internal networks, you will recieve a complete list of every computer that DNS Server knows about, and makes planning complex attacks so much easier...

Another tip is for getting the version of bind they are running, as described by whiskah Click Here to Scroll Down

Also great for pen-test as others have mentioned. Secure Your DNS.

not bad, finding higher efficiency in the programs you already know and love.

Great howto! I suggest everyone who manages a network to do this to their own internal DNS servers and restrict transfer requests to only trusted systems (i.e., not users). One of my pen test tools is to scan internal and external DNS for juicy tidbits. Very surpising what you find in there sometimes.

--P>G>>

I would like to add something to this post..
Determining BIND Version using DIG..As you can see from the result the BIND version is 9.2.5