This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

DNS

What is DNS?

The Domain Name System (DNS) is a distributed database responsible for translating user-friendly domain names into IP addresses.

DNS Records

Each domain can use several types of DNS records; the most common ones are listed in the table below:

| Record | Function |
|--------|----------|
| A | Address record, contains the IPv4 address of a hostname such as scanme.nmap.org |
| AAAA | Also known as a quad A record, contains the IPv6 address of a hostname such as scanme.nmap.org |
| NS | Nameserver record, contains the names of the authoritative servers hosting the DNS records for a domain |
| MX | Mail Exchange records contain the names of the servers responsible for handling email for the domain. A domain can contain multiple MX records, each with a preference value. |
| PTR | Pointer records are used in reverse lookup zones and map an IP address back to the hostname associated with it. |
| CNAME | Canonical Name records create aliases that point at another hostname. |
| TXT | Text records can contain arbitrary data and are used for various purposes, such as domain ownership verification and SPF policies. |

Authoritative Servers

Think of it this way: if the data for your domain, such as its IPv4 address (the A record), is stored on my server, then my server is an authoritative server for your domain, because it is the source that actually holds that information rather than a cached copy of it.

DNS Enumeration

For this section we will be using scanme.nmap.org and google.com as targets, and we will use both Windows and Kali Linux tools to perform the enumeration.

Linux

Using 'host' Command

  • Default

host google.com
google.com has address 142.251.37.46
google.com has IPv6 address 2a00:1450:4006:810::200e
google.com mail is handled by 10 smtp.google.com.
google.com has HTTP service bindings 1 . alpn="h2,h3"

  • With options

host -t ns google.com  # -t specifies the record type to query
google.com name server ns1.google.com.
google.com name server ns2.google.com.
google.com name server ns3.google.com.
google.com name server ns4.google.com.

Using 'dnsrecon' Command

  • Default

dnsrecon -d scanme.nmap.org # -d to specify a domain
[*] std: Performing General Enumeration against: scanme.nmap.org...
[-] DNSSEC is not configured for scanme.nmap.org
[*] 	 A scanme.nmap.org 45.33.32.156
[*] 	 AAAA scanme.nmap.org 2600:3c01::f03c:91ff:fe18:bb2f
[*] Enumerating SRV Records
[-] No SRV Records Found for scanme.nmap.org

  • With options

dnsrecon -d scanme.nmap.org -t std # -t here is to specify enumeration type (default)
[*] std: Performing General Enumeration against: scanme.nmap.org...
[-] DNSSEC is not configured for scanme.nmap.org
[*] 	 A scanme.nmap.org 45.33.32.156
[*] 	 AAAA scanme.nmap.org 2600:3c01::f03c:91ff:fe18:bb2f
[*] Enumerating SRV Records
[-] No SRV Records Found for scanme.nmap.org

Windows

Using 'nslookup' Command

  • Default

nslookup google.com
Server:  UnKnown
Address:  10.50.6.116

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:4006:810::200e
          142.251.37.46

  • With options

nslookup -type=MX google.com
Server:  UnKnown
Address:  10.50.6.116

Non-authoritative answer:
google.com      MX preference = 10, mail exchanger = smtp.google.com
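The commands above all do the same thing under the hood: send a DNS query packet and decode the answer records listed in the record table earlier on this page. The following script is an added example for this guide, not part of the guide itself or of the host, dnsrecon or nslookup tools. It is Python 3 using only the standard library, builds a query for any record type from the table, decodes A, AAAA, NS, CNAME, PTR, MX and TXT answers (including DNS name compression), and builds the in-addr.arpa name needed for a PTR lookup. The reply inside build_sample_response() is constructed so the script runs offline: its A and AAAA values are the ones dnsrecon printed above for scanme.nmap.org, while the MX record, the name mail.scanme.nmap.org and the TXT value are made up for the example. lookup() sends a real query over UDP and needs network access; the resolver address 8.8.8.8 is an assumed default.

```python
import ipaddress
import socket
import struct

# Record types from the table in this guide (RFC 1035 / RFC 3596 type codes).
QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}
TYPE_NAME = {code: name for name, code in QTYPE.items()}


def encode_name(name):
    """Encode a dotted hostname as DNS labels: <len><label>...<0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def reverse_name(ipv4):
    """Name to query for a PTR record: octets reversed under in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def build_query(name, rtype, txid=0x1234):
    """Standard recursive query: 12-byte header, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", QTYPE[rtype], 1)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte pointer back into an earlier name
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2  # the field ends right after the first pointer
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(msg):
    """Return answer records as (owner, type, ttl, value) tuples."""
    flags, qdcount, ancount = struct.unpack("!HHH", msg[2:8])
    if not flags & 0x8000 or flags & 0x000F:  # QR bit must be set, RCODE zero
        raise ValueError(f"not a successful response, flags=0x{flags:04x}")
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        off = read_name(msg, off)[1] + 4
    records = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype in (1, 28):            # A / AAAA: packed address
            value = str(ipaddress.ip_address(rdata))
        elif rtype in (2, 5, 12):       # NS / CNAME / PTR: a (compressible) name
            value = read_name(msg, off)[0]
        elif rtype == 15:               # MX: 16-bit preference, then a name
            value = f"{struct.unpack('!H', rdata[:2])[0]} {read_name(msg, off + 2)[0]}"
        elif rtype == 16:               # TXT: one or more <len><chars> strings
            value, i = "", 0
            while i < len(rdata):
                value += rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace")
                i += 1 + rdata[i]
        else:
            value = rdata.hex()
        records.append((owner, TYPE_NAME.get(rtype, str(rtype)), ttl, value))
        off += rdlen
    return records


def build_sample_response():
    """Constructed offline reply to 'scanme.nmap.org A' with extra records.
    A/AAAA values are from this guide; MX and TXT are made up. Owner names
    use a compression pointer (0xC00C) to the question name at offset 12."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 4, 0, 0)
    question = encode_name("scanme.nmap.org") + struct.pack("!HH", 1, 1)
    ptr = b"\xC0\x0C"
    a_rdata = ipaddress.IPv4Address("45.33.32.156").packed
    aaaa_rdata = ipaddress.IPv6Address("2600:3c01::f03c:91ff:fe18:bb2f").packed
    mx_rdata = struct.pack("!H", 10) + b"\x04mail" + ptr  # mail.scanme.nmap.org
    txt_rdata = b"\x0bv=spf1 -all"
    answers = b""
    for rtype, rdata in ((1, a_rdata), (28, aaaa_rdata), (15, mx_rdata), (16, txt_rdata)):
        answers += ptr + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + question + answers


def lookup(name, rtype, resolver="8.8.8.8", timeout=3.0):
    """Send the query over UDP and parse the reply (needs network access)."""
    query = build_query(name, rtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:  # reply must carry the transaction id we sent
        raise ValueError("transaction id mismatch")
    return parse_response(reply)
```

Running parse_response(build_sample_response()) yields the four records without touching the network; lookup("google.com", "MX") or lookup(reverse_name("45.33.32.156"), "PTR") reproduces what the nslookup and host commands above print, one record type per query, which is why tools like dnsrecon loop over every type in the table.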
