DNS Deep Dive for Pentesters
TL;DR: DNS translates domain names to IP addresses. For pentesters, it’s a goldmine of reconnaissance data and a frequent attack target. Master DNS enumeration, zone transfers, and DNS-based attacks.
Table of Contents
Open Table of Contents
Quick Reference
Essential DNS Commands
| Command | Purpose | Example |
|---|---|---|
nslookup | Basic DNS queries | nslookup target.com |
dig | Advanced DNS queries | dig target.com ANY |
host | Simple DNS lookup | host -t mx target.com |
dnsrecon | DNS enumeration | dnsrecon -d target.com |
dnsenum | DNS brute forcing | dnsenum target.com |
fierce | DNS reconnaissance | fierce --domain target.com |
subfinder | Subdomain discovery | subfinder -d target.com |
amass | Comprehensive enum | amass enum -d target.com |
Common DNS Record Types
| Record | Purpose | Pentester Interest |
|---|---|---|
| A | IPv4 address | Target IPs |
| AAAA | IPv6 address | Additional attack surface |
| MX | Mail servers | Phishing targets, mail security |
| NS | Name servers | Zone transfer targets |
| TXT | Text records | SPF, DKIM, secrets |
| CNAME | Alias | Subdomain takeover |
| SOA | Zone authority | Zone info, admin email |
| PTR | Reverse DNS | IP-to-hostname mapping |
| SRV | Service records | Service discovery |
Common DNS Ports
| Port | Protocol | Service |
|---|---|---|
| 53 | UDP/TCP | Standard DNS |
| 853 | TCP | DNS over TLS (DoT) |
| 443 | TCP | DNS over HTTPS (DoH) |
| 5353 | UDP | mDNS (local network) |
Why DNS Matters for Pentesters
The First Step in Every Engagement
DNS is typically the first thing you query during reconnaissance. It reveals:
- Subdomains - Hidden applications, staging servers, admin panels
- Mail servers - Phishing targets, email security configuration
- Name servers - Potential zone transfer targets
- IP addresses - Infrastructure mapping
- TXT records - Sometimes contain secrets, API keys, or misconfigurations
- Cloud providers - CNAMEs often reveal AWS, Azure, GCP usage
Real-World Breaches Involving DNS
| Incident | DNS Role | Impact |
|---|---|---|
| MyEtherWallet (2018) | DNS hijacking via BGP | $17M cryptocurrency stolen |
| Twitter (2020) | DNS manipulation for SIM swap | High-profile accounts compromised |
| Sea Turtle Campaign | DNS registrar compromise | Government/military espionage |
| DNSpionage | DNS hijacking | Middle East organizations targeted |
How DNS Works
TL;DR: DNS is like a phone book for the internet - it translates human-readable names (google.com) to machine-readable IP addresses (142.250.80.46).
The DNS Hierarchy
┌─────────────────┐
│ Root Servers │ (.)
│ (13 clusters) │
└────────┬────────┘
│
┌──────────────┼──────────────┐
│ │ │
┌─────▼─────┐ ┌─────▼─────┐ ┌─────▼─────┐
│ .com │ │ .org │ │ .net │ TLD Servers
└─────┬─────┘ └───────────┘ └───────────┘
│
┌─────▼─────────────┐
│ example.com │ Authoritative NS
│ (Name Server) │
└─────┬─────────────┘
│
┌─────────┼─────────┐
│ │ │
┌───▼───┐ ┌───▼───┐ ┌───▼───┐
│ www │ │ mail │ │ api │ Individual Records
└───────┘ └───────┘ └───────┘Components of DNS
| Component | Role | Example |
|---|---|---|
| Stub Resolver | Your computer’s DNS client | Built into OS |
| Recursive Resolver | Queries on your behalf | 8.8.8.8, ISP DNS |
| Root Servers | Know TLD locations | 13 root server clusters |
| TLD Servers | Know authoritative NS | .com, .org, .net servers |
| Authoritative NS | Has actual records | ns1.example.com |
DNS Record Types
A Record (Address)
Maps hostname to IPv4 address.
example.com. IN A 93.184.216.34Pentester Use: Find target IP addresses, identify hosting providers.
Query Commands
# Using dig
dig example.com A
# Using nslookup
nslookup example.com
# Using host
host example.comExpected Output:
example.com. 300 IN A 93.184.216.34AAAA Record (IPv6 Address)
Maps hostname to IPv6 address.
example.com. IN AAAA 2606:2800:220:1:248:1893:25c8:1946Pentester Use: IPv6 addresses may have different firewall rules, additional attack surface.
Query Commands
# Using dig
dig example.com AAAA
# Check if IPv6 is configured
dig +short example.com AAAAMX Record (Mail Exchanger)
Specifies mail servers for a domain.
example.com. IN MX 10 mail.example.com.
example.com. IN MX 20 backup-mail.example.com.Pentester Use:
- Identify mail infrastructure
- Phishing target selection
- Check for email security (SPF, DMARC, DKIM)
Query Commands
# Get MX records
dig example.com MX
# Using host
host -t mx example.com
# Check mail server IPs
dig +short $(dig +short example.com MX | head -1 | awk '{print $2}')Expected Output:
example.com. 300 IN MX 10 mail.example.com.
example.com. 300 IN MX 20 mail2.example.com.NS Record (Name Server)
Specifies authoritative name servers.
example.com. IN NS ns1.example.com.
example.com. IN NS ns2.example.com.Pentester Use:
- Zone transfer targets
- DNS infrastructure mapping
- Potential subdomain enumeration
Query Commands
# Get name servers
dig example.com NS
# Get name server IPs
dig +short ns1.example.comTXT Record (Text)
Holds arbitrary text data, often used for verification and email security.
example.com. IN TXT "v=spf1 include:_spf.google.com ~all"
example.com. IN TXT "google-site-verification=abc123..."Pentester Use:
- SPF records reveal authorized mail senders
- Domain verification tokens (sometimes sensitive)
- Occasionally contain secrets or internal info
Query Commands
# Get all TXT records
dig example.com TXT
# Look for SPF
dig +short example.com TXT | grep spf
# Look for DMARC
dig +short _dmarc.example.com TXT
# Look for DKIM (need selector)
dig +short selector1._domainkey.example.com TXTExample Interesting Finds:
# Leaked internal info
"internal-api-key=sk_live_abc123..."
# Cloud verification
"aws-verification=abc123"
"MS=ms12345678"CNAME Record (Canonical Name)
Alias that points to another domain.
www.example.com. IN CNAME example.com.
blog.example.com. IN CNAME example.ghost.io.Pentester Use:
- Subdomain Takeover - If CNAME points to unclaimed resource
- Identify third-party services (CDNs, SaaS)
- Understand infrastructure relationships
Query Commands
# Check for CNAME
dig www.example.com CNAME
# Subdomain takeover check
dig blog.example.com CNAME
# If returns: blog.example.com. CNAME something.s3.amazonaws.com.
# And the S3 bucket doesn't exist - TAKEOVER POSSIBLE!SOA Record (Start of Authority)
Contains zone administrative information.
example.com. IN SOA ns1.example.com. admin.example.com. (
2023010101 ; Serial
3600 ; Refresh
1800 ; Retry
604800 ; Expire
86400 ) ; Minimum TTLPentester Use:
- Admin email (admin.example.com = admin@example.com)
- Zone serial number (change tracking)
- DNS infrastructure details
Query Commands
# Get SOA record
dig example.com SOA
# Extract admin email
dig +short example.com SOA | awk '{print $2}' | sed 's/\./@/' | sed 's/@$//'PTR Record (Pointer)
Reverse DNS - maps IP to hostname.
34.216.184.93.in-addr.arpa. IN PTR example.com.Pentester Use:
- Discover hostnames from IPs
- Validate target ownership
- Find related infrastructure
Query Commands
# Reverse lookup
dig -x 93.184.216.34
# Using host
host 93.184.216.34
# Bulk reverse lookups
for ip in $(cat ips.txt); do host $ip 2>/dev/null | grep "pointer"; doneSRV Record (Service)
Specifies service locations.
_ldap._tcp.example.com. IN SRV 0 100 389 dc1.example.com.
_kerberos._tcp.example.com. IN SRV 0 100 88 dc1.example.com.Pentester Use:
- Discover Active Directory domain controllers
- Find internal services
- Service enumeration
Query Commands
# Find AD Domain Controllers
dig _ldap._tcp.dc._msdcs.domain.local SRV
# Find Kerberos servers
dig _kerberos._tcp.domain.local SRV
# Find SIP services
dig _sip._tcp.example.com SRVDNS Query Process
TL;DR: When you type a URL, your computer asks a series of DNS servers until it finds the IP address.
Step-by-Step Resolution
┌────────┐
│ You │ 1. "What's the IP for www.example.com?"
│ (Client)│─────────────────────────────────────────────┐
└────────┘ │
▼
┌───────────────┐
│ Recursive │
│ Resolver │
│ (8.8.8.8) │
└───────┬───────┘
2. Check cache - not found │
│
3. "Who handles .com?" ┌─────────────────────▼─────────────────┐
┌──────────────────────│ Root Server (.) │
│ └───────────────────────────────────────┘
│
│ 4. "Ask .com TLD servers"
▼
┌──────────────────┐
│ .com TLD │
│ Server │
└────────┬─────────┘
│
│ 5. "example.com uses ns1.example.com"
▼
┌──────────────────┐
│ ns1.example.com │
│ (Authoritative) │
└────────┬─────────┘
│
│ 6. "www.example.com = 93.184.216.34"
▼
┌───────────────┐
│ Recursive │ 7. Cache result, return to client
│ Resolver │──────────────────────────────────────────┐
└───────────────┘ │
▼
┌────────┐
8. Got IP │ You │
│(Client)│
└────────┘DNS Caching Layers
| Layer | Location | TTL Control |
|---|---|---|
| Browser Cache | Chrome, Firefox | Minutes |
| OS Cache | systemd-resolved, dnsmasq | Hours |
| Recursive Resolver | ISP, Google, Cloudflare | Configured by authoritative |
| CDN/Proxy | Cloudflare, Akamai | Configured |
Pentester Note: Cached responses can hide recent changes. Use +nocache or query authoritative directly.
Bypass Cache Commands
# Query authoritative directly
dig @ns1.example.com www.example.com
# Request no caching
dig +nocache example.com
# Trace the full resolution
dig +trace example.com
# Flush local DNS cache
# Linux (systemd)
sudo systemd-resolve --flush-caches
# macOS
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
# Windows
ipconfig /flushdnsDNS Enumeration Techniques
TL;DR: DNS enumeration reveals subdomains, infrastructure, and potential attack vectors. Use multiple techniques for comprehensive coverage.
1. Basic Record Enumeration
Query all common record types for a domain.
| Attack | Detect | Defend |
|---|---|---|
| Query all record types | Monitor DNS query volumes | Rate limit DNS queries |
| Enumerate subdomains | Alert on enumeration patterns | Use DNS firewall |
| Discover hidden services | Log unusual record requests | Minimize public DNS info |
Commands
# Query all record types
dig example.com ANY
# Comprehensive enumeration
for type in A AAAA MX NS TXT SOA CNAME SRV; do
echo "=== $type Records ==="
dig +short example.com $type
done
# Using dnsrecon
dnsrecon -d example.com -t std2. Subdomain Brute Forcing
Guess subdomains using wordlists.
| Attack | Detect | Defend |
|---|---|---|
| Brute force subdomains | Monitor query rate per source | Wildcard DNS responses |
| Use large wordlists | Alert on NXDOMAIN floods | Rate limiting |
| Combine with permutations | Detect common tool signatures | DNS query logging |
Testing Checklist
- Run basic subdomain enumeration
- Try multiple wordlists (small, medium, large)
- Check for wildcard DNS (*.example.com)
- Use permutation techniques (dev, staging, prod)
- Combine passive and active enumeration
Commands
# Using gobuster
gobuster dns -d example.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
# Using ffuf
ffuf -u http://FUZZ.example.com -w subdomains.txt -v
# Using fierce
fierce --domain example.com
# Using dnsenum
dnsenum example.com
# Using dnsrecon brute
dnsrecon -d example.com -t brt -D /usr/share/wordlists/subdomains.txt
# Check for wildcard
dig nonexistent12345.example.com
# If returns IP, wildcard is configured3. Passive Subdomain Discovery
Find subdomains without touching target DNS.
| Source | What It Reveals | Tool |
|---|---|---|
| Certificate Transparency | SSL cert subdomains | crt.sh, certspotter |
| Search Engines | Indexed subdomains | Google dorks |
| DNS Datasets | Historical DNS data | SecurityTrails, DNSDumpster |
| Web Archives | Old subdomains | Wayback Machine |
| Threat Intelligence | Known infrastructure | VirusTotal, AlienVault |
Commands
# Certificate Transparency via crt.sh
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sort -u
# Using subfinder (passive)
subfinder -d example.com -silent
# Using amass (passive)
amass enum -passive -d example.com
# Using theHarvester
theHarvester -d example.com -b all
# Google dorking
# site:*.example.com -www
# DNSDumpster API
curl -s "https://api.hackertarget.com/hostsearch/?q=example.com"
# SecurityTrails (requires API key)
curl "https://api.securitytrails.com/v1/domain/example.com/subdomains" \
-H "APIKEY: your-api-key"4. Reverse DNS Sweeping
Find hostnames from IP ranges.
Commands
# Single reverse lookup
dig -x 192.168.1.1
# Sweep a /24 network
for i in {1..254}; do
host 192.168.1.$i 2>/dev/null | grep "pointer"
done
# Using dnsrecon
dnsrecon -r 192.168.1.0/24
# Using nmap
nmap -sL 192.168.1.0/24 | grep "("Zone Transfers
TL;DR: Zone transfers (AXFR) are meant for DNS replication between servers. Misconfigured servers may allow anyone to download the entire zone - a goldmine of information.
What is a Zone Transfer?
┌─────────────────┐ AXFR Request ┌─────────────────┐
│ Primary DNS │ ◄─────────────────────────────│ Secondary DNS │
│ (Master) │ │ (Slave) │
│ │ ────────────────────────────►│ │
│ example.com │ Full Zone Data │ example.com │
│ zone file │ (all records) │ zone copy │
└─────────────────┘ └─────────────────┘
▲
│ AXFR Request (Attacker)
│
┌────┴────┐
│ Attacker│ If allowed: ALL DNS records exposed!
└─────────┘Why It’s Dangerous
A successful zone transfer reveals:
- All subdomains (including internal ones)
- All IP addresses
- Mail servers
- Internal naming conventions
- Network topology hints
| Attack | Detect | Defend |
|---|---|---|
| Attempt AXFR on all NS | Log AXFR requests | Restrict AXFR to known IPs |
| Try TCP and UDP | Alert on unauthorized AXFR | Use TSIG authentication |
| Query each NS separately | Monitor DNS TCP traffic | Firewall port 53/TCP |
Testing Checklist
- Identify all name servers for domain
- Attempt zone transfer on each NS
- Try both TCP and UDP
- Document all discovered records
- Check for internal/staging subdomains
Commands
# First, find name servers
dig +short example.com NS
# Attempt zone transfer with dig
dig @ns1.example.com example.com AXFR
# Using host
host -t axfr example.com ns1.example.com
# Using nslookup
nslookup
> server ns1.example.com
> set type=AXFR
> example.com
# Using dnsrecon
dnsrecon -d example.com -t axfr
# Try all name servers
for ns in $(dig +short example.com NS); do
echo "Trying $ns..."
dig @$ns example.com AXFR
doneVulnerable Response:
example.com. 3600 IN SOA ns1.example.com. admin.example.com. ...
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN NS ns2.example.com.
example.com. 3600 IN MX 10 mail.example.com.
example.com. 3600 IN A 93.184.216.34
www.example.com. 3600 IN A 93.184.216.34
mail.example.com. 3600 IN A 93.184.216.35
internal.example.com. 3600 IN A 10.0.0.5 ; INTERNAL!
staging.example.com. 3600 IN A 10.0.0.10 ; STAGING!
admin.example.com. 3600 IN A 93.184.216.40 ; ADMIN PANEL!Secure Response:
; Transfer failed.DNS Attacks
1. DNS Cache Poisoning
Inject false DNS records into resolver cache.
┌─────────┐ ┌───────────┐
│ Victim │ ──── DNS Query ───►│ Resolver │
└─────────┘ └─────┬─────┘
│
┌───────────────────────────────┼───────────────────────────────┐
│ │ │
│ Legitimate │ Attacker │
│ ▼ │ ▼ │
┌────────────┐ │ ┌───────────┐ │
│ Real DNS │ ── Slow Response ────►│◄────── │ Fast Fake │ │
│ Server │ │ │ Response │ │
└────────────┘ │ └───────────┘ │
│ │ │ │
│ │ │ │
└───────────────────────────────┼───────────────┼───────────────┘
│ │
Resolver accepts │
first response ────────┘
│
▼
┌─────────────┐
│ Cache now │
│ poisoned │
└─────────────┘| Attack | Detect | Defend |
|---|---|---|
| Kaminsky attack | Monitor DNS response patterns | Source port randomization |
| Birthday attack | Detect duplicate transaction IDs | DNSSEC validation |
| Race condition | Alert on unexpected DNS changes | Query ID randomization |
Detection Commands
# Check if resolver validates DNSSEC
dig +dnssec example.com
# Check source port randomization
dig porttest.dns-oarc.net TXT
# Expected secure output:
# "Your resolver at X.X.X.X is GOOD: 26 ports seen"
# Vulnerable output:
# "Your resolver at X.X.X.X is POOR: 1 ports seen"2. DNS Spoofing (MITM)
Intercept and modify DNS responses on the network.
| Attack | Detect | Defend |
|---|---|---|
| ARP spoofing + DNS modification | Detect ARP anomalies | Use DNS over HTTPS/TLS |
| Rogue DHCP server | Monitor DHCP leases | Static DNS configuration |
| Evil twin AP | Detect duplicate SSIDs | VPN usage |
Attack Commands (Lab Only)
# Using ettercap (MITM + DNS spoof)
# Create dns.txt:
# *.target.com A 192.168.1.100
ettercap -T -q -i eth0 -M arp:remote /192.168.1.1// /192.168.1.50// -P dns_spoof
# Using bettercap
bettercap -iface eth0
> set dns.spoof.domains target.com
> set dns.spoof.address 192.168.1.100
> dns.spoof on
> arp.spoof on3. DNS Tunneling
Exfiltrate data or establish C2 through DNS queries.
┌─────────────┐ DNS Query: data.encoded.attacker.com ┌─────────────┐
│ Victim │ ──────────────────────────────────────────► │ Attacker │
│ Network │ │ DNS Server │
│ │ ◄────────────────────────────────────────── │ │
└─────────────┘ DNS Response: TXT "encoded response" └─────────────┘
│ │
│ │
DNS traffic Decode data
allowed through from queries
firewall| Attack | Detect | Defend |
|---|---|---|
| Encode data in subdomains | Monitor DNS query length | DNS query length limits |
| Use TXT records for C2 | Detect unusual TXT queries | DNS traffic analysis |
| Bypass firewall restrictions | Alert on high DNS volume | Block known tunnel domains |
Detection Commands
# Look for unusually long DNS queries
tcpdump -i eth0 port 53 -vv | grep -E "A\?.{50,}"
# Check for high DNS query volume
tcpdump -i eth0 port 53 -c 1000 | wc -l
# Using zeek/bro for DNS analysis
zeek -r capture.pcap local
# Tools that use DNS tunneling:
# - iodine
# - dnscat2
# - dns2tcp4. DNS Rebinding
Bypass same-origin policy using DNS.
1. Victim visits attacker.com
└──► DNS returns: attacker.com = 1.2.3.4 (attacker IP)
└──► Page loads malicious JavaScript
2. JavaScript waits for DNS TTL to expire
3. JavaScript makes request to attacker.com
└──► DNS now returns: attacker.com = 192.168.1.1 (internal IP!)
└──► Browser thinks it's same origin
└──► Access internal resource!| Attack | Detect | Defend |
|---|---|---|
| Low TTL DNS records | Monitor for rapid DNS changes | DNS pinning |
| Target internal services | Detect rebinding patterns | Block private IPs in DNS |
| Bypass browser SOP | Alert on TTL < 60 seconds | Internal network segmentation |
5. Subdomain Takeover
Claim abandoned subdomains pointing to external services.
┌───────────────┐ CNAME ┌──────────────────────┐
│ blog.target. │ ─────────────────►│ target.ghost.io │
│ com │ │ (DOESN'T EXIST!) │
└───────────────┘ └──────────────────────┘
│
│ Attacker registers target.ghost.io
▼
┌───────────────┐ CNAME ┌──────────────────────┐
│ blog.target. │ ─────────────────►│ target.ghost.io │
│ com │ │ (ATTACKER CONTROLLED)│
└───────────────┘ └──────────────────────┘Vulnerable Services:
- AWS S3 (NXDOMAIN on bucket)
- GitHub Pages
- Heroku
- Azure
- Ghost.io
- Shopify
- Many more…
| Attack | Detect | Defend |
|---|---|---|
| Find dangling CNAMEs | Monitor DNS records regularly | Remove unused DNS records |
| Claim abandoned resources | Alert on NXDOMAIN responses | Verify external service ownership |
| Serve malicious content | Inventory all subdomains | Use monitoring services |
Testing Checklist
- Enumerate all subdomains
- Check CNAME records for each
- Identify external service CNAMEs
- Verify service ownership/existence
- Attempt to claim abandoned services
Commands
# Find CNAMEs
dig +short subdomain.target.com CNAME
# Check if service exists
curl -I https://subdomain.target.com
# 404 from service provider = potential takeover
# Using subjack
subjack -w subdomains.txt -t 100 -timeout 30 -ssl -v
# Using nuclei
nuclei -l subdomains.txt -t takeovers/
# Manual check for S3
dig +short s3.target.com CNAME
# Returns: bucket-name.s3.amazonaws.com
aws s3 ls s3://bucket-name
# "NoSuchBucket" = TAKEOVER POSSIBLEDNS Security (DNSSEC)
TL;DR: DNSSEC adds cryptographic signatures to DNS responses, preventing tampering. Check if targets use it and look for misconfigurations.
How DNSSEC Works
┌─────────────────────────────────────────────────────────┐
│ DNSSEC Chain of Trust │
├─────────────────────────────────────────────────────────┤
│ │
│ Root Zone (.) ──► Signs .com DS record │
│ │ │
│ ▼ │
│ .com TLD ──► Signs example.com DS record │
│ │ │
│ ▼ │
│ example.com ──► Signs A, MX, TXT records │
│ │
│ Each level vouches for the level below │
│ │
└─────────────────────────────────────────────────────────┘DNSSEC Record Types
| Record | Purpose |
|---|---|
| RRSIG | Signature for a record set |
| DNSKEY | Public key for zone signing |
| DS | Delegation signer (hash of child DNSKEY) |
| NSEC/NSEC3 | Proves non-existence of records |
DNSSEC Vulnerabilities
| Vulnerability | Description | Impact |
|---|---|---|
| NSEC Walking | Enumerate all zone records | Information disclosure |
| Key Rollover Issues | Expired/invalid signatures | Denial of service |
| Missing DS | Chain of trust broken | Bypass DNSSEC validation |
Commands
# Check if domain uses DNSSEC
dig +dnssec example.com
# Verify DNSSEC chain
dig +sigchase +trusted-key=./root.key example.com
# Check for DNSKEY
dig example.com DNSKEY
# Check DS record at parent
dig example.com DS
# NSEC walking (zone enumeration)
# If using NSEC (not NSEC3):
ldns-walk @ns1.example.com example.com
# Or using dnsrecon
dnsrecon -d example.com -t nsecDNS Over HTTPS/TLS
TL;DR: DoH/DoT encrypt DNS queries, hiding them from network monitoring. Know how to detect and analyze these protocols.
Comparison
| Protocol | Port | Encryption | Detection |
|---|---|---|---|
| Standard DNS | 53 | None | Easy (visible queries) |
| DNS over TLS (DoT) | 853 | TLS | Medium (port 853 traffic) |
| DNS over HTTPS (DoH) | 443 | HTTPS | Hard (mixed with web traffic) |
Security Implications
For Pentesters:
- Client DNS queries hidden from network inspection
- Can bypass DNS-based security controls
- Exfiltration via DoH is harder to detect
For Defenders:
- Can’t inspect DNS for threat detection
- DNS-based blocklists may be bypassed
- Need TLS inspection or endpoint controls
Commands
# Query using DoH (cloudflare)
curl -H "accept: application/dns-json" \
"https://cloudflare-dns.com/dns-query?name=example.com&type=A"
# Using kdig for DoT
kdig -d @1.1.1.1 +tls example.com
# Using dog (modern DNS client)
dog example.com --tls @1.1.1.1
# Detect DoH traffic
# Look for connections to known DoH providers:
# - cloudflare-dns.com
# - dns.google
# - doh.opendns.comTools for DNS Testing
Command Line Tools
| Tool | Best For | Install |
|---|---|---|
| dig | Detailed queries | apt install dnsutils |
| nslookup | Quick lookups | Built-in |
| host | Simple queries | apt install bind9-host |
| dnsrecon | Comprehensive enum | apt install dnsrecon |
| dnsenum | Brute forcing | apt install dnsenum |
| fierce | Zone transfers + brute | pip install fierce |
| subfinder | Passive subdomain enum | go install subfinder |
| amass | Full-featured OSINT | apt install amass |
| massdns | High-speed resolution | apt install massdns |
Online Tools
| Tool | URL | Use |
|---|---|---|
| crt.sh | https://crt.sh | Certificate transparency |
| DNSDumpster | https://dnsdumpster.com | Visual DNS mapping |
| SecurityTrails | https://securitytrails.com | Historical DNS data |
| VirusTotal | https://virustotal.com | DNS + threat intel |
| ViewDNS | https://viewdns.info | Multiple DNS tools |
| MXToolbox | https://mxtoolbox.com | Email DNS checks |
Practice Labs
Beginner
| Resource | Focus | Link |
|---|---|---|
| TryHackMe - DNS in Detail | DNS basics | tryhackme.com |
| HackTheBox Academy - DNS Enumeration | Enumeration | academy.hackthebox.com |
| OverTheWire Natas | Web + DNS | overthewire.org |
Intermediate
| Resource | Focus |
|---|---|
| PentesterLab - DNS Rebinding | DNS attacks |
| VulnHub - DNS challenges | Various |
| HackTheBox machines | Real-world scenarios |
Home Lab Setup
# Set up BIND9 for practice
apt install bind9 bind9utils
# Configure zone for testing zone transfers
# Edit /etc/bind/named.conf.local
zone "testlab.local" {
type master;
file "/etc/bind/zones/testlab.local";
allow-transfer { any; }; # Vulnerable config for practice
};
# Create zone file at /etc/bind/zones/testlab.local
$TTL 604800
@ IN SOA ns1.testlab.local. admin.testlab.local. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.testlab.local.
ns1 IN A 192.168.1.10
www IN A 192.168.1.11
mail IN A 192.168.1.12
secret IN A 192.168.1.100Glossary
| Term | Definition |
|---|---|
| A Record | DNS record mapping hostname to IPv4 address |
| AXFR | Zone transfer protocol |
| Authoritative NS | DNS server that has original zone data |
| CNAME | Canonical name record (alias) |
| DNSSEC | DNS Security Extensions (cryptographic signing) |
| DoH | DNS over HTTPS |
| DoT | DNS over TLS |
| FQDN | Fully Qualified Domain Name (www.example.com.) |
| MX Record | Mail exchanger record |
| NS Record | Name server record |
| NXDOMAIN | Non-existent domain response |
| PTR Record | Pointer record (reverse DNS) |
| Recursive Resolver | DNS server that queries on client’s behalf |
| SOA | Start of Authority record |
| TLD | Top Level Domain (.com, .org, .net) |
| TTL | Time To Live (cache duration) |
| Zone | Administrative unit of DNS namespace |
| Zone Transfer | Replication of DNS zone between servers |
What’s Next?
Now that you understand DNS, continue your learning path:
| Topic | Description | Link |
|---|---|---|
| TLS/SSL Handshake | How HTTPS works and common attacks | Coming Soon |
| Network Fundamentals | Complete networking foundation | Network Fundamentals Guide |
| Web Basics | HTML, HTTP, cookies, headers | Web Basics Guide |
| Web App Pentesting | Putting it all together for web attacks | Web App Pentesting Guide |
Summary
DNS is foundational for penetration testing:
- Enumeration - DNS reveals subdomains, infrastructure, and services
- Zone Transfers - Misconfigured servers leak entire zones
- Attacks - Cache poisoning, spoofing, tunneling, rebinding
- Subdomain Takeover - Dangling CNAMEs can be claimed
- DNSSEC - Adds security but can be misconfigured
- DoH/DoT - Encrypted DNS changes detection landscape
Always include thorough DNS enumeration in your reconnaissance phase. The information gathered here guides your entire engagement.
Found this guide helpful? Check out the other posts in the SecureKhan penetration testing series.