
01. DNS Zone Transfers

1. DNS Server or Name Server

A DNS server, also called a name server, is responsible for translating human-readable domain names (e.g., example.com) into IP addresses (e.g., 192.0.2.1) that computers use to communicate.

Types of DNS Servers:
  1. Recursive Resolver: Finds the IP address for the client by querying other DNS servers.
  2. Authoritative Server: Stores and serves DNS records for a specific domain.
  3. Root Server: Directs queries to the correct Top-Level Domain (TLD) servers.
  4. TLD Server: Manages specific domain extensions (e.g., .com, .org).

2. DNS Records

DNS records are entries in the DNS database that provide information about domains. Below are all major DNS record types:

Record Type  Description                                  Example
A            Maps a domain to an IPv4 address             example.com. IN A 192.0.2.1
AAAA         Maps a domain to an IPv6 address             example.com. IN AAAA 2001:0db8::1
CNAME        Provides an alias for another domain         www.example.com. IN CNAME example.com.
MX           Specifies mail servers for a domain          example.com. IN MX 10 mail1.example.com.
NS           Specifies authoritative name servers         example.com. IN NS ns1.example.com.
SOA          Provides administrative information          example.com. IN SOA ns1.example.com. admin.example.com.
TXT          Stores text-based information (e.g., SPF)    example.com. IN TXT "v=spf1 include:_spf.google.com ~all"
PTR          Reverse DNS lookup (IP to domain)            1.2.0.192.in-addr.arpa. IN PTR example.com.
SRV          Defines the location of specific services    _sip._tcp.example.com. IN SRV 10 5 5060 sipserver.example.com.
CAA          Specifies allowed certificate authorities    example.com. IN CAA 0 issue "letsencrypt.org"

3. DNS Interrogation

DNS interrogation is the process of querying DNS servers to collect information about a domain or IP address. This is commonly used in cybersecurity reconnaissance.

Examples of DNS Interrogation Techniques:
  1. Forward DNS Lookup: Resolves a domain to its IP address.

    nslookup example.com
    
  2. Reverse DNS Lookup: Resolves an IP address to its domain.

    nslookup 192.0.2.1
    
  3. Querying Specific Records: Retrieve specific DNS record types.

    dig example.com MX
    nslookup -type=TXT example.com
    
  4. Brute-Forcing Subdomains: Uses wordlists to find subdomains.


4. DNS Zone Transfer

A DNS Zone Transfer is a mechanism to replicate DNS data from one server to another. It is intended for synchronizing DNS data between primary and secondary servers.

If improperly configured (for example, transfers permitted from any client), it can allow attackers to retrieve all DNS records of a domain. Authoritative servers should accept AXFR requests only from their designated secondary servers, ideally authenticated with TSIG.

Command for Zone Transfer:
dig axfr @nameserver domainname

Example:

dig axfr @nsztm1.digi.ninja zonetransfer.me
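To see what a permissive transfer actually hands out, the following added example (not from the original page) parses the output of a dig axfr run against a zone you administer and summarises the exposure: record-type counts, whether the transfer is complete (opening and closing SOA), and hosts that point at RFC 1918 address space, which should never appear in a public zone. The sample output is constructed and uses documentation addresses.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in dig's AXFR output format: name ttl class type rdata
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr @ns1.example.com example.com
example.com.           3600 IN SOA  ns1.example.com. admin.example.com. 2024010101 7200 900 1209600 3600
example.com.           3600 IN NS   ns1.example.com.
example.com.           3600 IN MX   10 mail.example.com.
www.example.com.       300  IN A    192.0.2.10
mail.example.com.      300  IN A    192.0.2.25
vpn.example.com.       300  IN A    198.51.100.5
intranet.example.com.  300  IN A    10.0.5.20
backup-db.example.com. 300  IN A    172.16.8.9
example.com.           3600 IN SOA  ns1.example.com. admin.example.com. 2024010101 7200 900 1209600 3600
;; Query time: 12 msec
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

# Listed explicitly: ipaddress.is_private also flags documentation ranges
# such as 192.0.2.0/24, which would cause false positives here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_axfr(text):
    """Return (name, ttl, rtype, rdata) tuples, skipping dig's ';' comment lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name, int(ttl), rtype, rdata.strip()))
    return records


def assess_exposure(records):
    """Summarise what the transfer revealed about the zone."""
    counts = Counter(rtype for _, _, rtype, _ in records)
    private_hosts = [
        (name, rdata) for name, _, rtype, rdata in records
        if rtype == "A" and any(ipaddress.ip_address(rdata) in net for net in RFC1918)
    ]
    # A well-formed AXFR begins and ends with the zone's SOA record
    return {"complete": counts["SOA"] == 2, "counts": dict(counts), "private_hosts": private_hosts}


if __name__ == "__main__":
    print(assess_exposure(parse_axfr(SAMPLE_AXFR)))
```

Run it against real output by piping dig axfr into the script instead of SAMPLE_AXFR; any entry in private_hosts is a record to remove from the public zone, and a complete result from an unexpected client means the allow-transfer policy needs tightening.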

5. Tools and Commands for DNS Reconnaissance


A. DNSenum
A tool for enumerating DNS records, subdomains, and testing for zone transfers.

Command:
dnsenum zonetransfer.me
Explanation:
  • Enumerates information about zonetransfer.me.
  • Attempts to retrieve DNS records (A, MX, NS, etc.).
  • Checks for possible zone transfers.

B. Dig
A versatile command-line tool for querying DNS records.

Commands:
  1. Query a specific record:

    dig example.com MX
    

    Explanation: Retrieves MX records for example.com.

  2. Perform a zone transfer:

    dig axfr @nameserver domainname
    

    Example:

    dig axfr @nsztm1.digi.ninja zonetransfer.me
    

    Explanation:

    • axfr: Specifies a zone transfer query.
    • @nameserver: Indicates the authoritative name server to query.
    • zonetransfer.me: The target domain.

C. Fierce
A DNS reconnaissance tool that can identify subdomains and test zone transfers.

Commands:
  1. Basic zone transfer:

    fierce --domain zonetransfer.me
    

    Explanation: Tests if zonetransfer.me allows a zone transfer.

  2. Brute-forcing subdomains using a wordlist:

    fierce --domain zonetransfer.me --subdomains accounts admin ads
    

    Explanation:

    • --domain: Specifies the target domain.
    • --subdomains: One or more subdomain labels to try (here accounts, admin and ads); use --subdomain-file to read a wordlist instead.

Examples and Use Cases

  1. Basic Domain Query: Retrieve DNS records for a domain:

    dig example.com ANY
    

    Output: Lists the DNS records the server returns for example.com. Note that many authoritative servers now answer ANY queries with a minimal response (RFC 8482), so query the individual record types when the result looks incomplete.

  2. Testing Zone Transfer: Check if a domain's DNS configuration is vulnerable:

    dig axfr @nsztm1.digi.ninja zonetransfer.me
    
  3. Brute-Forcing Subdomains: Use Fierce to find hidden subdomains:

    fierce --domain zonetransfer.me --subdomains accounts admin ads
    

Key Points:

  1. DNS interrogation is a powerful reconnaissance technique that must be used ethically and with permission.
  2. Misconfigured DNS servers can expose sensitive information through zone transfers.
  3. Tools like dnsenum, dig, and fierce simplify DNS reconnaissance tasks.

These techniques are commonly used in offensive security assessments to map the attack surface of a domain. Always ensure compliance with legal and ethical standards before conducting such activities.