Intro

There are a few reasons why DNS enumeration is important.

  1. Attack surface. DNS enumeration can reveal how large the target organization's environment is, which translates to the potential size of the attack surface. The number of domains and sub-domains gives an indication of how large or small the organization may be.
  2. Virtual Routing (name-based virtual hosting) may be enabled. Virtual Routing allows a web server to serve different resources depending on the domain name requested. Generally, the first thing we do is navigate to the web page using the IP address of the host (e.g. http://10.10.10.112) to see what the host serves us. Let’s say that the domain name “idontexist.htb” resolves to that IP address. Some would expect http://idontexist.htb to serve the same page as http://10.10.10.112. If virtual routing is enabled, this is not always the case: depending on how it’s configured, http://idontexist.htb may serve a completely different page than http://10.10.10.112.
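
The behaviour described in item 2, as an added example that is not part of the original page: a local Python server that chooses its response from the Host header, requested once by IP and once as idontexist.htb. The 127.0.0.1 address, the page bodies and the names VHostHandler, fetch and demo are assumptions made for the illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sites: the hostname comes from the text above, the bodies are made up.
SITES = {"idontexist.htb": b"hidden site for idontexist.htb\n"}
DEFAULT_SITE = b"default site (request by IP or unknown name)\n"


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Name-based selection: only the Host header decides which site answers.
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        body = SITES.get(host, DEFAULT_SITE)
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args): pass  # silence per-request logging


def fetch(ip, port, host_header):
    """GET / from ip:port while presenting host_header as the requested name."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        conn.putrequest("GET", "/", skip_host=True)
        conn.putheader("Host", host_header)
        conn.endheaders()
        return conn.getresponse().read()
    finally:
        conn.close()


def demo():
    """Start the server on a free local port; request it by IP and by name."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    ip, port = server.server_address
    try:
        by_ip = fetch(ip, port, f"{ip}:{port}")
        by_name = fetch(ip, port, "idontexist.htb")
    finally:
        server.shutdown()
        server.server_close()
    return by_ip, by_name


if __name__ == "__main__":
    print(demo())
```

Both requests reach the same socket; only the Host value differs, which is why names recovered through DNS enumeration have to be requested by name and not only by IP.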

Preliminary Steps - DNS configuration on Linux

To use the victim machine as an additional DNS resolver on Kali Linux, follow these steps:

  1. Add the entry nameserver <IP> to the /etc/resolv.conf file as shown here:
     # Generated by NetworkManager
     search localdomain
     nameserver <IP>
     nameserver ...
     nameserver ...
  2. Restart the network service:
     systemctl restart networking

How to

# nslookup takes the DNS server as the second positional argument
nslookup -query=mx '<Domain>' '<DNS-IP>'
nslookup -query=ns '<Domain>' '<DNS-IP>'
nslookup -query=any '<Domain>' '<DNS-IP>'
dig @<DNS SERVER> '<Domain>'
dig @<DNS SERVER> '<Domain>' A
dig @<DNS SERVER> '<Domain>' AAAA
dig @<DNS SERVER> '<Domain>' PTR
dig @<DNS SERVER> '<Domain>' NS
dig @<DNS SERVER> '<Domain>' MX