Introduction to pentesting: Reconnaissance

Dig

Another great tool for extracting information from DNS is “dig”. To work with dig, we simply open a terminal and enter the following command:

dig @target_ip

Naturally, you’ll need to replace “target_ip” with the IP address of your target. Among other things, dig makes it very simple to attempt a zone transfer. Recall that a zone transfer is used to pull multiple records from a DNS server. In some cases, a zone transfer can result in the target DNS server sending all the records it contains. This is especially valuable if your target doesn’t distinguish between internal and external IPs when answering a zone transfer request. We can attempt a zone transfer with dig by using the “-t AXFR” parameter.

If we wanted to attempt a zone transfer against a fictitious DNS server with an IP address of 192.168.1.23 and a domain name of “example.com”, we’d issue the following command in a terminal window:

dig @192.168.1.23 example.com -t AXFR

If zone transfers are allowed and not restricted, you’ll be presented with a listing of the hostnames and IP addresses that the target DNS server holds for your target domain. If the server declines the request, dig instead reports “Transfer failed.”
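As an added example (not from the original page), here is a small POSIX shell helper that classifies the output of the AXFR command above, so the check can be scripted across a list of name servers when auditing whether any of them hand out a full zone. The two dig output samples are constructed, and the server address and zone name are the fictitious ones used above.

```shell
#!/bin/sh
# Constructed sample: what dig prints when the server declines AXFR.
REFUSED_SAMPLE='; <<>> DiG 9.18.24 <<>> @192.168.1.23 example.com -t AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.'

# Constructed sample: a completed transfer (all records are made up).
# A real AXFR always begins and ends with the zone SOA record.
ALLOWED_SAMPLE='; <<>> DiG 9.18.24 <<>> @192.168.1.23 example.com -t AXFR
; (1 server found)
;; global options: +cmd
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.      3600 IN NS  ns1.example.com.
ns1.example.com.  3600 IN A   192.168.1.23
www.example.com.  3600 IN A   192.168.1.40
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 3 msec
;; SERVER: 192.168.1.23#53(192.168.1.23) (TCP)
;; XFR size: 5 records (messages 1, bytes 203)'

# classify_axfr OUTPUT: prints "allowed N" (N records served), "refused"
# or "unknown", and returns 0/1/2 respectively so scripts can branch on it.
classify_axfr() {
  out=$1
  if printf '%s\n' "$out" | grep -q '^; Transfer failed'; then
    echo refused
    return 1
  fi
  # Record lines are the non-comment lines carrying the class field "IN".
  recs=$(printf '%s\n' "$out" | grep -v '^;' | grep -c '[[:space:]]IN[[:space:]]' || true)
  # Two SOA records mean the server sent the whole zone, start to end.
  soas=$(printf '%s\n' "$out" | grep -v '^;' | grep -c '[[:space:]]IN[[:space:]][[:space:]]*SOA[[:space:]]' || true)
  if [ "$soas" -ge 2 ] && [ "$recs" -gt 0 ]; then
    echo "allowed $recs"
    return 0
  fi
  echo unknown
  return 2
}

# check_zone SERVER ZONE: live check of one server; needs dig on PATH
# (not used by the offline demonstration below).
check_zone() {
  classify_axfr "$(dig "@$1" "$2" -t AXFR +time=5 +tries=1 2>&1)"
}

# Offline demonstration on the constructed samples (exit codes ignored here).
classify_axfr "$REFUSED_SAMPLE" || true   # prints "refused"
classify_axfr "$ALLOWED_SAMPLE" || true   # prints "allowed 5"
```

Output that matches neither pattern (for example a timeout) is reported as “unknown”, so an audit loop can tell a misconfigured server apart from an unreachable one.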

BlackArch has several additional tools that can be used to interact with DNS. These tools should be explored and utilized once you have a solid understanding of how DNS works.