Introduction to pentesting: Reconnaissance

Extracting information from DNS

DNS servers are an excellent target for attackers and penetration testers. They usually contain information that is considered highly valuable to attackers. DNS is a core component of both our local networks and the Internet. Among other things, DNS is responsible for translating domain names to IP addresses. As humans, it’s much easier for us to remember “google.com” than 172.217.172.14. Machines, however, prefer the reverse. DNS servers are the intermediaries that perform this translation.

As penetration testers, it’s important to focus on the DNS servers that belong to our target. The reason is simple. For DNS to function properly, it needs to be aware of both the IP address and the corresponding domain name of each computer on its network. In terms of reconnaissance, gaining full access to a company’s DNS server is like finding a pot of gold at the end of a rainbow. Or maybe, more accurately, it’s like finding a blueprint of the organization, one that contains a full listing of the internal IP addresses that belong to our target. Remember, one of the key elements of information gathering is to collect IP addresses that belong to the target.

Aside from the pot of gold, another reason why picking on DNS is so enjoyable is that in many cases, these servers tend to operate on the “if it ain’t broken, don’t touch it” principle.

Inexperienced network administrators often regard their DNS servers with suspicion and mistrust. Oftentimes, they choose to ignore the box completely because they don’t fully understand it. As a result, touching, patching, updating or changing configurations on the DNS server is often a low priority. Add this to the fact that most DNS servers appear to be very stable (as long as the administrator ain’t monkeying with them) and you have a recipe for a security disaster. These admins wrongly learn early in their careers that the less they mess with their DNS servers, the less trouble the servers seem to cause them.

As a penetration tester, given the number of misconfigured and unpatched DNS servers that abound today, it’s natural to assume that many current network admins operate under this same principle.

If the above statements are true in even a small number of organizations, we’re left with valuable targets that have a high probability of being unpatched or out of date. So the next logical question becomes: how do we gain access to this virtual pot of gold? Before we can begin the process of examining a DNS server, we need an IP address. DNS servers are usually listed by hostname; we can resolve each hostname to an IP address and add those IPs to the potential target list. Again, you must be sure to double (and triple) check that every IP you collect is within your authorized scope before continuing.

Now that we have a list of DNS IP addresses that belong to or serve our target, we can begin the process of interrogating DNS to extract information. Although it’s becoming rare to find one that succeeds, one of our first tasks when interacting with a target DNS server is to attempt a zone transfer.

Remember, DNS servers contain a series of records that match up the IP address and hostname for all the devices that the servers are aware of. Many networks deploy multiple DNS servers for the sake of redundancy and load balancing. As a result, DNS servers need a way to share information. This “sharing” process occurs through the use of a zone transfer. During a zone transfer, also commonly referred to as AXFR, one DNS server will send all the host-to-IP mappings it contains to another DNS server. This process allows multiple DNS servers to stay in sync.
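As an added example (not code from the original article), the following Python, using only the standard library, builds the AXFR query described above in DNS wire format, parses a server's reply, and reports whether the transfer completed, which is the check a defender would run against their own authoritative servers to confirm they refuse transfers from unauthorized hosts. The zone name, hostnames and addresses are constructed samples, and `sample_axfr_response` is a stand-in for a real server's answer so that the code runs offline; a real AXFR is sent over TCP.

```python
import struct
A, SOA, AXFR, IN, RCODE_REFUSED = 1, 6, 252, 1, 5   # RFC 1035 types/class; REFUSED is a properly restricted server's answer

def encode_name(name):
    # Wire-format name: length-prefixed labels ending in a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
def build_axfr_query(zone, txid=0x1234):
    # Header (ID, flags=0, QDCOUNT=1) + question (zone, QTYPE=AXFR, QCLASS=IN)
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", AXFR, IN)
def decode_name(msg, off):
    # Decode labels, following compression pointers; returns (name, offset after the name)
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                                   # pointer to an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + ln].decode()); off += ln
def parse_response(msg):
    # Returns (rcode, [(owner, type, rdata), ...]) for the answer section
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12]); off = 12
    for _ in range(qd): off = decode_name(msg, off)[1] + 4      # skip the echoed question
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        answers.append((owner, rtype, msg[off:off + rdlen])); off += rdlen
    return flags & 0xF, answers
def zone_transfer_allowed(msg):
    # A completed AXFR has RCODE 0 and an answer section bracketed by the zone's SOA record
    rcode, ans = parse_response(msg)
    return rcode == 0 and len(ans) >= 2 and ans[0][1] == SOA and ans[-1][1] == SOA
def a_records(msg):
    # The host-to-IP listing a leaked zone exposes, as {owner: dotted IPv4}
    return {o: ".".join(map(str, rd)) for o, t, rd in parse_response(msg)[1] if t == A}
def rr(owner, rtype, rdata, ttl=3600):
    return encode_name(owner) + struct.pack("!HHIH", rtype, IN, ttl, len(rdata)) + rdata
def sample_axfr_response(zone, hosts, allowed, txid=0x1234):
    # Constructed sample server reply for offline testing (no real server is contacted)
    head = encode_name(zone) + struct.pack("!HH", AXFR, IN)
    if not allowed:                                             # server refuses the transfer
        return struct.pack("!HHHHHH", txid, 0x8400 | RCODE_REFUSED, 1, 0, 0, 0) + head
    soa = rr(zone, SOA, encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", 2024010101, 3600, 900, 604800, 86400))
    body = soa + b"".join(rr(h + "." + zone, A, bytes(map(int, ip.split(".")))) for h, ip in hosts.items()) + soa
    return struct.pack("!HHHHHH", txid, 0x8400, 1, len(hosts) + 2, 0, 0) + head + body
```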

Even if we’re unsuccessful in performing a zone transfer, we should still spend time investigating any DNS servers that fall within our authorized scope.