Hacktricks-skills dns-pentesting

Perform DNS security assessments and enumeration. Use this skill whenever the user needs to enumerate DNS servers, check for zone transfers, discover subdomains, validate DNSSEC configuration, or assess DNS security posture. Trigger on requests involving DNS reconnaissance, domain enumeration, DNS vulnerability scanning, or any DNS-related security testing.

Install: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/network-services-pentesting/pentesting-dns/SKILL.MD

DNS Pentesting Skill

A comprehensive skill for performing DNS security assessments, enumeration, and vulnerability testing.

When to Use This Skill

Use this skill when:

  • Enumerating DNS servers and discovering domain information
  • Testing for zone transfer vulnerabilities
  • Discovering subdomains through brute force or enumeration
  • Checking DNSSEC configuration and validation
  • Assessing DNS server security posture
  • Performing Active Directory DNS enumeration
  • Validating DNS record types and configurations

Quick Start

For rapid DNS enumeration, use the bundled scripts:

# Full DNS enumeration suite
./scripts/dns-enumerate.sh <target-ip> <domain>

# Zone transfer attempts
./scripts/dns-zone-transfer.sh <target-ip> <domain>

# Subdomain discovery
./scripts/dns-subdomain-brute.sh <domain> <target-ip>

# DNSSEC validation checks
./scripts/dns-sec-check.sh <domain>

DNS Enumeration Workflow

1. Initial Reconnaissance

Start with basic DNS information gathering:

# Check DNS server version (banner grabbing)
dig version.bind CHAOS TXT @<DNS_IP>

# Get all available record types
dig any <domain> @<DNS_IP>

# Query specific record types
dig A <domain> @<DNS_IP>       # IPv4 addresses
dig AAAA <domain> @<DNS_IP>    # IPv6 addresses
dig MX <domain> @<DNS_IP>      # Mail servers
dig NS <domain> @<DNS_IP>      # Name servers
dig TXT <domain> @<DNS_IP>     # Text records (SPF, DKIM, etc.)
dig SOA <domain> @<DNS_IP>     # Start of Authority

2. Zone Transfer Testing

Zone transfers (AXFR) can expose all DNS records for a domain:

# Try zone transfer without specifying domain
dig axfr @<DNS_IP>

# Try zone transfer with domain
dig axfr <domain> @<DNS_IP>

# Use fierce for automated zone transfer attempts
fierce --domain <domain> --dns-servers <DNS_IP>

Security Note: Zone transfers should only be allowed between authoritative name servers. If successful, this is a misconfiguration.

3. Subdomain Discovery

Discover subdomains through various methods:

# Using dnsenum
dnsenum --dnsserver <DNS_IP> --enum -p 0 -s 0 -o subdomains.txt -f <wordlist> <domain>

# Using dnsrecon
dnsrecon -D <wordlist> -d <domain> -n <DNS_IP>

# Manual brute force with dig (+short prints only answer data, so an empty result means no record;
# the original "grep $sub" also matched the echoed question line and reported every name as found)
for sub in $(cat <wordlist>); do
  ips=$(dig +short "$sub.<domain>" @<DNS_IP>)
  [ -n "$ips" ] && echo "$sub.<domain>: $ips"
done

4. Reverse DNS Enumeration

Map IP addresses back to hostnames:

# Reverse lookup for single IP
dig -x <IP_ADDRESS> @<DNS_IP>

# Reverse brute force on IP range
dnsrecon -r <IP_RANGE>/24 -n <DNS_IP>

# Example: scan entire /24
dnsrecon -r 192.168.1.0/24 -n <DNS_IP>

5. Active Directory DNS Enumeration

Discover AD infrastructure through DNS:

# Query for AD service records (SRV records; dig takes the type before the name, "-t <name>" is rejected as an invalid type)
dig SRV _gc._tcp.<domain> @<DNS_IP>
dig SRV _ldap._tcp.<domain> @<DNS_IP>
dig SRV _kerberos._tcp.<domain> @<DNS_IP>
dig SRV _kpasswd._tcp.<domain> @<DNS_IP>

# Using nslookup
nslookup -type=srv _kerberos._tcp.<domain>

# Using nmap
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='<domain>'" <IP>

6. DNSSEC Validation

Check DNSSEC configuration and validation:

# Check for DNSSEC records
dig <domain> DNSKEY +dnssec
dig <domain> DS +short
dig <domain> CDS +short
dig <domain> CDNSKEY +short

# Test DNSSEC validation
dig @8.8.8.8 <domain> A +dnssec

# Check NSEC enumeration (if enabled)
nmap -sSU -p53 --script dns-nsec-enum --script-args "dns-nsec-enum.domains=<domain>" <DNS_IP>

7. DNS Server Security Checks

Assess DNS server security posture:

# Check if recursion is enabled (potential DDoS amplification)
dig google.com A @<DNS_IP>
# Look for "ra" (recursion available) flag in response

# Nmap DNS vulnerability scan
nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" <IP>

# Check EDNS and TCP fallback
dig <domain> DNSKEY +dnssec +bufsize=1232
dig <domain> DNSKEY +dnssec +tcp

8. Advanced DNS Checks

NS Delegation Integrity

# Get NS records
dig <domain> NS +short

# Verify each NS answers authoritatively: look for "aa" in the flags line (+short would hide it);
# +norecurse keeps a misconfigured server from recursing on your behalf and faking a good answer
for ns in $(dig +short <domain> NS); do
  echo "== $ns"
  dig @"${ns%.}" <domain> SOA +norecurse +noall +comments +answer
done

Modern DNS Records (HTTPS/SVCB)

dig <domain> HTTPS +short
dig <domain> SVCB +short
dig www.<domain> HTTPS +short
dig www.<domain> SVCB +short

TTL Analysis

# Check TTL values on critical records
dig <domain> A +ttlid
dig <domain> AAAA +ttlid
dig <domain> MX +ttlid
dig <domain> NS +ttlid

CAA Records (Certificate Authority Authorization)

dig <domain> CAA +short

# Check certificate transparency logs
curl -s "https://crt.sh/?q=%25.<domain>&output=json" | head

Post-Exploitation DNS Checks

If you have access to a compromised system, check DNS configuration files:

# DNS configuration files to examine
/etc/resolv.conf
/etc/host.conf
/etc/bind/named.conf
/etc/bind/named.conf.local
/etc/bind/named.conf.options
/etc/bind/named.conf.log

Key BIND parameters to check:

  • allow-transfer
    - Who can perform zone transfers
  • allow-recursion
    - Who can send recursive requests
  • allow-query
    - Who can query the server
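As an added example (a hypothetical helper, not one of the skill's bundled scripts), the following POSIX shell function extracts the three ACLs above from BIND configuration text and flags any that is open to "any"; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not one of the skill's bundled scripts): pull the
# three ACLs listed above out of a named.conf* text and flag any that is open to "any".
# Real use:  bind_acl_audit "$(cat /etc/bind/named.conf.options)"

# Constructed sample with deliberately weak recursion and query ACLs.
SAMPLE_CONF='options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { any; };
    allow-query { any; };
    allow-transfer { 192.0.2.10; 192.0.2.11; };
};'

# Print "directive<TAB>acl body" for every allow-* directive read from stdin.
bind_acls() {
  awk '/^[ \t]*(allow-transfer|allow-recursion|allow-query)[ \t]*[{]/ {
         d = $1; sub(/[{].*/, "", d)               # directive name, brace stripped
         sub(/^[^{]*[{]/, ""); sub(/[}].*$/, "")   # keep only what sits inside the braces
         gsub(/^[ \t]+|[ \t]+$/, "")
         print d "\t" $0 }'
}

# Verdict for directive $2 in config text $1: OK (exit 0), WEAK (1) or MISSING (2).
# "any" anywhere in the ACL opens that function to the whole Internet.
bind_acl_verdict() {
  _acl=$(printf '%s\n' "$1" | bind_acls | awk -F'\t' -v d="$2" '$1 == d { print $2; exit }')
  if [ -z "$_acl" ]; then echo "MISSING $2 (server default applies, check the BIND version)"; return 2; fi
  case " $_acl " in
    *" any; "*) echo "WEAK    $2 { $_acl }"; return 1 ;;
    *)          echo "OK      $2 { $_acl }"; return 0 ;;
  esac
}

# Check all three; succeed only when every ACL is present and restricted.
bind_acl_audit() {
  _rc=0
  for _d in allow-transfer allow-recursion allow-query; do
    bind_acl_verdict "$1" "$_d" || _rc=1
  done
  return $_rc
}

if bind_acl_audit "$SAMPLE_CONF"; then
  echo "all ACLs restricted"
else
  echo "review the WEAK/MISSING entries above"
fi
```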

Tools Reference

  • dig
    - DNS query tool (most versatile)
  • nslookup
    - Legacy DNS query tool
  • dnsrecon
    - DNS enumeration and brute force
  • dnsenum
    - DNS enumeration suite
  • fierce
    - DNS reconnaissance and zone transfer
  • nmap
    - DNS vulnerability scanning
  • fpdns
    - DNS server fingerprinting

Nmap DNS Scripts

# Comprehensive DNS scan
nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" <IP>

# DNS service enumeration
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='<domain>'" <IP>

# DNS NSEC enumeration
nmap -sSU -p53 --script dns-nsec-enum --script-args "dns-nsec-enum.domains=<domain>" <DNS_IP>

Metasploit DNS Modules

# DNS enumeration
use auxiliary/gather/enum_dns

# DNS amplification
use auxiliary/scanner/dns/dns_amp

Common DNS Record Types

  • A
    - IPv4 address
  • AAAA
    - IPv6 address
  • MX
    - Mail exchange
  • NS
    - Name server
  • SOA
    - Start of Authority
  • TXT
    - Text records (SPF, DKIM, etc.)
  • CNAME
    - Canonical name (alias)
  • PTR
    - Pointer (reverse DNS)
  • SRV
    - Service location
  • DNSKEY
    - DNSSEC key
  • DS
    - Delegation signer
  • CAA
    - Certificate Authority Authorization
  • HTTPS
    - HTTPS service binding
  • SVCB
    - Service binding

Best Practices

  1. Always test zone transfers - This is a common misconfiguration
  2. Check for recursion - Can be abused for DDoS amplification
  3. Enumerate subdomains - Often reveals internal infrastructure
  4. Validate DNSSEC - Check for proper configuration
  5. Review NS delegation - Look for lame delegations
  6. Check TTL values - Low TTLs can accelerate malicious changes
  7. Examine CAA records - Overly permissive CAA increases cert abuse risk

Output Interpretation

Recursion Available (ra flag)

  • Present: Server allows recursive queries (potential DDoS risk)
  • Absent: Server only answers authoritative queries (more secure)

Zone Transfer Success

  • Success: Misconfiguration - all DNS records exposed
  • Refused: Properly configured

Low TTL Values

  • < 300 seconds: Very low - changes propagate quickly
  • 300-3600 seconds: Normal range
  • > 3600 seconds: High - slower propagation
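As an added example (a hypothetical helper, not one of the skill's bundled scripts), the following POSIX shell functions parse a saved dig response and apply the interpretation rules from this section together with the recursion check in step 7 and the authoritative-NS and TTL checks in step 8; the two sample responses and the example.test names are constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not one of the skill's bundled scripts): parse a
# full dig response (default output, not +short) and answer the questions this
# section and steps 7 and 8 raise: is recursion offered (ra), is the answer
# authoritative (aa), did a validating resolver set ad, which records have a low TTL.
# Real use:  r=$(dig @<DNS_IP> <domain> SOA +norecurse); is_authoritative "$r"

# Constructed responses standing in for an authoritative server and an open resolver.
RESP_AUTH=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.test.	3600	IN	SOA	ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 300'
RESP_RESOLVER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4343
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.test.	120	IN	A	192.0.2.10
www.example.test.	120	IN	RRSIG	A 13 3 120 20990101000000 20240101000000 12345 example.test. c29tZXNpZw=='

# Response code (NOERROR, NXDOMAIN, REFUSED, ...) from the header line.
rcode() { printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'; }

# True if header flag $2 (qr, aa, rd, ra, ad, ...) is present in the flags line.
has_flag() {
  printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | tr ' ' '\n' | grep -qx "$2"
}

is_recursive()     { has_flag "$1" ra; }                                   # server recurses for anyone who asks
is_authoritative() { [ "$(rcode "$1")" = NOERROR ] && has_flag "$1" aa; }  # NOERROR + aa: real authority
is_validated()     { has_flag "$1" ad; }                                   # ad: resolver validated DNSSEC

# Answer-section records whose TTL is below $2 seconds (default 300, the "very low" bucket above).
low_ttl_records() { printf '%s\n' "$1" | awk -v max="${2:-300}" '$3 == "IN" && $2 + 0 < max'; }

summarize() {  # $1 label, $2 response text
  printf '%s: rcode=%s recursive=%s authoritative=%s validated=%s\n' "$1" "$(rcode "$2")" \
    "$(is_recursive "$2" && echo yes || echo no)" \
    "$(is_authoritative "$2" && echo yes || echo no)" \
    "$(is_validated "$2" && echo yes || echo no)"
  low_ttl_records "$2" | sed 's/^/  low TTL: /'
}
summarize authoritative-ns "$RESP_AUTH"
summarize open-resolver "$RESP_RESOLVER"
```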

References

Script Usage

See the bundled scripts in scripts/ for automated workflows:

  • dns-enumerate.sh
    - Complete DNS enumeration suite
  • dns-zone-transfer.sh
    - Zone transfer testing
  • dns-subdomain-brute.sh
    - Subdomain discovery
  • dns-sec-check.sh
    - DNSSEC validation checks