Information Gathering Through DNS

2015-01-30 17:09

The Domain Name System (DNS) can reveal a lot of information about your network. In this post I'm going to use a tool called DNSRecon to explore this.

Domain Enumeration

A basic domain enumeration can look like this:

$ ./dnsrecon -d iis.se
[*] Performing General Enumeration of Domain: iis.se
[*] DNSSEC is configured for iis.se
[*] DNSKEYs:
[*]     None ZSK RSASHA1 050100000001cefa15643bcb6f41b08a 00d1b2a3fd2acca32158416d5af1f3ba 522f4dee16b9248f4aafaf9f6a20a476 5892d4bfa7fed48ac846166bedabf20d 143d4daf5e827792a4dac723d128dc8f 7f9c4992f15bd895337e535290e00a90 d99e27b6f395ac2f199ea0336c68b40f 23265297ba1eb8f9ce59878affe3e959 5571f2b2a327
[*]     None KSk RSASHA1 03010001cab9bbea9ee5589b9f2bd29c 6536d296a7c1e024d90c5f94656e5508 7340005057848874042cf8b3551c5eb5 95cc5ee74e2384f9a3790eb9e97eadf9 d1e9473d4374f3bfba47082138c84682 47a92f975f22fa81496e6680d4f8aeaf a71906271e66e67e1ba114ca09350047 ff6bc36f88411453b5bea7070b02de99 9ff4894942340c6f57104dbd143bb7d8 8170d921856e9762f01a9291acc27a52 5d677a9912c533304381fd88a13d161a 8f788a7353d7675c6b49f990b1f6d592 67d56c48b58126d530a04e997c8a05d6 2a2aab17c697d255d7fe86903c68de93 0dd9e761929f1aaa8a3f47e9ab2588b4 bc4f236d7be1675db5e750f2c2e4b16c 68c09719
[*]      SOA ns.nic.se 212.247.7.228
[*]      SOA ns.nic.se 2a00:801:f0:53::53
[*]      NS ns3.nic.se 212.247.8.152
[*]      Bind Version for 212.247.8.152 not disclosed
[*]      NS ns3.nic.se 2a00:801:f0:211::152
[*]      NS i.ns.se 194.146.106.22
[*]      Bind Version for 194.146.106.22 contact info@netnod.se
[*]      NS i.ns.se 2001:67c:1010:5::53
[*]      NS ns.nic.se 212.247.7.228
[*]      Bind Version for 212.247.7.228 Not disclosed
[*]      NS ns.nic.se 2a00:801:f0:53::53
[*]      MX mx1.iis.se 91.226.36.39
[*]      MX mx2.iis.se 212.247.8.148
[*]      MX mx1.iis.se 2a00:801:f0:106::39
[*]      MX mx2.iis.se 2a00:801:f0:211::148
[*]      A iis.se 91.226.36.46
[*]      AAAA iis.se 2a00:801:f0:106::80
[*]      TXT iis.se v=spf1 ip4:212.247.204.0/24 ip4:212.247.7.128/25 ip4:212.247.8.128/25 ip4:212.247.3.0/25 ip4:212.247.14.32/28 ip4:212.247.165.16/28 ip4:212.247.206.0/24 ip4:91.226.36.0/23 ip6:2a00:801:f0:211::147 ip6:2a00:801:f0:106::38 ip6:2a00:801:f0:106::43 mx ~all
[*] Enumerating SRV Records
[*]      SRV _kerberos._udp.iis.se kdc01.prod.iis.se no_ip 88 20
[*]      SRV _kerberos._udp.iis.se kdc02.prod.iis.se no_ip 88 40
[*]      SRV _kerberos._udp.iis.se kdc03.prod.iis.se no_ip 88 40
[*]      SRV _kerberos._tcp.iis.se kdc02.prod.iis.se no_ip 88 40
[*]      SRV _kerberos._tcp.iis.se kdc03.prod.iis.se no_ip 88 40
[*]      SRV _kerberos._tcp.iis.se kdc01.prod.iis.se no_ip 88 20
[*]      SRV _jabber._tcp.iis.se xmpp.iis.se 212.247.8.149 5269 0
[*]      SRV _xmpp-client._tcp.iis.se xmpp.iis.se 212.247.8.149 5222 0
[*]      SRV _xmpp-server._tcp.iis.se xmpp.iis.se 212.247.8.149 5269 0
[*]      SRV _kpasswd._udp.iis.se kdc01.prod.iis.se no_ip 464 0
[*] 10 Records Found

Here I'm using the Swedish Internet Infrastructure Foundation (IIS) as example domain. (They are doing an excellent job of developing the Swedish internet and have been promoting DNSSEC).

From the result we can tell that DNSSEC is configured, the nameservers (SOA, NS), mail servers (MX) and that IPv6 is enabled (AAAA). Their BIND version is not disclosed so we can not tell what DNS server software they are running. We can tell what hosts are allowed to send mail from this domain by looking at the SPF information in the TXT record.

The TXT records can reveal a lot of other information as well so they may deserve a close look. MX records can tell us if a domain is using a third party for mail handling.

Looking at the service locator (SRV) records tells us that they're using Kerberos and XMPP/Jabber and what hosts and ports are involved. SRC records can reveal much information about available services.

Reverse Lookup on IP Range

DNSRecon has the ability to do reverse lookup for pointer (PTR) records. This ability can disclose much information about public hosts on a network.

Using Dictionaries

DNSRecon has the ability to use dictionaries to perform a kind of brute force poke by trying to resolve A, AAAA and CNAME records for each dictionary entry on the given domain:

$ ./dnsrecon.py -d example.com -t brt -D <dictionary>

Performing such a lookup can give valuable information about exposed hosts.

Using dictionaries we can also perform DNS cache snooping:

$ ./dnsrecon.py -n ns1.example.com -t snoop -D <dictionary>

Google Search Enumeration

Another interesting feature of DNSRecon is the ability to do a Google search enumeration. This is done by scraping Google search results for unique sub domains and perform a lookup on these host names.

$ ./dnsrecon.py -d mydomain.com -g

Conclusion

The domain name system is one of the first sources of information for an attacker. Knowing what information is exposed and make sure nothing unwanted is disclosed can help a sysadmin to secure the network and its servers.