DNS enumeration using dnstracer

DNSTRACER:-

Dnstracer is a DNS information gathering tool that extracts unique DNS information about a domain. It extracts different types of DNS records such as NS, MX, A, AAAA, SOA, NSEC, etc.

According to an ethical hacker at the International Institute of Cyber Security, dnstracer helps in finding the various DNS queries that can be used in brute-force attacks and other hacking activities.

To use dnstracer, type dnstracer in a Linux terminal as shown below.

DEFAULT SCAN:-

Type:

dnstracer -v -o msn.com.

By default it sends a DNS query for A records.

  • -v verbose mode, shows requests and answers going back and forth.
  • -a shows the summary of domain scan.
  • -o enables an overview of received answers.
  • The above query shows the DNS headers and header fields.

The following types of queries, sent with a destination address, are used to gather information about the target IP address.

USING SOA QUERY:-

Type:

dnstracer -q soa -o -4 zonetransfer.me

-q sets the DNS record type to query (here the record type is SOA)

-o prints the summary on the console

-4 means ignore IPv6

 

  • The screenshot above shows the SOA (Start of Authority) records. The SOA record holds information about the name server that supplied the data for the zone.

USING NS (NAME SERVER) QUERY:-

Type:

dnstracer -q ns -o -4 zonetransfer.me

-q sets the DNS record type to query (here the record type is NS)

-o prints the summary on the console

-4 means ignore IPv6

  • The screenshot above shows the NS (name server) records of the target domain: zonetransfer.me has 4 name server records. At rooting level it is important that some trustworthy name server is configured to respond to queries against a domain name. DNS requests to the name servers are sent randomly; if one host is not responding, another host will be used.

 

USING MX (MAIL EXCHANGE) QUERY:-

Type:

dnstracer -q mx -o -4 zonetransfer.me

-q sets the DNS record type to query (here the record type is MX)

-o prints the summary on the console

-4 means ignore IPv6

 

  • In the screenshot above, the mail exchange records of zonetransfer.me are marked in red. MX records give the mail delivery destination for the target domain. The numbers shown next to the target domains, i.e. 0, 10, 20, are called the MX preference.
  • If ASPMX.L.GOOGLEMAIL.COM is not available, delivery goes to the next MX record. However, if MX records have the same MX preference, both will be used simultaneously.
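
The MX preference rule described above, as an added example that is not part of the original article: it groups MX records into the order a sending server would try them and checks that more than one mail host is published. It assumes input lines of the form "<preference> <host>", as printed by `dig +short MX <domain>`; the function names and the example.net hosts are constructed for illustration.

```sh
#!/bin/sh
# Added example: group MX records into delivery tiers by preference.
# Input on stdin: "<preference> <mail host>" per line, the layout printed by
# `dig +short MX <domain>`. Lower preference is tried first; hosts sharing a
# preference form one tier and are used together.

# Constructed sample: only ASPMX.L.GOOGLEMAIL.COM comes from the article,
# the example.net hosts are placeholders.
SAMPLE_MX='0 ASPMX.L.GOOGLEMAIL.COM.
20 mx-b.example.net.
10 mx-a.example.net.
10 mx-c.example.net.'

mx_tiers() {
    # 1) keep well-formed lines, normalise case and the trailing root dot
    # 2) sort by numeric preference, then host name
    # 3) fold equal preferences onto one line per tier
    awk 'NF == 2 && $1 ~ /^[0-9]+$/ {
             h = tolower($2); sub(/\.$/, "", h); print $1 + 0, h
         }' |
    LC_ALL=C sort -k1,1n -k2,2 |
    awk 'NR == 1 || $1 != pref {
             if (NR > 1) print line
             tier++; pref = $1
             line = "tier " tier " (pref " pref "): " $2
             next
         }
         { line = line ", " $2 }
         END { if (NR > 0) print line }'
}

# Exit status 0 when at least two mail hosts are published, i.e. delivery
# still has a destination if one host is down.
mx_has_fallback() {
    awk 'NF == 2 && $1 ~ /^[0-9]+$/ { n++ } END { exit !(n >= 2) }'
}

printf '%s\n' "$SAMPLE_MX" | mx_tiers
printf '%s\n' "$SAMPLE_MX" | mx_has_fallback && echo "fallback MX present"
```

A domain whose records all sit in one tier with a single host has no fallback destination, which is worth flagging when reviewing your own zone.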

 

CHANGING INITIAL DNS SERVER:-

Type:

dnstracer -o -s . -4 hackthissite.org

-o prints the summary on the console

-4 means ignore IPv6

-s specifies the DNS server used for the query (here it is “.”, which means using the system-defined or default DNS server of the system)

  • In the screenshot above, the query shows the name server and the public IP address of hackthissite.org, but the main purpose of the query is to change the initial DNS server. To change the initial DNS server, an attacker can configure any DNS server according to the requirement.