DNS
Domain Name System (DNS)
What is DNS?
The Domain Name System (DNS) acts as the phonebook of the internet. Humans access information online through domain names, like github.com or google.com. Web browsers, however, interact through Internet Protocol (IP) addresses. DNS translates domain names into IP addresses so browsers can load Internet resources.
By design, DNS is a globally distributed system that controls which server a user reaches via a particular domain.
Note: Standard DNS traffic is typically unencrypted (UDP/53), making it susceptible to interception or spoofing unless technologies like DNS over HTTPS (DoH) or DNS over TLS (DoT) are used.
DNS Server Hierarchy
There are several types of DNS servers involved in resolving a hostname to an IP. They work together in a hierarchy:
1. DNS Root Server
The root servers are responsible for the Top Level Domains (TLD) (like .com, .org, .net). They are the first step in the resolution process when a local resolver doesn't know where a domain is.
Function: They direct queries to the appropriate TLD server.
Governance: The Internet Corporation for Assigned Names and Numbers (ICANN) coordinates the root name servers.
Scale: There are 13 logical root server IP addresses worldwide, though they are backed by hundreds of physical servers via Anycast.
2. Authoritative Nameserver
These servers hold the actual DNS records for a specific domain (e.g., hackthebox.com). They are the final authority.
Function: They answer queries for their specific zone. Their information is considered binding.
Organization: If an authoritative server cannot answer a query (e.g., for a subdomain it doesn't own), it generally does not forward the request; it simply returns an error or a referral.
3. Recursive Resolver (Non-authoritative)
Resolvers are not authoritative; they are the "middlemen." They are usually provided by your ISP or a public provider (like Google's 8.8.8.8).
Function: When a client (your computer) asks for a website, the Recursive Resolver performs the "hunt"—asking the Root, then the TLD, then the Authoritative server to find the IP.
Caching: Once found, they cache the result to speed up future requests.
4. Forwarding Server
These servers perform a single function: they forward DNS queries to another DNS server (often a Recursive Resolver) rather than resolving the names themselves.
DNS Records
DNS records provide specific information about a domain. Here are the most common types:
A: Returns the IPv4 address of the requested domain.
AAAA: Returns the IPv6 address of the requested domain.
MX: Mail Exchange. Points to the mail servers responsible for accepting email for the domain.
NS: Nameserver. Lists the authoritative DNS servers for the domain.
CNAME: Canonical Name. Acts as an alias. For example, pointing www.hackthebox.eu to hackthebox.eu.
PTR: Pointer. Used for reverse lookups (converting an IP into a domain name).
TXT: Text. A multi-purpose record. Often used for verification (Google Search Console) or email security (SPF, DMARC) to prevent spam.
SOA: Start of Authority. Provides administrative details about the DNS zone, including the primary nameserver, the email of the admin, and serial numbers for updates.
Zone Files & Configuration
Understanding how DNS servers are configured is vital for both administration and enumeration.
What is a Zone File?
A Zone File is a text file that acts as the database for a domain. It contains all the mappings between names and IPs. Think of it as the server's address book.
Location: Usually found in /etc/bind/db.domain.com (on Linux BIND servers).
Directives: It defines the domain name, the TTL (Time To Live for caching), and lists all the Records (A, MX, NS, etc.).
Reverse Lookup Zones
While standard zones map Names → IPs, Reverse Zones map IPs → Names (using PTR records).
Purpose: Used for logging, security auditing, and network troubleshooting.
Analogy: Instead of asking "Who owns this domain?", you are asking "Who owns this IP address?"
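To show how a zone file's records and the matching reverse zone fit together, here is an added Python example (not code from the page or from BIND): it parses a constructed zone for example.com, answers a lookup through the CNAME alias the way a resolver would, and derives the PTR records the reverse zone would carry. The zone contents, names and addresses are constructed, and the parser only handles the single-line record syntax used in the sample.

```python
import ipaddress
import shlex
# Constructed sample zone for example.com (example data, not a zone from the page)
ZONE = """\
$ORIGIN example.com.
$TTL 3600
@     IN SOA   ns1.example.com. admin.example.com. 2024010101 7200 900 1209600 300
@     IN NS    ns1.example.com.
@     IN MX 10 mail.example.com.
@     IN TXT   "v=spf1 mx -all"   ; SPF policy lives in a TXT record
@     IN A     192.0.2.1
ns1   IN A     192.0.2.10
mail  IN A     192.0.2.20
www   IN CNAME example.com.
"""

def parse_zone(text):
    """Parse single-line BIND-style records into (owner, ttl, type, rdata) tuples."""
    origin, default_ttl, records = ".", 3600, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()           # drop ';' comments
        if not line:
            continue
        tokens = shlex.split(line)                    # keeps quoted TXT data as one token
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        owner = tokens.pop(0)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"               # relative name -> absolute name
        ttl = int(tokens.pop(0)) if tokens[0].isdigit() else default_ttl
        if tokens[0] == "IN":                         # class is optional in zone files
            tokens.pop(0)
        records.append((owner, ttl, tokens[0], " ".join(tokens[1:])))
    return records

def reverse_zone(records):
    """Derive the PTR records the matching in-addr.arpa zone would hold."""
    return [(ipaddress.ip_address(rd).reverse_pointer + ".", ttl, "PTR", owner)
            for owner, ttl, rtype, rd in records if rtype == "A"]

def lookup(records, name, rtype):
    """Answer one query from the zone, following a CNAME alias like a resolver does."""
    cname = [rd for o, _, t, rd in records if o == name and t == "CNAME"]
    target = cname[0] if cname else name
    return [rd for o, _, t, rd in records if o == target and t == rtype]
```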
Local Configuration
The main configuration file (e.g., /etc/bind/named.conf.local) tells the DNS server which zones it is responsible for and where the zone files are located on the disk.
Dangerous Settings
Misconfiguring a DNS server can leave a network vulnerable. The following settings in named.conf are critical for security:
allow-query: Defines which hosts can send requests to the server. Risk: if open to any, internal network info might be leaked.
allow-recursion: Defines which hosts can send recursive requests. Risk: if open, attackers can use your server for DNS Amplification DDoS attacks.
allow-transfer: Defines which hosts can download the entire zone file. Risk: High. If misconfigured, an attacker can perform a Zone Transfer (AXFR) and get a list of every single host in your network.
zone-statistics: Collects statistical data of zones. Risk: can leak usage patterns.
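As an added example (not a configuration from the page or from BIND), the following Python script audits two constructed named.conf fragments for the ACLs listed above: the first leaves every ACL at any, the second restricts recursion to an internal ACL and transfers to the zone's own secondaries. The ACL names, addresses and file path are constructed; a directive that is absent is not reported, since BIND then applies its own default for that version.

```python
import re
# Constructed named.conf fragments (example data, not configs from the page).
WEAK_CONF = """\
options {
    allow-query     { any; };
    allow-recursion { any; };
    allow-transfer  { any; };
};
"""
HARDENED_CONF = """\
acl internal    { 192.0.2.0/24; localhost; };
acl secondaries { 192.0.2.11; };
options {
    allow-query     { any; };          // public answers are fine for an authoritative server
    allow-recursion { internal; };     // never an open resolver
    allow-transfer  { secondaries; };  // AXFR only to our own secondaries
};
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { secondaries; };   // zone-level override, same restriction
};
"""
SEVERITY = {  # directive opened to "any" -> what the table above says is at stake
    "allow-transfer": "HIGH: anyone can AXFR the whole zone",
    "allow-recursion": "HIGH: open resolver, usable for amplification DDoS",
    "allow-query": "LOW: normal for a public authoritative server, review on internal ones",
}
BLOCK_RE = re.compile(r'^(options|zone\s+"([^"]+)")\s*\{$')
ACL_RE = re.compile(r'^(allow-(?:query|recursion|transfer))\s*\{([^}]*)\}')

def audit(conf):
    """Return (block, directive, message) for each ACL explicitly opened to 'any'."""
    findings, block = [], "global"
    for raw in conf.splitlines():
        line = raw.split("//", 1)[0].split("#", 1)[0].strip()   # BIND allows both comment styles
        m = BLOCK_RE.match(line)
        if m:
            block = m.group(2) or m.group(1)      # zone name, or "options"
            continue
        if line == "};":
            block = "global"
            continue
        m = ACL_RE.match(line)
        if m:
            hosts = [h.strip() for h in m.group(2).split(";") if h.strip()]
            if "any" in hosts:
                findings.append((block, m.group(1), SEVERITY[m.group(1)]))
    return findings                              # absent directives are not reported
```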
Footprinting the Service
As a penetration tester or security researcher, DNS is a goldmine of information. We use the dig tool to query DNS servers.
1. Basic NS Query
Find out which servers are authoritative for the target.
2. Version Query
Sometimes servers reveal their software version, which helps in finding exploits.
3. ANY Query
Requests all available records for a domain. (Note: Many modern servers block ANY queries to prevent DDoS abuse).
4. Zone Transfer (AXFR)
If allow-transfer is misconfigured, you can download the entire domain layout.
5. Subdomain Brute Forcing
If Zone Transfers are blocked, we must guess subdomains using a wordlist.
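Seen from the server side, every step above leaves a trace in the query log. The following added Python example (not code from the page or from BIND) triages constructed log lines and flags the clients that sent version.bind, ANY or AXFR queries, or that asked for many distinct names in the way a wordlist brute force does. The line layout "client IP#port (qname): query: qname class type" is assumed to follow BIND 9's query logging; the addresses and names are constructed.

```python
import re
from collections import defaultdict

# Constructed BIND-style query log lines (example data, not from the page); the layout
# "client IP#port (qname): query: qname class type" is assumed to match BIND 9 logging.
LOG = """\
client @0x1 192.0.2.55#41234 (example.com): query: example.com IN NS +E(0)K (192.0.2.10)
client @0x1 192.0.2.55#41235 (version.bind): query: version.bind CH TXT + (192.0.2.10)
client @0x1 192.0.2.55#41236 (example.com): query: example.com IN ANY +E(0)K (192.0.2.10)
client @0x1 192.0.2.55#41237 (example.com): query: example.com IN AXFR -E(0)T (192.0.2.10)
client @0x2 198.51.100.7#5353 (dev.example.com): query: dev.example.com IN A +E(0)K (192.0.2.10)
client @0x2 198.51.100.7#5354 (test.example.com): query: test.example.com IN A +E(0)K (192.0.2.10)
client @0x2 198.51.100.7#5355 (vpn.example.com): query: vpn.example.com IN A +E(0)K (192.0.2.10)
client @0x2 198.51.100.7#5356 (mail2.example.com): query: mail2.example.com IN A +E(0)K (192.0.2.10)
client @0x3 203.0.113.9#53001 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.10)
"""
LINE_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(\S+)#\d+ \([^)]*\): query: (\S+) (IN|CH) (\S+)")

def triage(log, brute_threshold=4):
    """Group queries by client and flag the footprinting patterns described above."""
    per_client = defaultdict(lambda: {"types": set(), "names": set(), "version": False})
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                                  # ignore lines in another format
        ip, qname, qclass, qtype = m.groups()
        c = per_client[ip]
        c["types"].add(qtype)
        c["names"].add(qname.lower())
        if qclass == "CH" and qname.lower() == "version.bind":
            c["version"] = True                       # software version probe
    findings = {}
    for ip, c in per_client.items():
        flags = sorted({"AXFR", "ANY"} & c["types"])  # zone transfer / ANY attempts
        if c["version"]:
            flags.append("version.bind")
        if len(c["names"]) >= brute_threshold:        # many names from one client
            flags.append("many-names")
        if flags:
            findings[ip] = flags
    return findings
```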