07 Apr, 2023

Domain Name Server (DNS)

The Domain Name System (DNS) is a hierarchical decentralized naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. DNS provides a way to translate human-readable domain names into machine-readable IP addresses, allowing users to access resources on the internet using names rather than IP addresses. DNS is a critical part of the internet infrastructure and is used by almost every application that uses the internet, including web browsers, email clients, and more.

DNS common ports

UDP port 53: used for DNS queries and responses

TCP port 53: used for DNS zone transfers and large queries/responses that can’t fit into a single UDP datagram

UDP/TCP port 5353: used for multicast DNS (mDNS) service discovery in small networks

TCP port 853: used for DNS over TLS (DoT), a security-enhanced DNS protocol that encrypts DNS queries and responses to prevent eavesdropping and tampering

TCP/UDP port 137: used for NetBIOS name service, an outdated legacy protocol for resolving Windows computer names

TCP/UDP port 138: used for NetBIOS datagram service, another outdated legacy protocol for Windows network communication

TCP/UDP port 139: used for NetBIOS session service, yet another legacy protocol for Windows file and printer sharing

TCP/UDP port 445: used for Server Message Block (SMB) file sharing in Windows networks, which can also be used for DNS tunneling attacks

TCP/UDP port 5355: used for LLMNR (Link-Local Multicast Name Resolution), a protocol for resolving computer names in small networks that don’t have a DNS server

TCP/UDP port 8080: used for HTTP proxy servers that can intercept and manipulate DNS traffic, as well as for DNS tunneling over HTTP

Tools for working with the DNS protocol

Manual Tools:

nslookup: A command-line tool used to query DNS servers and obtain information about domain names and IP addresses.

dig: Another command-line tool for querying DNS servers and retrieving DNS records.

whois: A command-line tool used to retrieve registration information for domain names.

host: A command-line tool used to perform DNS lookups and retrieve DNS information.

ping: A command-line tool used to test network connectivity between two devices.

traceroute: A command-line tool used to trace the path of network packets between two devices.

tcpdump: A command-line tool used for network packet capture and analysis.

Automated Tools:

Nmap: A popular network scanner that includes DNS enumeration capabilities.

DNSmap: A tool for subdomain discovery and enumeration.

Fierce: A DNS reconnaissance tool that can discover and map DNS information for a domain.

Dnsenum: A tool for DNS enumeration that can discover subdomains, domain names, and DNS server IP addresses.

Dnswalk: A tool for DNS zone transfer testing and analysis.

Dnsrecon: A DNS enumeration and information gathering tool that can be used for reconnaissance and vulnerability scanning.

Dns2tcp: A tool for tunneling TCP connections over DNS.

Dnschef: A DNS proxy that can be used for testing and modifying DNS queries and responses.

Dnsspider: A tool for domain name enumeration and subdomain discovery.

Massdns: A high-performance DNS resolver that can be used for reconnaissance and subdomain discovery.

SubBrute: A tool for DNS subdomain discovery and brute-forcing.

Aquatone: A tool for subdomain discovery and DNS reconnaissance that can be used to generate screenshots of discovered websites.

Eyewitness: A tool for website screenshot generation that can be used in conjunction with DNS reconnaissance tools.

Useful information

– DNS is hierarchical and decentralized: root servers sit at the top of the hierarchy, followed by top-level domain (TLD) servers and authoritative name servers, with recursive resolvers querying each level on behalf of clients.

– There are several types of DNS records, including A records for IP addresses, MX records for email servers, CNAME records for aliases, and TXT records for arbitrary text.

– DNS can be vulnerable to a variety of attacks, including DNS spoofing, DNS cache poisoning, and DNS amplification attacks.

– DNSSEC is a security extension for DNS that provides cryptographic authentication of DNS records.

– DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) are encryption protocols for DNS that provide privacy and security benefits.

– DNS is a critical component of the internet and is used by virtually all networked devices.

– DNS logs can be a valuable source of information for network forensics and security monitoring.

– DNS traffic can be monitored and analyzed using a variety of tools, including tcpdump, Wireshark, and Bro/Zeek.
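
As an illustration of using DNS logs for security monitoring (an added example, not part of the original article), the script below flags clients that send many distinct long, high-entropy names under one parent domain, a common indicator of DNS tunneling. The log layout, the thresholds and the `.invalid` domain are assumptions made for this example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log (not real traffic). The "time client qtype qname"
# layout and the .invalid tunnel domain are assumptions for this example.
SAMPLE_LOG = """\
2023-04-07T10:00:01 10.0.0.5 A www.example.com
2023-04-07T10:00:02 10.0.0.5 MX example.com
2023-04-07T10:00:03 10.0.0.9 TXT mzxw6ytboi2gk3tfmfzwk4tzn5xgk3dj.t.tunnel-test.invalid
2023-04-07T10:00:04 10.0.0.9 TXT onxw2zjanvsxg43bm5sse2lom4qhi4tp.t.tunnel-test.invalid
2023-04-07T10:00:05 10.0.0.9 TXT nbswy3dpeb3w64tmmqqho2lumbqxg5dp.t.tunnel-test.invalid
2023-04-07T10:00:06 10.0.0.7 A mail.example.com
"""

def shannon_entropy(s):
    """Bits per character; encoded data scores higher than ordinary hostnames."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def suspicious_label(qname, min_len=24, min_entropy=3.5):
    """Flag a long, high-entropy leftmost label (thresholds are assumptions)."""
    label = qname.rstrip(".").lower().split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def find_tunnel_candidates(log_text, min_unique=3):
    """Return (client, parent_domain, count) for clients that query many
    distinct suspicious names under the same parent domain."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        _ts, client, _qtype, qname = fields
        if suspicious_label(qname):
            # Last two labels as the parent: a simplification (no public suffix list).
            parent = ".".join(qname.rstrip(".").lower().split(".")[-2:])
            seen[(client, parent)].add(qname.lower())
    return sorted((c, p, len(n)) for (c, p), n in seen.items() if len(n) >= min_unique)

if __name__ == "__main__":
    for client, parent, count in find_tunnel_candidates(SAMPLE_LOG):
        print(f"{client}: {count} high-entropy names under {parent}")
```
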

Books for studying DNS

“DNS and BIND (5th Edition)” by Cricket Liu – This book covers the history, design principles, and operation of DNS, as well as the use of DNS in applications such as email, directory services, and security mechanisms.

“DNS Security: Defending the Domain Name System” by Allan Liska and Geoffrey Stowe – This book provides a comprehensive overview of DNS security threats and vulnerabilities, and offers practical guidance on how to secure DNS infrastructure.

“DNS on Windows Server 2003” by Cricket Liu – This book focuses on the implementation of DNS on Windows Server 2003, including installation, configuration, and troubleshooting.

“DNS and BIND Cookbook” by Cricket Liu and Paul Albitz – This book provides practical solutions to common DNS problems, including DNS configuration, maintenance, and troubleshooting.

“Pro DNS and BIND” by Ron Aitchison – This book covers advanced DNS topics, including DNSSEC, IPv6, and DNS-based load balancing.

“DNS and BIND in a Nutshell” by Cricket Liu – This book provides a concise overview of DNS and BIND, including configuration and troubleshooting tips.

“DNSSEC Mastery: Securing the Domain Name System with BIND” by Michael W. Lucas – This book provides a detailed guide to DNSSEC, including configuration and troubleshooting with BIND.

“DNS & BIND Fundamentals” by Ayitey Bulley – This book provides an introduction to DNS and BIND, including DNS terminology, concepts, and operation.

“DNS and BIND (4th Edition)” by Paul Albitz and Cricket Liu – This book covers the principles and operation of DNS, as well as practical guidance on DNS configuration, maintenance, and troubleshooting.

“DNS and BIND: The Cricket Liu Guide” by Cricket Liu – This book provides an in-depth guide to DNS and BIND, including DNS architecture, zone file syntax, and advanced DNS topics.

List of Payloads for DNS

Malicious domain names: Attackers can use domain names that are similar to legitimate ones to trick users into visiting their fake websites or to conduct phishing attacks.

DNS amplification attacks: Attackers can exploit misconfigured DNS servers to amplify the volume of traffic directed at a target, overwhelming its resources and causing a denial of service.

DNS cache poisoning: Attackers can inject false information into a DNS server’s cache, redirecting users to a fake website or preventing them from accessing legitimate ones.

Zone transfers: Attackers can use zone transfer requests to obtain a copy of a DNS server’s entire zone file, giving them valuable information about the network and potential targets.

DNS tunneling: Attackers can use DNS packets to bypass firewalls and exfiltrate data from a compromised system, making it difficult to detect and block.

DDoS attacks: Attackers can launch distributed denial of service attacks against DNS servers, overwhelming them with traffic and rendering them unavailable.

Subdomain enumeration: Attackers can use tools to search for subdomains of a target domain, which can reveal additional attack surfaces and potential vulnerabilities.

DNSSEC attacks: Attackers can exploit vulnerabilities in DNSSEC implementations to compromise the integrity of DNS records and redirect users to malicious websites.

Reverse DNS attacks: Attackers can use reverse DNS to map IP addresses to domain names, potentially revealing sensitive information about a target’s infrastructure.

Brute-force attacks: Attackers can use brute-force techniques to guess DNS names, IP addresses, and other parameters, allowing them to discover potential targets and weaknesses in the network.

Mitigation

  1. DNS Security Extensions (DNSSEC) is a set of protocols that are used to secure the DNS protocol. DNSSEC adds digital signatures to DNS data to ensure its authenticity and integrity.

  2. DNS filtering is a technique that is used to block access to malicious websites. This technique is used by firewalls, routers, and other security devices to prevent users from accessing harmful sites.

  3. Rate limiting is a technique that is used to limit the number of DNS requests that a server can receive from a single IP address. This technique is used to prevent DNS flooding attacks.

  4. Firewall rules can be configured to restrict traffic to and from DNS servers. This can help to prevent attacks on DNS servers.

  5. Two-factor authentication can be used to secure access to DNS servers. This technique requires users to provide two forms of authentication before they can access the DNS server.

  6. DNS software should be regularly patched to fix known vulnerabilities. This can help to prevent attackers from exploiting known vulnerabilities.

  7. DNS servers should be regularly monitored to detect and respond to attacks. This can help to minimize the impact of attacks and prevent future attacks.

  8. Access to DNS servers should be restricted to authorized personnel only. This can help to prevent unauthorized access to DNS servers.

  9. DNS traffic should be encrypted to prevent eavesdropping and man-in-the-middle attacks.

  10. DNS servers should be configured in a redundant manner to ensure that DNS services are always available. This can help to prevent DNS outages and ensure the availability of DNS services.
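
Several of the mitigations above (DNSSEC, rate limiting, restricted access) correspond to server settings that can be checked automatically. The following is an added example, not code from the original article: it assumes a BIND 9 server and audits a `named.conf` options block for open recursion, unrestricted zone transfers, disabled DNSSEC validation and missing response rate limiting. Both configurations are constructed for illustration.

```python
import re

# Constructed BIND 9 options blocks (not from the page); the addresses are
# private/documentation ranges chosen for illustration.
WEAK_CONF = """
options {
    recursion yes;
    allow-recursion { any; };
    allow-transfer { any; };
    dnssec-validation no;
};
"""
HARDENED_CONF = """
options {
    recursion yes;
    allow-recursion { 10.0.0.0/8; };
    allow-transfer { 192.0.2.53; };
    dnssec-validation auto;
    rate-limit { responses-per-second 10; };
};
"""

def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def block(text, name):
    """Entries of a 'name { ...; }' clause, or None when the option is absent."""
    m = re.search(r"(?<![\w-])%s\s*\{([^}]*)\}" % re.escape(name), text)
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]

def value(text, name):
    """Value of a 'name value;' statement, or None when absent."""
    m = re.search(r"(?<![\w-])%s\s+([\w-]+)\s*;" % re.escape(name), text)
    return None if m is None else m.group(1)

def audit(conf):
    text, findings = strip_comments(conf), []
    if value(text, "recursion") != "no" and "any" in (block(text, "allow-recursion") or []):
        findings.append("open-recursion")  # open resolvers can be abused for amplification
    if "any" in (block(text, "allow-transfer") or []):
        findings.append("zone-transfer-any")  # anyone can copy the zone
    if value(text, "dnssec-validation") == "no":
        findings.append("dnssec-validation-off")
    if block(text, "rate-limit") is None:
        findings.append("no-response-rate-limit")
    return findings
```

Calling `audit(WEAK_CONF)` returns all four findings, while `audit(HARDENED_CONF)` returns an empty list.
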

Conclusion

DNS is an essential protocol that translates domain names into IP addresses and is fundamental to the proper functioning of the Internet. To protect DNS infrastructure from cyber attacks, it’s important to implement security measures such as DNSSEC, firewalls, intrusion detection/prevention systems, secure protocols, and regular software updates. Organizations must also train personnel and conduct security audits to identify potential vulnerabilities and gaps in the DNS infrastructure. Overall, DNS security is critical to overall cybersecurity and the reliability and availability of online services.
