# DNS (Port 53)

## What is DNS?

DNS stands for Domain Name System. It is a hierarchical, distributed naming system that translates domain names into IP addresses; think of it as the phone book of the internet.

For example:

```
fox.com -> 192.168.1.1 (IPv4)
fox.com -> 2400:cb00:2048:1::c629:d7a2 (IPv6)
```

Each machine connected to the internet has a unique IP address, which other machines use to reach that device. "fox.com" also runs on a machine with an IP address (192.168.1.1 in the example above), but how would you remember that IP every time you wanted to visit the site? That is where DNS comes in: it removes the need to remember IP addresses.

### How does a DNS server work?

When you enter a hostname or domain in the browser, DNS translates it to an IP address (IPv4 or IPv6), which the browser then uses to fetch the requested data.

When a user requests a domain from the web browser, the browser first checks its local caches for the IP. If it is not found there, the browser contacts the DNS resolver, which looks up the IP address assigned to that domain in its database. The resolver is a server provided by your Internet Service Provider (ISP) or by a public DNS service such as Google DNS (8.8.8.8).

Most companies do not allow direct access by IP address (the IP is hidden in most cases for security reasons). For example, if you somehow obtain the IP of the domain and request it directly, you may get a response saying that you are not allowed to connect because you requested the IP directly. Requesting the IP directly also skips DNS resolution entirely. Conversely, some web applications can only be reached by IP address.

Four DNS servers are involved in fetching the data you request over the internet:

* DNS Recursor: This server is designed to receive queries from users' machines through applications such as web browsers. If no cached data exists for the requested query, it forwards the request to a Root nameserver.
* Root Nameserver: This server knows where the IP of the requested domain can be found. It directs the query to the TLD nameserver responsible for ".com"; if the domain being looked up ends in ".org", the query is directed to the TLD nameserver responsible for ".org". It acts like a library index that tells the resolver which TLD server to query next.
* TLD Nameserver: The top-level domain (TLD) server handles domain names that end with ".com" and knows where to find the authoritative nameserver for the requested domain.
* Authoritative Nameserver: This server stores the DNS records for that specific domain. It responds to the DNS recursor with the exact IP address for the requested domain, and the recursor sends that IP address back to the web browser, which then connects you to the domain.

The process carried out by these four DNS servers is called DNS resolution.
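The chain above (recursor asks root, root refers to the TLD, TLD refers to the authoritative server, recursor caches the answer) can be simulated offline. The following Python script is an added example, not code from these notes: every server, zone, hostname and IP address in it is a constructed stand-in, and the referral logic is a simplified model of what real servers do (a server hands back a referral plus the "glue" A record of the next server so the recursor knows where to go).

```python
"""Offline simulation of iterative DNS resolution (added example, not the notes' code).

Every NameServer below is a constructed stand-in for a real server; the zone
data, server names and IP addresses are made-up sample values.
"""
from dataclasses import dataclass, field


def suffixes(fqdn):
    """'www.fox.com.' -> ['www.fox.com.', 'fox.com.', 'com.', '.'] (longest first)."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


@dataclass
class NameServer:
    name: str       # human-readable label used to record the query path
    zone: str       # zone this server is authoritative for ('.' for a root server)
    records: dict   # (owner_name, rtype) -> list of rdata strings

    def query(self, qname, qtype):
        """Answer the way an authoritative server does: referral, answer or NXDOMAIN.

        A delegation (an NS record for a child zone enclosing qname) takes
        priority, so the server never answers for names it has handed off.
        """
        for suffix in suffixes(qname):
            if suffix != self.zone and (suffix, "NS") in self.records:
                return "REFERRAL", self.records[(suffix, "NS")]
        if (qname, qtype) in self.records:
            return "ANSWER", self.records[(qname, qtype)]
        return "NXDOMAIN", []


@dataclass
class Recursor:
    """The DNS recursor: walks root -> TLD -> authoritative and caches the answer."""
    root_ip: str
    servers: dict                               # ip -> NameServer (the "network")
    cache: dict = field(default_factory=dict)

    def resolve(self, qname, qtype):
        """Return (rdata_list, path_of_servers_asked)."""
        if (qname, qtype) in self.cache:
            return self.cache[(qname, qtype)], ["cache"]
        path, server_ip = [], self.root_ip
        while True:
            server = self.servers[server_ip]
            path.append(server.name)
            status, data = server.query(qname, qtype)
            if status == "ANSWER":
                self.cache[(qname, qtype)] = data
                return data, path
            if status == "NXDOMAIN":
                return [], path
            # REFERRAL: the referring server also holds glue (the A record of the
            # next server); without it we would first have to resolve that name.
            next_ns = data[0]
            server_ip = server.records[(next_ns, "A")][0]


# Constructed zone data: each server only knows its own zone plus glue.
ROOT = NameServer("root", ".", {
    ("com.", "NS"): ["a.gtld-servers.net."],
    ("a.gtld-servers.net.", "A"): ["192.0.2.1"],      # glue (documentation address)
})
COM_TLD = NameServer("com TLD", "com.", {
    ("fox.com.", "NS"): ["ns1.fox.com."],
    ("ns1.fox.com.", "A"): ["192.168.1.53"],          # glue (made-up)
})
FOX_AUTH = NameServer("fox.com authoritative", "fox.com.", {
    ("fox.com.", "A"): ["192.168.1.1"],
    ("fox.com.", "AAAA"): ["2400:cb00:2048:1::c629:d7a2"],
    ("ns1.fox.com.", "A"): ["192.168.1.53"],
})
SERVERS = {"198.51.100.1": ROOT, "192.0.2.1": COM_TLD, "192.168.1.53": FOX_AUTH}


def demo():
    """Three lookups: a full walk, a cache hit, and a name that does not exist."""
    recursor = Recursor(root_ip="198.51.100.1", servers=SERVERS)
    first = recursor.resolve("fox.com.", "A")
    second = recursor.resolve("fox.com.", "A")       # served from the recursor cache
    missing = recursor.resolve("nope.fox.com.", "A")
    return first, second, missing


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The path returned with each answer makes the three hops visible; the second lookup never leaves the recursor, which is exactly why cache poisoning (a wrong answer stored at this step) is so damaging: every later client gets the poisoned record until the TTL expires.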

### DNS Record Types

* A record - Stores IPv4 addresses; reveals the server's IP.
* AAAA record - Stores IPv6 addresses. Admins sometimes forget to apply security policies on IPv6 even though they configure them for IPv4.
* CNAME record - A Canonical Name (CNAME) record forwards one domain or subdomain to another domain. A CNAME whose target is no longer under the owner's control is what makes subdomain takeover possible.
* MX record - Mail Exchange (MX) records store the instructions for directing email to mail servers using the SMTP protocol. They hold values such as "mail.fox.com", so they reveal the mail server infrastructure that phishing or spoofing attacks would target.
* TXT record - Allows an admin to store text notes in the zone; these are commonly used for email security policies. Can lead to sensitive information leakage.
* NS record - A Nameserver (NS) record stores the nameserver for a DNS entry.
* SOA record - The Start of Authority (SOA) record contains critical information about the DNS zone and plays a crucial role in zone transfers between DNS servers. It also stores administrative information about the domain.
* SRV record - Service (SRV) records store host and port details for specific internet services such as email or VoIP. Some protocols, like LDAP, require valid SRV records to work properly. They can reveal internal running services.
* PTR record - Pointer (PTR) records are the inverse of A or AAAA records: they map an IP address back to a domain name in reverse lookups.

There are other, less common record types, but the ones listed above hold the most important information about a domain.
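To see what these record types look like on the wire, the following Python script is an added example (not code from these notes or any library): it builds a DNS query and parses a hand-constructed response containing A, AAAA, MX, TXT and CNAME records for the notes' sample domain. The message bytes, TTLs and the TXT content are made up for the example. It uses only the standard library and implements RFC 1035 name compression, including the check a parser needs so that a malformed pointer cannot send it into an infinite loop.

```python
"""DNS wire format (RFC 1035) by hand: build a query, parse a response.

Added example, not the notes' code. SAMPLE_RESPONSE is a hand-built message
reusing the notes' sample values; the TXT text and TTLs are made up.
"""
import ipaddress
import struct

TYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}
QTYPE_ANY = 255


def encode_name(name):
    """'fox.com.' -> b'\\x03fox\\x03com\\x00' (length-prefixed labels, root = 0)."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234):
    """Header (ID, flags with RD=1, QDCOUNT=1) followed by one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def read_name(msg, off):
    """Decode a possibly compressed name. Returns (name, offset after the name).

    Compression pointers (top two bits 11) may only point backwards; rejecting
    forward or self pointers guarantees termination on hostile input.
    """
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("invalid compression pointer (loop)")
            if end is None:            # the name ends after the first pointer
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_rdata(msg, rtype, off, rdlen):
    if rtype == 1:
        return str(ipaddress.IPv4Address(msg[off:off + 4]))
    if rtype == 28:
        return str(ipaddress.IPv6Address(msg[off:off + 16]))
    if rtype in (2, 5):                                # NS, CNAME: one domain name
        return read_name(msg, off)[0]
    if rtype == 15:                                    # MX: preference + exchange
        return struct.unpack("!H", msg[off:off + 2])[0], read_name(msg, off + 2)[0]
    if rtype == 16:                                    # TXT: <len><chars> strings
        texts, end = [], off + rdlen
        while off < end:
            n = msg[off]
            texts.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
        return "".join(texts)
    return msg[off:off + rdlen].hex()                  # unknown type: raw bytes


def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, TYPES.get(rtype, str(rtype)), ttl,
                        parse_rdata(msg, rtype, off, rdlen)))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "records": records}


def _rr(owner, rtype, ttl, rdata):
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


PTR_QNAME = b"\xc0\x0c"   # pointer to offset 12, where 'fox.com.' sits in the question
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 5, 0, 0)       # QR=1, RD, RA, NOERROR
    + encode_name("fox.com.") + struct.pack("!HH", QTYPE_ANY, 1)
    + _rr(PTR_QNAME, 1, 300, bytes([192, 168, 1, 1]))
    + _rr(PTR_QNAME, 28, 300, ipaddress.IPv6Address("2400:cb00:2048:1::c629:d7a2").packed)
    + _rr(PTR_QNAME, 15, 300, struct.pack("!H", 10) + b"\x04mail" + PTR_QNAME)
    + _rr(PTR_QNAME, 16, 300, b"\x0ev=spf1 mx -all")
    + _rr(b"\x03www" + PTR_QNAME, 5, 300, PTR_QNAME)
)

if __name__ == "__main__":
    print(build_query("fox.com.", 1).hex())
    for rec in parse_response(SAMPLE_RESPONSE)["records"]:
        print(rec)
```

The sample response shows why the record list above matters to an assessor: a single reply can hand over the IPv4 and IPv6 addresses, the mail exchanger, a text policy and a subdomain alias at once. On the defensive side, the `ptr >= off` check in `read_name` is the kind of input validation any DNS-parsing code (resolvers, IDS parsers, log tooling) needs, since a looping pointer would otherwise hang the parser.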

### Why DNS matters in Pentesting

If DNS is misconfigured at an organisation's level:

* Through reconnaissance you can discover subdomains, and even the entire infrastructure, simply by reading DNS records.
* If zone transfer is possible, it can lead to exploitation.
* Subdomain takeover.
* DNS tunnelling.
* DNS spoofing.
* DNS poisoning.

In short, DNS can hand you sensitive information about a domain and point you towards further vulnerabilities.
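Of the items above, DNS tunnelling is the one a defender is most likely to have to find in their own logs, since it abuses a protocol that firewalls almost always allow out. The following Python script is an added example, not code from these notes or from any product: it runs a few simple heuristics (number of unique names per client and domain, length and entropy of the leftmost label, share of TXT/NULL queries) over constructed BIND-style query-log lines. The client IPs, domains, thresholds and payload-like labels are all made up for the example, and the "registered domain" helper is a simplification that real tooling would replace with the Public Suffix List.

```python
"""Heuristic DNS tunnelling detection over resolver query logs (added example).

Not the notes' code. SAMPLE_LOG is constructed in a BIND-style query-log
format; client IPs, domains, thresholds and payload-like labels are made up.
"""
import hashlib
import math
import re
from collections import defaultdict

LOG_LINE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

# Constructed sample: ordinary browsing from 10.0.0.5, and a burst of TXT
# queries from 10.0.0.7 whose leftmost label looks like an encoded payload
# (sha1 hex digests stand in for the encoded data a tunnel would carry).
_NORMAL = ["www.fox.com A", "mail.fox.com MX", "fox.com AAAA",
           "api.fox.com A", "cdn.fox.com A", "docs.fox.com A"]
SAMPLE_LOG = [
    f"01-Mar-2024 10:00:{i:02d}.000 client 10.0.0.5#51234: query: "
    f"{q.split()[0]} IN {q.split()[1]} + (10.0.0.53)"
    for i, q in enumerate(_NORMAL)
] + [
    f"01-Mar-2024 10:01:{i:02d}.000 client 10.0.0.7#40001: query: "
    f"{hashlib.sha1(f'chunk{i}'.encode()).hexdigest()}.t.example.net IN TXT + (10.0.0.53)"
    for i in range(6)
]


def shannon_entropy(s):
    """Bits per character: encoded payloads score high, dictionary words low."""
    if not s:
        return 0.0
    freq = {c: s.count(c) / len(s) for c in set(s)}
    return -sum(p * math.log2(p) for p in freq.values())


def registered_domain(qname):
    """Last two labels. Simplification: real tooling should use the Public Suffix List."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyze(lines, min_unique=5, max_label_len=30, max_entropy=3.5):
    """Group queries by (client, registered domain) and flag tunnel-like patterns.

    Indicators: many unique names under one domain, long or high-entropy
    leftmost labels, and a large share of TXT/NULL queries (which carry data back).
    """
    stats = defaultdict(lambda: {"names": set(), "lens": [], "ents": [], "txt": 0, "total": 0})
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        client, qname, qtype = m["client"], m["qname"].rstrip("."), m["qtype"]
        domain = registered_domain(qname)
        s = stats[(client, domain)]
        s["total"] += 1
        s["names"].add(qname)
        if qtype in ("TXT", "NULL"):
            s["txt"] += 1
        if qname != domain:
            leftmost = qname[: -len(domain) - 1].split(".")[0]
            s["lens"].append(len(leftmost))
            s["ents"].append(shannon_entropy(leftmost))
    findings = []
    for (client, domain), s in stats.items():
        if len(s["names"]) < min_unique or not s["lens"]:
            continue                       # too little traffic to judge
        mean_len = sum(s["lens"]) / len(s["lens"])
        mean_ent = sum(s["ents"]) / len(s["ents"])
        if mean_len > max_label_len or mean_ent > max_entropy:
            findings.append({"client": client, "domain": domain,
                             "unique_names": len(s["names"]),
                             "mean_label_len": mean_len,
                             "mean_entropy": round(mean_ent, 2),
                             "txt_ratio": s["txt"] / s["total"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The ordinary browsing from 10.0.0.5 stays below every threshold (short, low-entropy labels such as `www` and `mail`), while the burst from 10.0.0.7 is flagged on label length alone, with the TXT ratio reported as supporting evidence. In production the thresholds need tuning against a baseline, because CDNs and some security products legitimately generate long, random-looking labels.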
