pentesting-dns

star 618

Testing DNS services (default 53/TCP+UDP, 5353/UDP mDNS) for zone transfers (AXFR), version/banner disclosure, subdomain and reverse-lookup enumeration, open recursion/amplification, DNSSEC and CAA misconfiguration, and Active Directory SRV record discovery during authorized engagements.

xalgord By xalgord schedule Updated 6/6/2026
play_arrow Run Skill in Manus View GitHub

name: pentesting-dns description: Testing DNS services (default 53/TCP+UDP, 5353/UDP mDNS) for zone transfers (AXFR), version/banner disclosure, subdomain and reverse-lookup enumeration, open recursion/amplification, DNSSEC and CAA misconfiguration, and Active Directory SRV record discovery during authorized engagements. domain: cybersecurity subdomain: network-services-pentesting tags:

  • penetration-testing
  • network-services
  • dns version: '1.0' author: xalgorix license: Apache-2.0

Pentesting DNS (port 53)

When to Use

  • Default port 53/tcp and 53/udp (queries on UDP, zone transfers and large answers on TCP); 5353/udp for mDNS/zeroconf.
  • When nmap/banner shows domain, e.g. 53/tcp open domain Microsoft DNS 6.1.7601 ... Windows Server 2008 R2 SP1.
  • For mapping an organization's attack surface (subdomains, mail/AD infrastructure) and for finding misconfigured authoritative/recursive servers.

Quick Enumeration

# Version banner (works on most BIND servers)
dig version.bind CHAOS TXT @<DNS_IP>
nmap -p53 --script dns-nsid <DNS_IP>      # also grabs NSID/version

# Default DNS NSE sweep
nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" <IP>

# Record lookups
dig ANY  @<DNS_IP> <DOMAIN>     # everything the server will disclose
dig A    @<DNS_IP> <DOMAIN>
dig AAAA @<DNS_IP> <DOMAIN>
dig TXT  @<DNS_IP> <DOMAIN>
dig MX   @<DNS_IP> <DOMAIN>
dig NS   @<DNS_IP> <DOMAIN>
dig -x 192.168.0.2 @<DNS_IP>    # reverse lookup

# Interactive
nslookup
> SERVER <DNS_IP>
> <IP_MACHINE>                   # reverse lookup

Critical: Checks Most Often Missed

  • Zone transfer (AXFR) — the single highest-value miss; dumps the entire zone (every host/record). Try with and without a guessed domain:
dig axfr @<DNS_IP>                 # try without a domain
dig axfr @<DNS_IP> <DOMAIN>        # try guessing the domain
fierce --domain <DOMAIN> --dns-servers <DNS_IP>   # AXFR against every NS, then dict attack
dnsrecon -d active.htb -a -n <DNS_IP>             # zone transfer
  • Open recursion / amplification — if recursion is on, the server can be abused for reflected DDoS using big ANY/DNSSEC answers.
  • Active Directory SRV records_gc, _ldap, _kerberos, _kpasswd reveal domain controllers.
  • DNSSEC/NSEC zone walking, lame/out-of-sync delegation, overly broad CAA issue/issuewild, and very low TTLs (accelerate malicious record propagation).

How to CONFIRM

  • AXFR success: dig axfr returns multiple records and a closing SOA instead of Transfer failed/connection timed out.
  • Recursion available: dig google.com A @<IP> response flags contain ra (recursion available).
  • AD environment: SRV queries return _kerberos._tcp/_ldap._tcp targets pointing at DCs.
  • Version disclosure: dig version.bind CHAOS TXT returns a version string instead of refused/empty.

Workflow

Step 1: Enumerate

Fingerprint with dig version.bind CHAOS TXT @<DNS_IP> / fpdns / nmap --script dns-nsid. Run the default *dns* NSE sweep. Identify whether the server is authoritative, recursive, or caching.

Step 2: Authenticate / unauth access

DNS queries are unauthenticated. Test the trust boundary instead: attempt AXFR (relies on a permissive allow-transfer), and test recursion (allow-recursion/allow-query) by querying an external domain and checking the ra flag.

Step 3: Exploit / Extract

  • Pull the zone via AXFR if allowed.
  • Brute force subdomains and reverse ranges when AXFR is blocked:
for sub in $(cat <WORDLIST>); do dig $sub.<DOMAIN> @<DNS_IP> | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt; done
dnsenum --dnsserver <DNS_IP> --enum -p 0 -s 0 -o subdomains.txt -f <WORDLIST> <DOMAIN>
dnsrecon -D subdomains-1000.txt -d <DOMAIN> -n <DNS_IP>
dnsrecon -r 127.0.0.0/24 -n <DNS_IP>     # reverse sweep
dnsdict6 -s -t <domain>                   # IPv6 (AAAA) brute force
  • Enumerate AD/service records:
dig -t _gc._tcp.lab.domain.com
dig -t _ldap._tcp.lab.domain.com
dig -t _kerberos._tcp.lab.domain.com
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='domain.com'"
nmap -sSU -p53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=<DOMAIN> <NS_IP>  # NSEC walk

Step 4: Post-access / pivot

Use recovered hostnames/IPs (especially internal-IP subdomains) to reach internal services; if a subdomain resolves to an internal IP, do reverse-DNS brute forcing of that range against the zone's NS. Send mail to a non-existent address at the domain to harvest internal server names/IPs from the NDN bounce headers.

Key Concepts

Concept Description
AXFR Asynchronous Full Transfer Zone — dumps an entire zone if allow-transfer is permissive
Authoritative vs recursive/caching Authoritative answers for its zones; recursive resolves for clients (recursion = amplification risk)
ra flag "Recursion available" in the response; indicates open recursion
SRV records _service._proto records locating servers (AD DCs via _kerberos/_ldap/_gc)
DNSSEC / NSEC Signed zones; NSEC chains can be walked to enumerate names
CAA Authorizes which CAs may issue certs; over-broad policy widens cert-abuse surface

Tools & Systems

Tool Purpose
dig All record types, AXFR, version.bind, recursion/DNSSEC checks
nslookup Interactive queries / reverse lookups
fierce AXFR attempts against every NS then dictionary brute force
dnsrecon Zone transfer, reverse sweeps, subdomain brute force
dnsenum Subdomain enumeration with wordlists
dnscan / dnsdict6 Recursive and IPv6 subdomain brute forcing
nmap dns- NSE* dns-nsid, dns-srv-enum, dns-nsec-enum, recursion checks
Metasploit auxiliary/gather/enum_dns, auxiliary/scanner/dns/dns_amp

Common Scenarios

Scenario 1: Open AXFR

dig axfr @<DNS_IP> <DOMAIN> succeeds and dumps the full zone, exposing every internal hostname and IP — instant attack-surface map.

Scenario 2: AD domain controller discovery

SRV queries for _ldap._tcp and _kerberos._tcp return the FQDNs and ports of domain controllers, seeding AD attacks.

Scenario 3: Open recursion amplifier

dig google.com A @<IP> shows the ra flag; the resolver can be abused for ANY/DNSSEC reflection amplification.

Output Format

## DNS Finding

**Service**: DNS (53/tcp+udp)
**Severity**: <High|Medium|Low>
**Target**: <DNS_IP>  Software: <BIND x.y | Microsoft DNS ...>

### Evidence
- AXFR allowed: dig axfr @<IP> <DOMAIN> returned full zone (<N> records)
- Recursion available (ra flag) -> amplification risk
- AD SRV records disclosed DCs: <hostnames>
- version.bind: <version string>

### Reproduction
dig axfr @<DNS_IP> <DOMAIN>
dig google.com A @<DNS_IP>     # check ra flag

### Recommendation
1. Restrict `allow-transfer` to secondary NS only; block AXFR from untrusted IPs
2. Disable recursion on authoritative servers (`allow-recursion`/`recursion no`)
3. Hide version (`version "";` in BIND options)
4. Tighten CAA, ensure DNSSEC key rollover (DS/CDS) is consistent
Install via CLI
npx skills add https://github.com/xalgord/xalgorix --skill pentesting-dns
Repository Details
star Stars 618
call_split Forks 109
navigation Branch main
article Path SKILL.md
More from Creator
xalgord
xalgord Explore all skills →