Sun Dec 18

Analyzing and Enumerating DNS Records

In the last post, DNS zone transfer was mentioned a lot. If you have read that post, you already know that a zone transfer is simply the process of copying a zone file. Performing a zone transfer is, in itself, harmless.

From the attacker’s perspective, however, this zone file can be a “gold mine”: it may leak valuable information that gives a better understanding of how the organization is structured, and thus an idea of how an attack should be initiated.

Today, I will show you how you can do this and how you can analyze the information from this reconnaissance stage.

How to perform zone transfer?

To perform a zone transfer, you can use tools that come pre-installed with Linux, such as dig, host and nslookup. We will use only dig for now, as it gives a good idea of how the process works. Here’s a brief explanation of dig.

dig is a tool for interrogating DNS servers for their records. By definition, a server stores these records in a zone file, so dig can be used to enumerate DNS records from a DNS server.

We will also use a website called zonetransfer.me. I find this website very helpful, especially for those who are just learning the basics. I’m not affiliated with this website, but if you want to support it you can donate.

If you find yourself redirected to another URL when accessing the website, that is fine: the original domain has been permanently moved, but we can still use the aforementioned domain for the transfer.

Without further ado, let’s get started.

List name servers

To perform the actual transfer, the very first thing you need to know is the name of a name server for your target domain. The server could be primary or secondary. At this point you won’t know the name yet. To get the server name, you can use this command.

$ dig ns zonetransfer.me

This command lists all the name servers for this domain. It produces more output than this, but for now let’s focus on these lines.

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;zonetransfer.me.  IN NS
;; ANSWER SECTION:
zonetransfer.me. 7200 IN NS nsztm1.digi.ninja.
zonetransfer.me. 7200 IN NS nsztm2.digi.ninja.

Here you get two name servers: nsztm1.digi.ninja. and nsztm2.digi.ninja. You can choose either one.

Perform full zone transfer

Say that we want to use the first one. To perform a full zone transfer we need to use the AXFR query type.

$ dig axfr @nsztm1.digi.ninja. zonetransfer.me

After this, you will get the entire set of records.

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> axfr @nsztm1.digi.ninja. zonetransfer.me
; (1 server found)
;; global options: +cmd
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me. 300 IN HINFO "Casio fx-700G" "Windows XP"
zonetransfer.me. 301 IN TXT "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me. 7200 IN MX 0 ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN A 5.196.105.14
zonetransfer.me. 7200 IN NS nsztm1.digi.ninja.
zonetransfer.me. 7200 IN NS nsztm2.digi.ninja.
_acme-challenge.zonetransfer.me. 301 IN TXT "6Oa05hbUJ9xSsvYy7pApQvwCUSSGgxvrbdizjePEsZI"
_sip._tcp.zonetransfer.me. 14000 IN SRV 0 0 5060 www.zonetransfer.me.
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200 IN PTR www.zonetransfer.me.
asfdbauthdns.zonetransfer.me. 7900 IN AFSDB 1 asfdbbox.zonetransfer.me.
asfdbbox.zonetransfer.me. 7200 IN A 127.0.0.1
asfdbvolume.zonetransfer.me. 7800 IN AFSDB 1 asfdbbox.zonetransfer.me.
canberra-office.zonetransfer.me. 7200 IN A 202.14.81.230
cmdexec.zonetransfer.me. 300 IN TXT "; ls"
contact.zonetransfer.me. 2592000 IN TXT "Remember to call or email Pippa on +44 123 4567890 or [email protected] when making DNS changes"
dc-office.zonetransfer.me. 7200 IN A 143.228.181.132
deadbeef.zonetransfer.me. 7201 IN AAAA dead:beaf::
dr.zonetransfer.me. 300 IN LOC 53 20 56.558 N 1 38 33.526 W 0.00m 1m 10000m 10m
DZC.zonetransfer.me. 7200 IN TXT "AbCdEfG"
email.zonetransfer.me. 2222 IN NAPTR 1 1 "P" "E2U+email" "" email.zonetransfer.me.zonetransfer.me.
email.zonetransfer.me. 7200 IN A 74.125.206.26
Hello.zonetransfer.me. 7200 IN TXT "Hi to Josh and all his class"
home.zonetransfer.me. 7200 IN A 127.0.0.1
Info.zonetransfer.me. 7200 IN TXT "ZoneTransfer.me service provided by Robin Wood - [email protected]. See http://digi.ninja/projects/zonetransferme.php for more information."
internal.zonetransfer.me. 300 IN NS intns1.zonetransfer.me.
internal.zonetransfer.me. 300 IN NS intns2.zonetransfer.me.
intns1.zonetransfer.me. 300 IN A 81.4.108.41
intns2.zonetransfer.me. 300 IN A 167.88.42.94
office.zonetransfer.me. 7200 IN A 4.23.39.254
ipv6actnow.org.zonetransfer.me. 7200 IN AAAA 2001:67c:2e8:11::c100:1332
owa.zonetransfer.me. 7200 IN A 207.46.197.32
robinwood.zonetransfer.me. 302 IN TXT "Robin Wood"
rp.zonetransfer.me. 321 IN RP robin.zonetransfer.me. robinwood.zonetransfer.me.
sip.zonetransfer.me. 3333 IN NAPTR 2 3 "P" "E2U+sip" "!^.*$!sip:[email protected]!" .
sqli.zonetransfer.me. 300 IN TXT "' or 1=1 --"
sshock.zonetransfer.me. 7200 IN TXT "() { :]}; echo ShellShocked"
staging.zonetransfer.me. 7200 IN CNAME www.sydneyoperahouse.com.
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A 127.0.0.1
testing.zonetransfer.me. 301 IN CNAME www.zonetransfer.me.
vpn.zonetransfer.me. 4000 IN A 174.36.59.154
www.zonetransfer.me. 7200 IN A 5.196.105.14
xss.zonetransfer.me. 300 IN TXT "'><script>alert('Boo')</script>"
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600

This is quite a lot of information, but don’t worry. You don’t need to know everything in the output; knowing the purpose of each record type is enough to give you a brief overview of the organization. So, let’s pretend to be an attacker and start analyzing the records that could be useful.

Analyzing DNS Records

SOA

zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600

The details of the SOA record were explained in the last post. Although the actual record might differ, the concept is the same, so we can refer to that post. For now, we will focus on the other records.

HINFO

zonetransfer.me. 300 IN HINFO "Casio fx-700G" "Windows XP"

This record gives information about the hardware and the operating system used by our target. While it might seem trivial, it gives the attacker an idea of how to compromise the system. As an attacker, we can narrow down our “weapons of choice” because we know what system we are dealing with.

TXT

zonetransfer.me. 301 IN TXT "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
_acme-challenge.zonetransfer.me. 301 IN TXT "6Oa05hbUJ9xSsvYy7pApQvwCUSSGgxvrbdizjePEsZI"
contact.zonetransfer.me. 2592000 IN TXT "Remember to call or email Pippa on +44 123 4567890 or [email protected] when making DNS changes"
DZC.zonetransfer.me. 7200 IN TXT "AbCdEfG"

This record contains data that can be added arbitrarily by the administrator. Some of the most common uses today for this record are spam email prevention and domain ownership verification. Just for your information, this list has been filtered, so we are left with a few records which will probably be useful for us.

Based on the knowledge mentioned before, the string "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA" may be the actual verification code used to prove domain ownership. Next, we have _acme-challenge. This challenge is related to SSL certificates (see more about encryption here and digital certificates [here](https://www.binaryte.com/blog/why-are-digital-certificates-important)). Judging by the format, we may guess that it is the token used when applying for an SSL certificate.

The next one gives us pretty obvious contact information. In some cases, this could be important for social engineering. The last one is a TXT record used by GoDaddy, so we can tell that the certificate issuer used by the company is GoDaddy.

MX

zonetransfer.me. 7200 IN MX 0 ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX5.GOOGLEMAIL.COM.

The MX records tell us where email for the domain should be delivered. Here we get Google, so you can expect the features provided by Google’s SMTP servers. With a little research, you will find that at the very least these servers provide spam and virus checking, with additional phishing protection and email encryption.

A

zonetransfer.me. 7200 IN A 5.196.105.14
asfdbbox.zonetransfer.me. 7200 IN A 127.0.0.1
canberra-office.zonetransfer.me. 7200 IN A 202.14.81.230
dc-office.zonetransfer.me. 7200 IN A 143.228.181.132
email.zonetransfer.me. 7200 IN A 74.125.206.26
home.zonetransfer.me. 7200 IN A 127.0.0.1
intns1.zonetransfer.me. 300 IN A 81.4.108.41
intns2.zonetransfer.me. 300 IN A 167.88.42.94
office.zonetransfer.me. 7200 IN A 4.23.39.254
owa.zonetransfer.me. 7200 IN A 207.46.197.32
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A 127.0.0.1
vpn.zonetransfer.me. 4000 IN A 174.36.59.154
www.zonetransfer.me. 7200 IN A 5.196.105.14

The A records give the actual IP address of the domain (or subdomain). From these records, we get some interesting data.

canberra-office, dc-office, office

These subdomains may correspond to actual offices, based on the geolocation of the IP addresses. By checking this, we can assume that our target is a real office, so we can determine the most suitable time for the attack.

As an attacker, you don’t want your targets to notice anything weird happening on their network. Thus, you might choose a weekend, or roughly Friday night, to launch the attack. Since we know the location, we can determine the attack timeframe by referring to the time zone.

intns1, intns2, email

The first two subdomains may refer to the IP addresses of the primary and secondary internal name servers. The email subdomain refers to the IP address of a Google SMTP server. We can skip them for now.

owa

OWA may stand for Outlook Web Access, which is basically a browser-based email client for Microsoft Outlook. This is quite an interesting finding, because if we compare it with the company’s MX records, all email should be going to Google’s mail servers rather than Microsoft’s. At this point, we don’t have a clear picture of what it is really for.

vpn

Further investigation of this address leads us to a new organization name, SoftLayer Technologies Inc. This could imply that the company uses IaaS services from IBM, as “SoftLayer Technologies Inc.” is also referred to as “IBM SoftLayer”.

This subdomain may also provide access to the actual data center or point of presence. If we are right, then getting past this VPN server would usually also mean getting past any security devices (like IDS and IPS) along the way.

SRV

_sip._tcp.zonetransfer.me. 14000 IN SRV 0 0 5060 www.zonetransfer.me.

This record packs several fields into one line, so let’s break it down.

  • _sip - service
  • _tcp - protocol
  • zonetransfer.me. - name
  • 14000 - time-to-live
  • IN - zone class
  • SRV - record type
  • 0 - priority
  • 0 - weight
  • 5060 - port
  • www.zonetransfer.me. - target

First, the SIP service most likely refers to the Session Initiation Protocol, which is used for VoIP communication. The next field indicates the transport-layer protocol used. Then we can focus on the port it uses, port 5060.

This service can use either port 5060 or 5061. It is important to note that traffic on port 5060 is not encrypted, while traffic on port 5061 is. Using particular tools, this port can be exploited if the attacker has some additional data, such as registered users’ credentials.

PTR

14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200 IN PTR www.zonetransfer.me.

A PTR (pointer) record is the reverse of an A record: it maps an IP address back to a name. The record name contains .IN-ADDR.ARPA because reverse mappings are normally stored under the ARPA top-level domain. This is probably not so useful for us.

RP

rp.zonetransfer.me. 321 IN RP robin.zonetransfer.me. robinwood.zonetransfer.me.

RP stands for Responsible Person; it provides contact information for the person responsible for this domain.

NAPTR

email.zonetransfer.me. 2222 IN NAPTR 1 1 "P" "E2U+email" "" email.zonetransfer.me.zonetransfer.me.
sip.zonetransfer.me. 3333 IN NAPTR 2 3 "P" "E2U+sip" "!^.*$!sip:[email protected]!" .

This record usually comes in combination with SRV records. We can skip it for now.

LOC

dr.zonetransfer.me. 300 IN LOC 53 20 56.558 N 1 38 33.526 W 0.00m 1m 10000m 10m

By breaking this record down, we can retrieve information about the actual physical location.

  • dr.zonetransfer.me - owner
  • 300 - time-to-live
  • IN - class
  • LOC - record type
  • 53 - degrees latitude
  • 20 - minutes latitude
  • 56.558 - seconds latitude
  • N - cardinal direction
  • 1 - degrees longitude
  • 38 - minutes longitude
  • 33.526 - seconds longitude
  • W - cardinal direction
  • 0.00m - altitude in meters
  • 1m - size in meters
  • 10000m - horizontal precision (defaults to 10000m)
  • 10m - vertical precision (defaults to 10m)

Now we know the actual location. Because the coordinates are presented in degrees/minutes/seconds, we first need to convert them to decimal latitude and longitude. To do this, you can use any online converter out there.
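As an added example (not part of the original post), the conversion can also be done offline. The script below parses a LOC record in the format shown above, applies the defaults from the LOC specification for the optional size and precision fields, and converts degrees/minutes/seconds to decimal coordinates (west and south become negative). The `parse_loc` and `dms_to_decimal` names are my own; the record line is the one from the zone dump above.

```python
"""Parse a DNS LOC record and convert its DMS coordinates to decimal degrees."""
import re

# Constructed input: the LOC record from the zonetransfer.me dump above.
SAMPLE_LOC = "dr.zonetransfer.me. 300 IN LOC 53 20 56.558 N 1 38 33.526 W 0.00m 1m 10000m 10m"

# Presentation format: d1 [m1 [s1]] N|S d2 [m2 [s2]] E|W alt[m] [siz[m] [hp[m] [vp[m]]]]
LOC_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+LOC\s+"
    r"(?P<lat_d>\d+)(?:\s+(?P<lat_m>\d+))?(?:\s+(?P<lat_s>\d+(?:\.\d+)?))?\s+(?P<ns>[NS])\s+"
    r"(?P<lon_d>\d+)(?:\s+(?P<lon_m>\d+))?(?:\s+(?P<lon_s>\d+(?:\.\d+)?))?\s+(?P<ew>[EW])\s+"
    r"(?P<alt>-?\d+(?:\.\d+)?)m?"
    r"(?:\s+(?P<size>\d+(?:\.\d+)?)m?)?"
    r"(?:\s+(?P<hp>\d+(?:\.\d+)?)m?)?"
    r"(?:\s+(?P<vp>\d+(?:\.\d+)?)m?)?\s*$"
)


def dms_to_decimal(degrees, minutes, seconds, hemisphere):
    """Degrees/minutes/seconds to a signed decimal degree value."""
    value = degrees + minutes / 60 + seconds / 3600
    return -value if hemisphere in ("S", "W") else value


def parse_loc(line):
    """Return the owner, decimal coordinates and the size/precision fields of a LOC record."""
    m = LOC_RE.match(line.strip())
    if not m:
        raise ValueError("not a LOC record: " + line)
    g = m.groupdict()
    lat = dms_to_decimal(int(g["lat_d"]), int(g["lat_m"] or 0), float(g["lat_s"] or 0), g["ns"])
    lon = dms_to_decimal(int(g["lon_d"]), int(g["lon_m"] or 0), float(g["lon_s"] or 0), g["ew"])
    return {
        "owner": g["owner"],
        "latitude": round(lat, 6),
        "longitude": round(lon, 6),
        "altitude_m": float(g["alt"]),
        # Defaults for the optional fields, as listed in the breakdown above.
        "size_m": float(g["size"]) if g["size"] else 1.0,
        "horiz_precision_m": float(g["hp"]) if g["hp"] else 10000.0,
        "vert_precision_m": float(g["vp"]) if g["vp"] else 10.0,
    }


if __name__ == "__main__":
    loc = parse_loc(SAMPLE_LOC)
    print(f"{loc['owner']} -> {loc['latitude']}, {loc['longitude']} "
          f"(altitude {loc['altitude_m']} m, size {loc['size_m']} m)")
```

The resulting decimal pair can be pasted straight into any mapping tool. Note that a LOC record is self-reported by the zone administrator, so treat it as a hint about the organization’s location rather than as a verified fact.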

CNAME

staging.zonetransfer.me. 7200 IN CNAME www.sydneyoperahouse.com.
testing.zonetransfer.me. 301 IN CNAME www.zonetransfer.me.

CNAME (Canonical Name) records are basically aliases for a domain or subdomain. From the names, we presume that these two subdomains are used in the development phase, where security is usually not the main concern. Thus, we can consider them as targets as well.
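To tie the record-by-record analysis together, here is an added example (my own code, not from the original post or from zonetransfer.me) that parses the raw `dig axfr` output into records and performs the same triage automatically: it counts records per type, lists the A records whose addresses are actually reachable from the Internet (the 127.0.0.1 entries above cannot be, so a scanner would waste time on them), lists CNAMEs that point outside the zone (staging.zonetransfer.me above, a pattern a defender checks for dangling aliases), and verifies that the dump is complete by checking that it starts and ends with the same SOA. The sample input is a constructed subset of the zone dump shown earlier, and the function names are my own.

```python
"""Parse `dig axfr` output and triage the records by type."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a subset of the zonetransfer.me AXFR output shown above.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> axfr @nsztm1.digi.ninja. zonetransfer.me
; (1 server found)
;; global options: +cmd
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me. 300 IN HINFO "Casio fx-700G" "Windows XP"
zonetransfer.me. 301 IN TXT "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me. 7200 IN MX 0 ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN A 5.196.105.14
asfdbbox.zonetransfer.me. 7200 IN A 127.0.0.1
canberra-office.zonetransfer.me. 7200 IN A 202.14.81.230
home.zonetransfer.me. 7200 IN A 127.0.0.1
owa.zonetransfer.me. 7200 IN A 207.46.197.32
staging.zonetransfer.me. 7200 IN CNAME www.sydneyoperahouse.com.
vpn.zonetransfer.me. 4000 IN A 174.36.59.154
www.zonetransfer.me. 7200 IN A 5.196.105.14
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
"""

# owner  ttl  IN  type  rdata   (dig prints one record per line in this form)
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s+(.*)$")


def parse_axfr(text):
    """Return a list of (owner, ttl, type, rdata) tuples, skipping dig's ';' comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.lower(), int(ttl), rtype, rdata))
    return records


def count_by_type(records):
    """How many records of each type the zone contains."""
    counts = defaultdict(int)
    for _, _, rtype, _ in records:
        counts[rtype] += 1
    return dict(counts)


def public_hosts(records):
    """A records with a globally routable address; loopback/private targets are dropped
    because they are unreachable from outside (and are often decoys in this zone)."""
    hosts = []
    for owner, _, rtype, rdata in records:
        if rtype == "A" and ipaddress.ip_address(rdata).is_global:
            hosts.append((owner, rdata))
    return sorted(hosts)


def offsite_aliases(records, zone):
    """CNAMEs pointing outside the zone: worth reviewing for dangling aliases."""
    suffix = zone.rstrip(".").lower() + "."
    return [(o, r) for o, _, t, r in records if t == "CNAME" and not r.lower().endswith(suffix)]


def zone_is_complete(records):
    """dig prints the SOA twice, at the start and at the end, when the transfer
    finished; a missing or differing closing SOA means a truncated dump."""
    return (len(records) >= 2 and records[0][2] == "SOA"
            and records[-1][2] == "SOA" and records[0] == records[-1])


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print("complete transfer:", zone_is_complete(recs))
    print("records by type:", count_by_type(recs))
    print("public hosts:", public_hosts(recs))
    print("off-site aliases:", offsite_aliases(recs, "zonetransfer.me"))
```

The same parser works on a full dump saved with `dig axfr @server zone > zone.txt`; only the regex for the record line matters, so records of types not covered here (SRV, LOC, NAPTR) are still captured with their raw rdata.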

How to block publicly accessible zone transfer?

By now you should have an idea of how critical this data is supposed to be. Armed with this information, attackers can map the target network almost entirely. Yet this data is often publicly exposed due to misconfiguration.

From the last post, we know that zone transfer uses port 53. To prevent zone transfers from the public, you can close this port to the outside world. Alternatively, you can restrict AXFR queries to specific IP addresses only, which blocks unauthorized access while leaving normal lookups working.
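As an added example (not from the original post), this is what that restriction looks like in a BIND named.conf, with the open setting beside the hardened one. The zone name, file name, secondary address (192.0.2.53) and key name are placeholders I chose; the secret is a placeholder too and must be generated for a real deployment (for example with tsig-keygen). Note that port 53 itself must stay open for ordinary queries; what gets restricted is only the AXFR request.

```conf
// Weak: every client on the Internet may pull the whole zone with AXFR.
options {
    allow-transfer { any; };
};

// Hardened: transfers are refused unless the request is signed with the
// shared TSIG key, which only the legitimate secondary server holds.
key "xfer-key" {                      // placeholder key name
    algorithm hmac-sha256;
    secret "<base64 secret, placeholder>";  // generate with tsig-keygen
};

zone "example.com" {                  // placeholder zone
    type primary;                     // "type master;" on older BIND releases
    file "example.com.zone";
    // Only TSIG-signed requests may transfer; unsigned requests from any
    // address, including 192.0.2.53, are refused.
    allow-transfer { key xfer-key; };
    also-notify { 192.0.2.53; };      // placeholder secondary address
};
```

After reloading the server, re-run the earlier command against it; dig reports "Transfer failed." when the server refuses the AXFR, which is the result you want from an unauthenticated client.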

Conclusion

In this article, we have learned how to perform a zone transfer using the dig command and how to analyze the DNS records in the output. We have seen that a zone transfer can reveal a lot of information about the target domain and its network structure, which attackers can use to plan further attacks.

We have also learned how to block publicly accessible zone transfer by closing port 53 or binding the AXFR query to a specific IP address. Zone transfer is a powerful technique for reconnaissance, but it should be used with caution and only with permission from the domain owner.