DNS - Setting the Record Straight

The domain name systems, more commonly referred to as DNS is essentially a phone book of the Internet. Ler's take a deep dive into DNS....

a month ago

Latest Post DNS - Setting the Record Straight by Andy Gill

Following my deep dive on nmap which you can read here, comes a second deep dive but this time into the wonderful world of DNS, how it works, how to setup different records, what they mean etc. It is such a multifaceted subject, this blog post will not cover every in and out as otherwise it'd span several thousand pages and words. Instead my aim is to cover off the basics and some known attacks/ways to secure and exploit weaknesses.

WTF is DNS?

The Domain Name System{s}(DNS) is essentially a phonebook of the Internet. To access information and websites online, this is achieved via the use of domain names, like zsec.uk. Web browsers(Browsers) interact with Internet Protocol (IP) addresses. The service translates human readable domain names into computer readable IP addresses to enable browsers to load resources on the Internet.

Every device connected to the Internet will have a unique IP address which other machines use to find the device. DNS servers eliminate the need for humans to memorize IP addresses such as 10.10.200.1 (in IPv4), or more complex newer alphanumeric IP addresses such as FE80::0202:B3FF:FE1E:8329 (in IPv6).

How Does It Work?

DNS as described above basically translates domain names into ip addresses, a DNS lookup(i.e how you browse to a site), can be split up into a series of steps;

  1. A user types ‘zsec.uk’ into their web browser and the request travels into the Internet and is received by a DNS recursive resolver.
  2. The resolver then queries a DNS root nameserver(explained below) (.).
  3. The root server then takes the request and responds to the resolver with the address of a Top Level Domain (TLD) DNS server (such as .com, .uk or etc), which stores the information for the domains belonging to that TLD(i.e any .uk domain for the .uk TLD DNS Server). When searching for zsec.uk, our request is pointed toward the .uk TLD.
  4. The resolver then makes a request to the .uk TLD server. Which then responds with the IP address of the domain's name server, zsec.uk.
  5. Lastly, the recursive resolver sends a query to the domain’s nameserver. The IP address for blog.zsec.uk is then returned to the resolver from the nameserver.
  6. The DNS resolver then responds to the web browser with the IP address of the domain requested initially and then the browser makes a request to the IP address.
  7. Finally, the server at that IP returns the webpage to be rendered in the browser and the browser renders it.

There are four separate types of server involved in loading a web page, a DNS recursor and three different name servers:

  1. DNS recursor - A DNS recursor is designed to receive queries and lookups from applications such as web browsers. Normally the recursor is then responsible for making additional requests in order to satisfy the client’s DNS query. For example if you want to browse to blog.zsec.uk, a recursor will go away and make the other requests required to gain information to render and load the site. The other requests are made to the root, TLD and authorative name servers which are described below.

  2. Root nameserver - The root server is the first step in translating (resolving) human readable host names into IP addresses. It is similar to an index in a library that points to different racks of books - typically it serves as a reference to other more specific locations of information.

  3. Top Level Domain(TLD) nameserver - The top level domain server (TLD) can be thought of as a specific aisle of books in a library. This nameserver is the next step in the search for a specific IP address, and it hosts the last area of a hostname (In zsec.uk, the TLD server is “uk”).

  4. Authoritative nameserver - This final nameserver can be thought of as a dictionary on a rack of books, in which a specific name can be translated into its definition. The authoritative nameserver is the last stop in the nameserver query. If the authoritative name server has access to the requested record, it will return the IP address for the requested hostname back to the DNS Recursor (the librarian) that made the initial request.

Different Record Types

Now that we're all on the same page as to how DNS works and what it is, next up is the different types of record. Basically when you do a DNS lookup, normally your browser will be looking for an IP address to render a site however DNS is much more feature rich. It has other types of records that can be returned based on the type of lookup.

There are a few different types of DNS record, a quick overview of each is explained in the list below.

There are many more DNS records but the above are the most commonly used or referred to.

Facilitating Attacks with DNS

Now that you know how this all works, next I'll touch on some of the attacks and info that an attacker can gain from DNS enumeration.

DNS Enumeration

There are a few techniques that can be leveraged to use DNS as a reconnaicence tool, these are detailed below. While these are not exploits, they leverage functionality for malicious purposes.

Zone Transfers

A zone transfer is a method that an administrator can leverage to replicate DNS databases across a group of DNS servers. The actual method for a zone transfer is perfectly fine between DNS servers as it is intended to share zones information, they can leak a lot of information that would otherwise not be available to an attacker.

While DNS records are not sensitive individually, if an attacker manages to obtain a copy of the entire DNS zone for a domain they can proceed to obtain a complete listing of all the hosts associated on that particular zone and thus leverage this to find interesting looking sub domains.

Subdomains

Subdomain enumeration outside of a zone transfer can be achieved by querying a DNS resolver with a list of names, if the name is valid the resolver will show an associated DNS record. Subdomain enumeration is an essential part of conducting recon. Attackers typically map out the digital footprint of the target in order to find weak spots such as interesting domain names, or records pointing to internal hostnames which could be leveraged for accessing an internal network.

Attacking Different Records

There are a multitude of different attacks that can be carried out against speciifc DNS records, ranging from subdomain takeovers through to commmand and control over DNS. Threat actors and attackers are always looking for different new methods for attacks. A few examples of attack types include:

There are many other attacks and techniques that leverage DNS and new ones are being discovered all the time.

Hopefully the above guide has been a handy reference point for anyone learning about the differences in records and other attacks. Part 2 of this post will follow soon, which dives into SPF, DKIM and DMARC. Similar to the bottom part of this post, the next post will explain what they are and how attacks can be facilitated.

Andy Gill

Published a month ago

Subscribe to our newsletter

Recieve news directly to your email.

ZeroSec - Adventures In Information Security © 2019.