53 - DNS

Zone Transfer

$ dig axfr @<DNS_IP> #Try zone transfer without domain
$ dig axfr @<DNS_IP> <DOMAIN> #Try zone transfer guessing the domain
$ host -t axfr trick.htb 10.129.37.48 #Syntax: host -t axfr <DOMAIN> <DNS_IP>
$ nslookup -query=AXFR domain.com 127.0.0.1

$ dnsrecon -d active.htb -a -n <IP_DNS>
$ fierce --domain <DOMAIN> --dns-servers <DNS_IP> #Will try to perform a zone transfer against every authoritative name server and, if this doesn't work, will launch a dictionary attack

Reverse lookup

$ nslookup <IP address>
$ dig -x 8.8.8.8
[... snip ...]
8.8.8.8.in-addr.arpa.    300    IN    PTR    dns.google.

$ host 8.8.8.8
8.8.8.8.in-addr.arpa domain name pointer dns.google.

Interesting Files

/etc/host.conf
/etc/resolv.conf
/etc/bind/named.conf
/etc/bind/named.conf.local
/etc/bind/named.conf.options
/etc/bind/named.conf.log
/etc/bind/*
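The zone transfer commands above only succeed when the name server's allow-transfer policy is open. The following is an added example (not from the original page) of what that policy looks like in the BIND named.conf.options / named.conf.local files listed above, with the weak setting next to a restricted one. The zone name example.com, the 192.0.2.x addresses and the file path are constructed placeholders.

```conf
// ---- WEAK: /etc/bind/named.conf.options ----
// allow-transfer { any; } lets every client pull the full zone with
// `dig axfr <DOMAIN> @<DNS_IP>`, disclosing every hostname and record.
options {
    directory "/var/cache/bind";
    allow-transfer { any; };
};

// ---- RESTRICTED: /etc/bind/named.conf.options ----
// Deny transfers globally; grant them per zone to named secondaries only.
acl "secondaries" {
    192.0.2.10;    // constructed: secondary name server 1
    192.0.2.11;    // constructed: secondary name server 2
};

options {
    directory "/var/cache/bind";
    allow-transfer { none; };   // default for every zone unless overridden
    allow-query { any; };       // normal lookups remain open
};

// ---- /etc/bind/named.conf.local ----
zone "example.com" {
    type master;                // BIND 9.16+ also accepts "primary"
    file "/etc/bind/db.example.com";
    allow-transfer { "secondaries"; };      // AXFR/IXFR only from the ACL
    also-notify { 192.0.2.10; 192.0.2.11; };
    notify yes;
};
```

After reloading (`rndc reload`), re-run the same check from an address outside the ACL: `dig axfr example.com @<DNS_IP>` should now end in "Transfer failed." rather than a record listing, and the named log will show a "zone transfer denied" entry for the client, which is also a useful detection signal for unsolicited AXFR attempts. A further step is to sign transfers with a TSIG key (`allow-transfer { key "xfer-key"; };`) so that a spoofed source address alone is not enough.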
