Hello world, and welcome to HaXeZ. Today I want to talk about the Domain Name System (DNS). I know, I know, most of you probably already know how DNS works. However, I’m going to be writing an article soon about Firewall Evasion and Data Exfiltration through DNS Tunnelling and I needed to brush up on my DNS knowledge. Never wanting to waste an opportunity, I thought it would make for a good blog post and video so here we are.
What Is The Domain Name System?
The Domain Name System, or DNS, is a hierarchical system for translating human-readable names into IP addresses. It relies on nameservers at various levels of that hierarchy. A nameserver is a server that holds records for domains, whether they are top-level domains (TLDs) or fully qualified domain names (FQDNs). At the very top of the hierarchy are the root servers, which hold the DNS records for the top-level domains. This information is stored in something called a zone file. You can request a DNS zone transfer with many tools; the example below uses Nmap.
sudo nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=zonetransfer.me -p53 nsztm1.digi.ninja
The zone file contains entries such as the nameservers for the top-level domains. Underneath the root nameservers are the top-level domain nameservers. The same principle applies here: the top-level domain nameservers hold the records that point to the nameservers of the fully qualified domains registered beneath them. At the bottom of the hierarchy are the domain’s authoritative nameservers, which contain records such as A, MX, NS, TXT, and many others.
If we look at the web address haxez.org we can see that it has multiple sections. You may not know about the first section, as it doesn’t tend to be represented by anything. In some cases it is represented by a full stop, but most Domain Name System nameservers don’t require the trailing full stop in order to work. The full stop comes at the end of the ‘.ORG’ section and signifies the root of the hierarchy, which is served by the root nameservers. Root nameservers hold the IP addresses of the top-level domain (TLD) nameservers (COM, NET, ORG). The ‘ORG’ section of the address is a top-level domain. The ‘haxez’ portion of the address is the domain. Anything that comes before haxez.org is a subdomain. For example, in www.haxez.org, www is the subdomain and haxez is the fully qualified domain.
How Does The Domain Name System Work?
When you type a URL into your browser a number of things happen. Using various online resources I’ve broken it down into 10 steps. I’ve simplified the process; there is a lot more going on, such as caching, virtual host magic, TCP handshakes, and GET requests.
- The client queries the DNS resolver for the location of the domain name.
- The DNS resolver queries a root nameserver for the location of the top-level domain (.COM, .ORG, .CO.UK, .NET) nameserver.
- The root nameserver responds to the DNS resolver with the IP address of the top-level domain nameserver.
- The DNS resolver then queries the top-level domain nameserver for the location of the domain’s authoritative nameserver.
- The top-level domain nameserver tells the DNS resolver the IP address of the authoritative nameserver.
- The DNS resolver then queries the authoritative nameserver for the IP address of the domain.
- The authoritative nameserver tells the DNS resolver the IP address of the domain.
- The DNS resolver responds to the client with the IP address of the domain.
- The client then sends its request to the target IP address.
- The target then responds with the information the client requested.
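To make steps 2 to 7 concrete without touching the network, here is an added Python model of the iterative walk. It is not code from the original post: three constructed in-memory nameservers stand in for a root server, two TLD servers and an authoritative server, and the resolver follows each referral to the next server exactly as the list above describes. Hostnames under .example and every 192.0.2.x address are made up (TEST-NET-1), and a.gtld-servers.net is used only as the label for the pretend .com server. It goes one step beyond the list by also handling a delegation that arrives without a glue address, where the resolver has to go back to the root and look up the nameserver's own address before it can continue.

```python
"""Offline model of iterative DNS resolution (added example, not from the post).

The servers below are constructed stand-ins; no packets are sent anywhere.
"""
from dataclasses import dataclass, field

ROOT_HINT = "192.0.2.1"  # constructed: where the resolver's root hints point


@dataclass
class Response:
    """The three reply sections that matter when following referrals."""
    answer: dict = field(default_factory=dict)      # qname -> A address
    authority: list = field(default_factory=list)   # NS hostnames for the child zone
    additional: dict = field(default_factory=dict)  # glue: NS hostname -> A address


# Constructed zone data, keyed by the (made-up) address of the server holding it.
SERVERS = {
    # Root server: knows only the delegations for the top-level domains.
    "192.0.2.1": {
        "records": {},
        "delegations": {
            "com.": (["a.gtld-servers.net."], {"a.gtld-servers.net.": "192.0.2.2"}),
            "org.": (["tld.org.example."], {"tld.org.example.": "192.0.2.3"}),
        },
    },
    # .com TLD server: delegates example.com. and supplies glue for its nameserver.
    "192.0.2.2": {
        "records": {},
        "delegations": {"example.com.": (["ns.example.com."], {"ns.example.com.": "192.0.2.10"})},
    },
    # .org TLD server: delegates example.org. to an out-of-zone nameserver with NO glue.
    "192.0.2.3": {
        "records": {},
        "delegations": {"example.org.": (["ns.example.com."], {})},
    },
    # Authoritative server for both example.com. and example.org.
    "192.0.2.10": {
        "records": {
            "ns.example.com.": "192.0.2.10",
            "www.example.com.": "192.0.2.80",
            "www.example.org.": "192.0.2.81",
        },
        "delegations": {},
    },
}


def query(server_ip, qname):
    """One question to one server, answered from that server's own data only."""
    server = SERVERS[server_ip]
    if qname in server["records"]:
        return Response(answer={qname: server["records"][qname]})
    # Otherwise refer the client to the most specific child zone enclosing qname.
    for child in sorted(server["delegations"], key=len, reverse=True):
        if qname == child or qname.endswith("." + child):
            ns_names, glue = server["delegations"][child]
            return Response(authority=list(ns_names), additional=dict(glue))
    return Response()  # this server knows nothing about qname


def resolve(qname, start=ROOT_HINT, depth=0, trace=None):
    """Follow referrals from the root until some server returns an A record.

    Returns (address, trace); trace lists every (server, question) sent, so the
    caller can match each entry to the numbered steps in the post.
    """
    if depth > 5:
        raise LookupError("nameserver lookup chain too deep (possible loop)")
    trace = [] if trace is None else trace
    server_ip = start
    for _ in range(10):  # bound the number of referrals we are willing to follow
        trace.append((server_ip, qname))
        resp = query(server_ip, qname)
        if qname in resp.answer:
            return resp.answer[qname], trace
        if not resp.authority:
            raise LookupError(f"{qname}: no answer and no referral from {server_ip}")
        ns = resp.authority[0]
        if ns in resp.additional:
            server_ip = resp.additional[ns]  # glue record: go straight to the child NS
        else:
            # Glueless delegation: first resolve the nameserver's own address,
            # starting again at the root, before we can ask it anything.
            server_ip, _ = resolve(ns, ROOT_HINT, depth + 1, trace)
    raise LookupError(f"{qname}: too many referrals")


if __name__ == "__main__":
    for name in ("www.example.com.", "www.example.org."):
        address, steps = resolve(name)
        print(f"{name} -> {address}")
        for server, question in steps:
            print(f"   asked {server} for {question}")
```

Running it prints the trace for both names: www.example.com. takes three questions (root, .com, authoritative), while www.example.org. takes six because the glueless referral forces a second walk from the root just to learn where ns.example.com. lives. A real resolver would cache the intermediate answers so that the next lookup under .com or .org skips the root entirely.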
Let’s start at the top! Using the tool nslookup we can query the root nameservers. We set the query type to NS (nameserver) and then enter a full stop on its own to specify the root. As you can see from the output below, nslookup returns all the root server nameservers.
┌─[joe@Parrot]─[~]
└──╼ $nslookup
> set type=ns
> .
Server:         192.168.0.1
Address:        192.168.0.1#53

Non-authoritative answer:
.       nameserver = c.root-servers.net.
.       nameserver = d.root-servers.net.
.       nameserver = e.root-servers.net.
.       nameserver = f.root-servers.net.
.       nameserver = g.root-servers.net.
.       nameserver = h.root-servers.net.
.       nameserver = i.root-servers.net.
.       nameserver = j.root-servers.net.
.       nameserver = k.root-servers.net.
.       nameserver = l.root-servers.net.
.       nameserver = m.root-servers.net.
.       nameserver = a.root-servers.net.
.       nameserver = b.root-servers.net.

Authoritative answers can be found from:
In order to query the root nameservers directly, we need to find out what their IP addresses are. To do that we set the query type to A. An A record maps a hostname to an IPv4 address.
> set type=a
> a.root-servers.net
Server:         192.168.0.1
Address:        192.168.0.1#53

Non-authoritative answer:
Name:   a.root-servers.net
Address: 220.127.116.11
Next, we need to find the nameservers of the top-level domain. To do that, we first set our server to the IP address we just obtained from the A record query. Then we set the query type to NS and query the “.COM” top-level domain, making sure to put a full stop after it.
> server 18.104.22.168
Default server: 22.214.171.124
Address: 126.96.36.199#53
> set type=ns
> com.
;; Truncated, retrying in TCP mode.
Server:         188.8.131.52
Address:        184.108.40.206#53

Non-authoritative answer:
*** Can't find com.: No answer

Authoritative answers can be found from:
com     nameserver = e.gtld-servers.net.
com     nameserver = b.gtld-servers.net.
com     nameserver = j.gtld-servers.net.
com     nameserver = m.gtld-servers.net.
com     nameserver = i.gtld-servers.net.
com     nameserver = f.gtld-servers.net.
com     nameserver = a.gtld-servers.net.
com     nameserver = g.gtld-servers.net.
com     nameserver = h.gtld-servers.net.
com     nameserver = l.gtld-servers.net.
com     nameserver = k.gtld-servers.net.
com     nameserver = c.gtld-servers.net.
com     nameserver = d.gtld-servers.net.
e.gtld-servers.net      internet address = 220.127.116.11
e.gtld-servers.net      has AAAA address 2001:502:1ca1::30
b.gtld-servers.net      internet address = 18.104.22.168
b.gtld-servers.net      has AAAA address 2001:503:231d::2:30
j.gtld-servers.net      internet address = 22.214.171.124
j.gtld-servers.net      has AAAA address 2001:502:7094::30
m.gtld-servers.net      internet address = 126.96.36.199
m.gtld-servers.net      has AAAA address 2001:501:b1f9::30
i.gtld-servers.net      internet address = 188.8.131.52
i.gtld-servers.net      has AAAA address 2001:503:39c1::30
f.gtld-servers.net      internet address = 184.108.40.206
f.gtld-servers.net      has AAAA address 2001:503:d414::30
a.gtld-servers.net      internet address = 220.127.116.11
a.gtld-servers.net      has AAAA address 2001:503:a83e::2:30
g.gtld-servers.net      internet address = 18.104.22.168
g.gtld-servers.net      has AAAA address 2001:503:eea3::30
h.gtld-servers.net      internet address = 22.214.171.124
h.gtld-servers.net      has AAAA address 2001:502:8cc::30
l.gtld-servers.net      internet address = 126.96.36.199
l.gtld-servers.net      has AAAA address 2001:500:d937::30
k.gtld-servers.net      internet address = 188.8.131.52
k.gtld-servers.net      has AAAA address 2001:503:d2d::30
c.gtld-servers.net      internet address = 184.108.40.206
c.gtld-servers.net      has AAAA address 2001:503:83eb::30
d.gtld-servers.net      internet address = 220.127.116.11
d.gtld-servers.net      has AAAA address 2001:500:856e::30
We get a lot of results, but we can set any of these as our server in order to query it for a specific domain’s nameservers. Set the server to one of the IP addresses listed above and set the type to NS again. Then choose a domain and punch it in to find its nameservers.
> server 18.104.22.168
Default server: 22.214.171.124
Address: 126.96.36.199#53
> set type=ns
> google.com.
Server:         188.8.131.52
Address:        184.108.40.206#53

Non-authoritative answer:
*** Can't find google.com.: No answer

Authoritative answers can be found from:
google.com      nameserver = ns2.google.com.
google.com      nameserver = ns1.google.com.
google.com      nameserver = ns3.google.com.
google.com      nameserver = ns4.google.com.
ns2.google.com  has AAAA address 2001:4860:4802:34::a
ns2.google.com  internet address = 220.127.116.11
ns1.google.com  has AAAA address 2001:4860:4802:32::a
ns1.google.com  internet address = 18.104.22.168
ns3.google.com  has AAAA address 2001:4860:4802:36::a
ns3.google.com  internet address = 22.214.171.124
ns4.google.com  has AAAA address 2001:4860:4802:38::a
ns4.google.com  internet address = 126.96.36.199
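The reason nslookup prints "Can't find google.com.: No answer" and then lists nameservers under "Authoritative answers can be found from:" is visible in the reply's wire format: a TLD server responds with an empty ANSWER section, NS records in the AUTHORITY section and glue A records in the ADDITIONAL section. The Python below is an added example, not part of the original post: it assembles such a referral message by hand (the 192.0.2.53 and 192.0.2.54 glue addresses are constructed, not Google's real ones) and then parses it, including the name-compression pointers DNS uses to avoid repeating "google.com" in every record.

```python
"""Build and parse a DNS referral reply (constructed example, not from the post)."""
import socket
import struct

TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1


def build_referral():
    """Assemble the reply a TLD server gives to 'google.com. NS?': no answer
    records, two NS records in AUTHORITY, two glue A records in ADDITIONAL.
    The 192.0.2.x glue addresses are constructed (TEST-NET-1), not Google's."""
    # Header: id, flags (QR=1, RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=2, ARCOUNT=2
    msg = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 2, 2)
    msg += b"\x06google\x03com\x00" + struct.pack("!HH", TYPE_NS, CLASS_IN)
    ptr_qname = b"\xc0\x0c"  # compression pointer to "google.com" at offset 12
    rdata_offsets = []
    for label in (b"ns1", b"ns2"):
        rdata = bytes([len(label)]) + label + ptr_qname   # "ns1" + pointer = ns1.google.com
        rr = ptr_qname + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 172800, len(rdata))
        rdata_offsets.append(len(msg) + len(rr))          # remember where that NS name sits
        msg += rr + rdata
    for off, ip in zip(rdata_offsets, ("192.0.2.53", "192.0.2.54")):
        owner = struct.pack("!H", 0xC000 | off)            # glue owner points back at the NS name
        msg += owner + struct.pack("!HHIH", TYPE_A, CLASS_IN, 172800, 4) + socket.inet_aton(ip)
    return msg


def read_name(msg, off):
    """Decode the name at msg[off], following compression pointers.
    Returns (dotted name, offset just past the name as it appears in place)."""
    labels, resume = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if pointer >= off:  # a pointer may only refer backwards; forward ones could loop us
                raise ValueError("compression pointer does not point backwards")
            if resume is None:
                resume = off + 2  # the in-place name ends right after its first pointer
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (resume if resume is not None else off)


def read_rr(msg, off):
    """Decode one resource record; returns ((owner, type, ttl, rdata), next_offset)."""
    owner, off = read_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype == TYPE_NS:
        rdata = read_name(msg, off)[0]            # NS rdata is itself a (compressible) name
    elif rtype == TYPE_A and rdlen == 4:
        rdata = socket.inet_ntoa(msg[off:off + 4])
    else:
        rdata = msg[off:off + rdlen]
    return (owner, rtype, ttl, rdata), off + rdlen


def parse_message(msg):
    """Split a reply into its answer, authority and additional sections."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not (flags & 0x8000):
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):                # skip the echoed question(s): name + type + class
        off = read_name(msg, off)[1] + 4
    sections = {"answer": [], "authority": [], "additional": []}
    for name, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rr, off = read_rr(msg, off)
            sections[name].append(rr)
    return sections


def referral_targets(sections):
    """Map each NS hostname in AUTHORITY to its glue address (None when no glue)."""
    glue = {owner: rdata for owner, rtype, _, rdata in sections["additional"] if rtype == TYPE_A}
    return {rdata: glue.get(rdata) for _, rtype, _, rdata in sections["authority"] if rtype == TYPE_NS}


if __name__ == "__main__":
    sections = parse_message(build_referral())
    print("answer section empty:", not sections["answer"])  # why nslookup says "No answer"
    for ns, addr in referral_targets(sections).items():
        print(f"referred to {ns} via glue {addr}")
```

The empty answer section is what nslookup reports as "No answer"; everything it prints after "Authoritative answers can be found from:" is the authority and additional sections. The parser refuses compression pointers that point forward rather than backward, which is the one check that keeps a malformed message from sending a naive name decoder into an endless loop.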
Finally, we can set our server to one of Google’s nameservers and query it for A records such as mail. This could of course be scripted to run through each of these steps automatically and perform a subdomain brute force attack against the servers. I believe there is already a tool called Fierce that does exactly that.
> server 188.8.131.52
Default server: 184.108.40.206
Address: 220.127.116.11#53
> set type=a
> mail.google.com.
Server:         18.104.22.168
Address:        22.214.171.124#53

Name:   mail.google.com
Address: 126.96.36.199
I know this isn’t hacking but it’s essential to have a good understanding of the technologies that make the internet and the world wide web possible. There is a lot more to DNS than I’ve covered here. I haven’t discussed the various record types like MX, TXT, and CNAME that can be added to a zone file. I haven’t talked about propagation and caching.
DNS is such a fascinating subject to study because the problem is always DNS. Joking aside, without DNS we would have to remember the IP addresses of every website we wanted to visit. Oh, and those root servers at the top of the tree: if they go down, then so does the internet. No more name resolution means anything that has been developed with resources being pulled via domain names will no longer work. It’s a terrifying prospect, especially with all the recent talk of cyber armageddon from the World Economic Forum. If someone with a zero-day were to get into those root servers and mess up the zone files, it would cause chaos. Hopefully, there is some hidden redundancy and backups to mitigate that possibility. Those 13 nameservers are the unsung heroes of the internet and to them I say, thank you. Keep computing away, you absolute legends.