
DNS Verification Cheat Sheet

August 9, 2022

After you have set up your DNS server, it is very important to check that the entries published to the Internet are correct.

You can work through the following checklist with nslookup.

Start nslookup and point it at the DNS server you want to check

nslookup
> server 193.247.121.196
Default Server: rabbit.akadia.ch
Address: 193.247.121.196

Check – Start of Authority (SOA)

> set q=SOA
> akadia.com
Server: rabbit.akadia.ch
Address: 193.247.121.196

akadia.com
origin = rabbit.akadia.com
mail addr = postmaster.akadia.com
serial = 2000061501
refresh = 10800 (3H)
retry = 3600 (1H)
expire = 604800 (1W)
minimum ttl = 86400 (1D)
akadia.com nameserver = rabbit.akadia.com
akadia.com nameserver = lila.thenet.ch
rabbit.akadia.com internet address = 193.247.121.196
lila.thenet.ch internet address = 193.135.252.2

Check the Nameservers (NS)

> set q=NS
> akadia.com

Server: rabbit.akadia.ch
Address: 193.247.121.196

akadia.com nameserver = lila.thenet.ch
akadia.com nameserver = rabbit.akadia.com
lila.thenet.ch internet address = 193.135.252.2
rabbit.akadia.com internet address = 193.247.121.196
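A way to automate the SOA and NS checks above, as an added example that is not part of the original cheat sheet: the script parses nslookup answers (the sample text is the SOA answer shown on this page, plus a constructed copy with an older serial standing in for a secondary that has not yet pulled the zone), applies the RFC 1912 timer recommendations, and compares the serial and NS set across servers. The thresholds and the function names are my own choices, not something the page defines.

```python
import re

# Thresholds follow RFC 1912 section 2.2 (assumption: the page states none of its own).
MIN_EXPIRE = 14 * 86400        # expire should be 2 to 4 weeks
MAX_MINIMUM_TTL = 7 * 86400    # negative-cache TTL above a week is unusual

# The nslookup SOA answer shown on the page, used here as sample input.
PAGE_SOA = """\
akadia.com
origin = rabbit.akadia.com
mail addr = postmaster.akadia.com
serial = 2000061501
refresh = 10800 (3H)
retry = 3600 (1H)
expire = 604800 (1W)
minimum ttl = 86400 (1D)
akadia.com nameserver = rabbit.akadia.com
akadia.com nameserver = lila.thenet.ch
rabbit.akadia.com internet address = 193.247.121.196
lila.thenet.ch internet address = 193.135.252.2
"""
# Constructed: the same zone as answered by a secondary that has not yet pulled the latest serial.
STALE_SOA = PAGE_SOA.replace("serial = 2000061501", "serial = 2000061402")

FIELD_RE = re.compile(
    r"^\s*(origin|mail addr|serial|refresh|retry|expire|minimum ttl)\s*=\s*(\S+)", re.M)
NS_RE = re.compile(r"^\s*\S+\s+nameserver\s*=\s*(\S+)", re.M)
SERIAL_RE = re.compile(r"(19|20)\d{2}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])\d{2}")


def parse_soa(text):
    """Turn an nslookup 'set q=SOA' answer into a dict of SOA fields plus the NS set."""
    soa = {}
    for key, value in FIELD_RE.findall(text):
        key = key.replace(" ", "_")                     # "mail addr" -> "mail_addr"
        soa[key] = int(value) if value.isdigit() else value.rstrip(".").lower()
    soa["nameservers"] = sorted(ns.rstrip(".").lower() for ns in NS_RE.findall(text))
    return soa


def check_timers(soa):
    """Return RFC 1912 style warnings for one parsed SOA record."""
    warnings = []
    if soa["retry"] >= soa["refresh"]:
        warnings.append("retry should be smaller than refresh")
    if soa["expire"] <= soa["refresh"]:
        warnings.append("expire must exceed refresh or secondaries drop the zone between refreshes")
    elif soa["expire"] < MIN_EXPIRE:
        warnings.append("expire below two weeks: a short primary outage makes secondaries drop the zone")
    if soa["minimum_ttl"] > MAX_MINIMUM_TTL:
        warnings.append("minimum (negative-cache) TTL above one week")
    if not SERIAL_RE.fullmatch(str(soa["serial"])):
        warnings.append("serial is not in YYYYMMDDnn form")
    return warnings


def compare_servers(answers):
    """answers maps server name -> parsed SOA; report serial and NS-set disagreements."""
    problems = []
    serials = {name: a["serial"] for name, a in answers.items()}
    if len(set(serials.values())) > 1:
        problems.append(f"serial mismatch between servers: {serials}")
    ns_sets = {name: tuple(a["nameservers"]) for name, a in answers.items()}
    if len(set(ns_sets.values())) > 1:
        problems.append(f"NS set mismatch between servers: {ns_sets}")
    return problems


if __name__ == "__main__":
    answers = {"rabbit.akadia.ch": parse_soa(PAGE_SOA), "lila.thenet.ch": parse_soa(STALE_SOA)}
    for server, soa in answers.items():
        for w in check_timers(soa):
            print(f"{server}: WARNING {w}")
    for p in compare_servers(answers):
        print(f"CROSS-CHECK: {p}")
```

Run it against the answers from each server listed in the NS record; a serial mismatch that persists for longer than the refresh interval means the secondary is not transferring the zone, which is the first thing to look at before the expire timer drops the zone entirely.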

Check that the name server is listening on port 53 and watch the system log (Unix):

netstat -an
netstat -tulpn | grep :53
# netstat -atve

tail -f /var/log/messages

You can check the zone file syntax and the /etc/named.conf file using the following utilities.

The named-checkconf command is the syntax checker for the named (BIND) configuration file.

# named-checkconf /etc/named.conf

Output:

/etc/named.conf:32: missing ';' before 'zone'

Note: if named-checkconf finds no errors, it prints nothing.

Check zone file syntax for errors with named-checkzone, the zone file validity checking tool. It checks the syntax and integrity of a zone file, performing the same checks as named does when loading a zone, which makes named-checkzone useful for checking zone files before configuring them into a name server.

# named-checkzone localhost /var/named/localhost.zone

OR
# named-checkzone nixcraft.org /var/named/nixcraft.org.zone

Output:

zone nixcraft.org/IN: loaded serial 12

OK

List the IP addresses associated with host names:
# host nixcraft.org
OR
# host www

Output:

www.nixcraft.org has address 192.168.0.6

Perform a zone transfer for a zone using the -l option:
# host -l nixcraft.org

DNS (Domain Name System) is an important component of any reconnaissance or discovery phase of an attack on internet systems. DNS controls routing, but also enumerates all the host URLs on a particular domain.

DNS specifies host names (CNAME and A records), default mail servers (MX records) and other name servers (NS records). DNS normally responds to queries on UDP port 53, however, for large queries such as zone transfers, TCP port 53 is used.

Because DNS is hierarchical it is possible to query a DNS server about records that server may not actually possess. In these cases the request is forwarded to a server that can respond to the query. Because of this indirection, DNS lookups are a form of passive reconnaissance and these queries often escape unnoticed by a target.

The easiest way to collect full DNS data sets about a target URL is to simply perform a zone transfer request. A zone transfer request queries the DNS server for its entire listing of URLs and corresponding IP information.

Zone transfers are somewhat more intensive than normal DNS queries, so multiple concurrent zone transfers may induce a denial of service condition against a target. Note that sometimes your default name server may not allow zone transfers so you might have to send your query to the authoritative name server for a domain.

Queries from Windows

To perform a zone transfer on Windows use the 'nslookup' command. In the following example we'll attempt a zone transfer from wikipedia.org. To start, we'll fire up nslookup from the command prompt, which begins an interactive session:

C:\> nslookup
Default Server: NS1.madirish.net
Address: 10.0.0.5

Once nslookup is started you can type ‘help’ to see all of the commands that are available.

First we’ll set the query type to “any”, meaning that we want to get all records for an associated domain. You could also set the type to “mx” to view mail servers for a domain, or “ns” to view name servers, and so on.

> set type=any

Next we’ll attempt the zone transfer. To do this we’ll utilize the “ls” command with the “-d” flag. You can optionally redirect the output of this command to a file, but for now we’ll just list the output in the console.

> ls -d wikipedia.org
[NS1.madirish.net]
*** Can't list domain wikipedia.org: BAD ERROR VALUE

This error message indicates that our default name server isn’t allowing the zone transfer. To get around this limitation we can query the authoritative name server for wikipedia.org directly. First, however, we’ll have to find out what the authoritative name servers are. To do this we’ll simply query the domain:

> wikipedia.org
Server:  NS1.madirish.net
Address: 10.0.0.5
Non-authoritative answer:
wikipedia.org   internet address = 208.80.152.2
wikipedia.org   nameserver = ns2.wikimedia.org
wikipedia.org   nameserver = ns1.wikimedia.org
wikipedia.org   nameserver = ns0.wikimedia.org
wikipedia.org   nameserver = ns0.wikimedia.org
wikipedia.org   nameserver = ns2.wikimedia.org
wikipedia.org   nameserver = ns1.wikimedia.org
ns0.wikimedia.org       internet address = 208.80.152.130
ns2.wikimedia.org       internet address = 91.198.174.4
ns1.wikimedia.org       internet address = 203.212.189.252

The name servers for wikipedia.org are all listed out. Once we switch the specifications in nslookup so they query the target server directly we can attempt the zone transfer again.

> server ns2.wikimedia.org
Default Server:  ns2.wikimedia.org
Address:  91.198.174.4

> ls -d wikipedia.org

This will spit out a whole long list of records, probably too much to actually view as they’ll scroll by and fill up the command prompt’s buffer. To save these records we can redirect them to a file:

> ls -d wikipedia.org > wikipedia.txt
[ns2.wikimedia.org]
#################
Received 1700 records.

Now we can simply browse to the text file output and browse through the records.

Queries from Linux

On a Linux platform there are several alternatives to nslookup that are also available.

The dig and host commands are both useful for querying DNS records.

To use the host command to attempt a zone transfer use:

$ host -l -v -t any wikipedia.org

The “-l” flag is for list mode, or to request a zone transfer. The “-v” flag is for verbose output.

The “-t any” flag specifies that we want records of any type. This request, however, will fail in the same way as our nslookup if our default server does not allow zone transfers.

In this case we again have to specify that we want to query the wikipedia authoritative server by listing it last, like so:

$ host -a -l wikipedia.org ns2.wikimedia.org

In the preceding query we use the “-a” flag, which is the equivalent of the “-v” and “-t any” flags. The host command is also useful because with the -T flag it will make queries using TCP rather than the default UDP.

Linux platforms may also include the dig command. To perform queries using dig simply use:

$ dig @ns2.wikimedia.org wikipedia.org axfr

DNS Security Concerns

An attacker can use zone transfer lists to enumerate potential targets. Because this information leak can present a security problem, many DNS servers are configured specifically to prohibit zone transfers.

In these cases they will only respond to direct queries for a specific domain name (or record type, such as MX). Zone transfers can be prohibited on most DNS servers, with the exact procedure varying depending on platform.
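The "Can't list domain" refusal in the Windows walkthrough above is what a requester outside the allowed peers should see; on the server side the transfer attempt still lands in the query log. As an added example (not code from the page), this script scans BIND-style query log lines for AXFR/IXFR requests from any address other than the configured secondary (lila.thenet.ch, 193.135.252.2, from the NS answer earlier on the page) and for ANY queries, the record type the enumeration walkthrough sets. The log line shape is the BIND 9 query log format as I know it; the timestamps and client addresses are constructed, and the function name is my own.

```python
import re

# Addresses allowed to pull the zone: the secondary from the page's NS answer.
ALLOWED_TRANSFER_PEERS = {"193.135.252.2"}   # lila.thenet.ch

# Constructed query-log lines in the BIND 9 query log shape (assumption), using the
# page's zone and primary address; the client addresses and times are made up.
SAMPLE_LOG = """\
09-Aug-2022 10:14:02.113 client @0x7f1c5c0a2a60 192.0.2.10#41823 (akadia.com): query: akadia.com IN AXFR +T (193.247.121.196)
09-Aug-2022 10:14:05.770 client @0x7f1c5c0a2a60 193.135.252.2#52110 (akadia.com): query: akadia.com IN AXFR +T (193.247.121.196)
09-Aug-2022 10:14:09.004 client @0x7f1c5c0a2a60 198.51.100.7#60001 (www.akadia.com): query: www.akadia.com IN A +E(0) (193.247.121.196)
09-Aug-2022 10:14:11.221 client @0x7f1c5c0a2a60 198.51.100.7#60002 (akadia.com): query: akadia.com IN ANY +T (193.247.121.196)
"""

LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+) \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)")


def detect_transfer_attempts(log_text, allowed=ALLOWED_TRANSFER_PEERS):
    """Scan query-log text; return findings for zone transfers from unexpected peers
    (severity high) and for ANY queries (severity info)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        qtype = m["qtype"].upper()
        finding = {
            "time": line[:24],
            "src": m["src"],
            "zone": m["name"].rstrip(".").lower(),
            "qtype": qtype,
            "tcp": "T" in m["flags"],   # 'T' in the flags field means the query came over TCP
        }
        if qtype in ("AXFR", "IXFR") and m["src"] not in allowed:
            finding["severity"] = "high"
        elif qtype == "ANY":
            finding["severity"] = "info"
        else:
            continue
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_transfer_attempts(SAMPLE_LOG):
        print(f"{f['severity']:<4} {f['time']} {f['src']} {f['qtype']} {f['zone']} tcp={f['tcp']}")
```

On the sample, the transfer from 193.135.252.2 is silent because it is the listed secondary, while the AXFR from 192.0.2.10 is reported as high and the ANY query as info. Pair the detection with the prohibition the text describes: in BIND that is an allow-transfer statement listing only the secondaries' addresses, so every other requester receives the refusal shown in the walkthrough rather than the zone.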