DNS is one of my favorite sources of information gathering. DNS offers a variety of information about public (and sometimes private!) organization servers, such as IP addresses, server names, and server functions.
Interacting with a DNS Server
A DNS server will usually divulge DNS and mail server information for the domain for which it is authoritative. This is a necessity: resolving a domain's mail server and name server addresses is part of ordinary, everyday internet use, so those records must be answerable by anyone who asks.
You can interact with a DNS server using various DNS clients such as host, nslookup and dig. Let's examine nslookup first. By simply typing nslookup, you are put in an interactive nslookup prompt, and any name you enter is forwarded as a DNS request to the DNS server configured in your TCP/IP settings.
For example:
root@bt:~# nslookup
> www.checkpoint.com
Server: 24.224.127.143
Address: 24.224.127.143#53
Non-authoritative answer:
Name: www.checkpoint.com
Address: 216.200.241.66
>
In this example, you’ve connected to the local DNS server (24.224.127.143) and asked it to resolve the A record for www.checkpoint.com. The DNS server replies with the address 216.200.241.66.
MX Queries
To identify the MX servers (mail exchangers) belonging to an organization, you can simply ask the DNS server to show all the MX records available for that organization's domain:
> set type=mx
> checkpoint.com
Server: 24.224.127.143
Address: 24.224.127.143#53
Non-authoritative answer:
checkpoint.com mail exchanger = 12 cale.checkpoint.com.
checkpoint.com mail exchanger = 15 usmail-as.zonelabs.com.
Authoritative answers can be found from:
checkpoint.com nameserver = ns8.checkpoint.com.
checkpoint.com nameserver = ns6.checkpoint.com.
cale.checkpoint.com internet address = 194.29.32.199
ns6.checkpoint.com internet address = 194.29.32.199
ns8.checkpoint.com internet address = 216.228.148.29
>
Notice the two mail servers that were listed: cale.checkpoint.com and usmail-as.zonelabs.com. Each server has a preference value (often called a "cost") associated with it: 12 and 15, respectively. Sending mail servers try the exchanger with the lowest preference first and fall back to higher values only if it is unreachable. From this you can assume that cale is the primary mail server and that usmail-as.zonelabs.com is a backup in case cale fails.
NS Queries
With a similar query, you can identify all the DNS servers authoritative for a domain:
> set type=ns
> checkpoint.com
Server: 24.224.127.143
Address: 24.224.127.143#53
Non-authoritative answer:
checkpoint.com nameserver = ns8.checkpoint.com.
checkpoint.com nameserver = ns6.checkpoint.com.
Authoritative answers can be found from:
ns6.checkpoint.com internet address = 194.29.32.199
ns8.checkpoint.com internet address = 216.228.148.29
This query identifies two DNS servers serving the checkpoint.com domain: ns6 and ns8. This information can be useful later when you attempt to perform zone transfers.
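As an added example (not part of the original post), here is a small Python script that parses the text nslookup prints for MX and NS queries like the two above and applies the same reasoning: mail exchangers are grouped by preference, the lowest tier is reported as primary and the rest as backup, and any "internet address" lines from the additional section are attached to the hosts they name. The embedded nslookup output is constructed for a hypothetical example.test domain with made-up 192.0.2.x addresses; the function names are my own and the regexes assume the BIND-style nslookup output format shown on this page.

```python
import re

# Constructed sample of what nslookup prints for `set type=mx` followed by a
# domain name. The domain, hosts and 192.0.2.x addresses are made up for this
# example; they are not the servers discussed in the post.
SAMPLE_MX_OUTPUT = """\
Server:         192.0.2.53
Address:        192.0.2.53#53

Non-authoritative answer:
example.test    mail exchanger = 15 backup-mx.example.test.
example.test    mail exchanger = 12 mx1.example.test.
example.test    mail exchanger = 12 mx2.example.test.

Authoritative answers can be found from:
example.test    nameserver = ns1.example.test.
example.test    nameserver = ns2.example.test.
mx1.example.test        internet address = 192.0.2.10
ns1.example.test        internet address = 192.0.2.1
"""

# One pattern per record line nslookup prints. Trailing dots on names are
# stripped afterwards so "mx1.example.test." and "mx1.example.test" compare equal.
MX_RE = re.compile(r"^(\S+)\s+mail exchanger = (\d+)\s+(\S+)$")
NS_RE = re.compile(r"^(\S+)\s+nameserver = (\S+)$")
A_RE = re.compile(r"^(\S+)\s+internet address = (\d{1,3}(?:\.\d{1,3}){3})$")


def parse_nslookup(output):
    """Return {'mx': [(pref, host)], 'ns': [host], 'a': {host: ip}} from nslookup text."""
    records = {"mx": [], "ns": [], "a": {}}
    for raw in output.splitlines():
        line = raw.strip()
        m = MX_RE.match(line)
        if m:
            records["mx"].append((int(m.group(2)), m.group(3).rstrip(".")))
            continue
        m = NS_RE.match(line)
        if m:
            records["ns"].append(m.group(2).rstrip("."))
            continue
        m = A_RE.match(line)
        if m:
            records["a"][m.group(1).rstrip(".")] = m.group(2)
    return records


def rank_mail_servers(mx_records):
    """Group MX hosts by preference, lowest value first.

    Returns a list of (preference, [hosts]) tiers. Hosts in the first tier are
    the primary exchangers (a sender picks among equal preferences at random);
    later tiers are fallbacks tried only when every lower tier is unreachable.
    """
    tiers = {}
    for pref, host in mx_records:
        tiers.setdefault(pref, []).append(host)
    return [(pref, sorted(hosts)) for pref, hosts in sorted(tiers.items())]


def summarize(output):
    """Primary/backup mail servers and name servers as (host, ip-or-None) pairs.

    The IP is only filled in when nslookup printed an "internet address" line
    for that host; otherwise a separate A lookup would be needed.
    """
    rec = parse_nslookup(output)
    tiers = rank_mail_servers(rec["mx"])
    primary = tiers[0][1] if tiers else []
    backup = [h for _, hosts in tiers[1:] for h in hosts]
    return {
        "primary_mx": [(h, rec["a"].get(h)) for h in primary],
        "backup_mx": [(h, rec["a"].get(h)) for h in backup],
        "nameservers": [(h, rec["a"].get(h)) for h in rec["ns"]],
    }


if __name__ == "__main__":
    for key, hosts in summarize(SAMPLE_MX_OUTPUT).items():
        print(key)
        for host, ip in hosts:
            print(f"  {host:<28} {ip or '(address not in reply)'}")
```

Feeding it real nslookup output (for example `nslookup -type=mx yourdomain > out.txt` and then `summarize(open("out.txt").read())`) gives the same primary/backup split the post derives by hand from the preference numbers; the ranking deliberately keeps equal-preference hosts together, since a backup is only the tier with a strictly higher value.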