OSINT: DNS

This is the quick-hit version of the Open Source Intelligence (OSINT) training I gave on using data from Domain Name Services (DNS) to profile an organization.  As with all of the formal training, you can use the below for a quick reference, or view the full presentation here.

DNS Record Types

While not comprehensive, the below constitutes a quick reference to the most common record types.  You can specify record types with the “dig” command inline by using this syntax:

dig {DOMAIN} {TYPE}

You can specify record types with the “nslookup” command by setting the type target, using this syntax:

nslookup
> set type={TYPE}

List of DNS record types:

  • A = Address mapping (name -> IPv4)
  • AAAA = Address mapping (name -> IPv6)
  • CNAME = Canonical Name (alias)
  • DNAME = Subtree lookup
  • MX = Mail server
  • NS = Name server (DNS resolution)
  • SOA = Start of Authority (top level domain information)
  • SRV = Generic service record (e.g. instead of MX)
  • TXT = Generic text record (e.g. SPF, DKIM, DMARC, etc)
  • HINFO = Host information (CPU, OS, etc.), but not commonly available
  • CAA = CA Authorization (CAs for a domain)
  • IPSECKEY = An IPSec key J
  • PTR = Address mapping (reverse lookups)
  • DNSSIG = DNSSEC signature
  • NSEC/NSEC3 = DNSSEC Non-existence

Zone Transfers

Using dig:

dig axfr @{DNS_SERVER} {DOMAIN}

Using nslookup:

nslookup
> server {DNS_SERVER}
> set type=any
> ls -d {DOMAIN}

Mail Service Enumeration

Using dig:

dig {DOMAIN} MX
dig {DOMAIN} TXT

Using nslookup:

nslookup
> set type=MX
> {DOMAIN}
> set type=TXT
> {DOMAIN}

Points of Contact

Using dig:

dig {DOMAIN} SOA

Using nslookup:

nslookup
> set type=SOA
> {DOMAIN}

Subnet Enumeration

Using nmap:

#simple#
nmap --script dns-brute {DOMAIN}
#more advanced#
nmap --script dns-brute --script-args dns-brute.domain={DOMAIN},dns-brute.threads={#},dns-brute.hostlist={FILE}

Using dnsrecon:

dnsrecon -d {DOMAIN} -D {FILE} -f -t std

Using theharvester:

theharvester -d {DOMAIN} -b all -n -c -t

Please see the full training for additional information on assessing security postures and third party service providers.  Good hunting!