🛡️ Methodology Checklist
- Banner grab and version: nmap -p 53 --script dns-nsid [TARGET]
- Zone transfer attempt: dig axfr [DOMAIN] @[TARGET]
- ANY record (many servers now answer ANY with a minimal response, so an empty result is not conclusive): dig ANY [DOMAIN] @[TARGET]
- Subdomain brute-force via target: fierce --domain [DOMAIN] --dns-servers [TARGET]
- DNS cache snooping (non-recursive query; an answer means the record is already in the server's cache): dig @[TARGET] [DOMAIN] A +norecurse
- Check for CVE-2020-1350 (SIGRed) if Windows DNS
- dnscmd injection (if DnsAdmins): see AD_Privileged_Access
🎯 Operational Context
Use when: DNS service is exposed — attempt zone transfers, cache poisoning, subdomain enumeration, and DNS amplification misconfiguration checks.
Think Dumber First: Try zone transfer first — it takes 5 seconds and some admins forget to restrict AXFR. dig axfr @[NAMESERVER] [DOMAIN] — if it works you get the entire zone file.
Skip when: DNS is only visible internally and you already have internal access with a better pivot.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| sudo nmap -p53 -Pn -sV -sC [TARGET_IP] | DNS service version scan |
| dig AXFR @[NAMESERVER_IP] [DOMAIN] | Attempt zone transfer for full DNS dump |
| dig axfr @[TARGET_IP] hr.[DOMAIN] | Zone transfer against a specific subdomain zone |
| fierce --domain [DOMAIN] | Automated zone transfer + subdomain enumeration |
| ./subfinder -d [DOMAIN] -v | Public subdomain enumeration (OSINT sources) |
| echo "[NS_IP]" > resolvers.txt | Create resolver file for subbrute |
| ./subbrute.py [DOMAIN] -s names.txt -r resolvers.txt | Internal subdomain brute-force with custom resolver |
| host [SUBDOMAIN] | Check CNAME and identify a dangling record |
| dig [SUBDOMAIN] CNAME | Check CNAME record for subdomain |
🔬 Deep Dive & Workflow
Ettercap DNS spoof (local MITM):
- Edit /etc/ettercap/etter.dns and add: inlanefreight.com A [LHOST]
- Ettercap → Hosts → Scan for Hosts
- Add victim → Target 1, gateway → Target 2
- Plugins → Manage Plugins → activate dns_spoof
DNS Zone Transfer (AXFR) — Unauthenticated DB Dump
A misconfigured DNS server with no IP-based filtering allows any host to pull its entire zone database:
dig AXFR @ns1.inlanefreight.htb inlanefreight.htb
Output reveals all A/CNAME/MX/TXT records in the zone: internal hostnames, mail servers, staging environments.
Sub-zone transfer trick: The apex zone may block AXFR while a delegated subdomain zone does not (each zone has its own transfer ACL). Enumerate subdomains first, then attempt AXFR on each one that has its own NS records:
dig axfr @[TARGET_IP] hr.inlanefreight.htb
dig axfr @[TARGET_IP] dev.inlanefreight.htb
Subdomain Enumeration Strategy
| Context | Tool | Method |
|---|---|---|
| External OSINT | subfinder | Scrapes DNSDumpster, VirusTotal, crt.sh |
| Internal pivot (no internet) | subbrute.py | Wordlist against internal nameserver |
| Automated + zone transfer | fierce | Combines both |
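Putting the zone-transfer checks and the enumeration table together, here is an added example (not part of the original page, and not any tool's own code) that sweeps every authoritative nameserver for an open AXFR and then retries the sub-zones you enumerated. inlanefreight.htb and the hr./dev. sub-zones are illustrative names; the classifier works on dig's text output, so it needs nothing beyond dig, awk and grep.

```shell
#!/bin/sh
# Added example (not from the original page): sweep every authoritative
# nameserver for an open AXFR, then retry the sub-zones you enumerated.
# inlanefreight.htb and the hr./dev. sub-zones are illustrative names.

# Classify raw `dig axfr` output read from stdin. A real transfer is
# bracketed by the zone's SOA record (first and last RR), so two SOA
# lines plus at least one more RR means success. Prints "OK <rr count>"
# or "FAIL <reason>"; the exit status follows the verdict.
axfr_classify() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        printf 'FAIL refused\n'; return 1
    fi
    if printf '%s\n' "$out" | grep -Eq 'connection timed out|no servers could be reached'; then
        printf 'FAIL unreachable\n'; return 1
    fi
    # RR lines look like "<owner> <ttl> IN <type> <rdata...>"; lines starting
    # with ';' are dig commentary and are dropped before counting.
    soa=$(printf '%s\n' "$out" | grep -v '^;' | awk '$3=="IN" && $4=="SOA" {n++} END {print n+0}')
    rrs=$(printf '%s\n' "$out" | grep -v '^;' | awk 'NF>=5 && $3=="IN" {n++} END {print n+0}')
    if [ "$soa" -ge 2 ] && [ "$rrs" -gt 2 ]; then
        printf 'OK %s\n' "$rrs"; return 0
    fi
    printf 'FAIL no-zone\n'; return 1
}

# Pull the host-bearing records out of a successful transfer as
# "<owner> <type> <target>"; NS owners other than the apex are the
# delegated sub-zones worth retrying with axfr_sweep.
axfr_hosts() {
    grep -v '^;' | awk '$3=="IN" && ($4=="A"||$4=="AAAA"||$4=="CNAME"||$4=="MX"||$4=="NS") {print $1, $4, $NF}'
}

# Live sweep: every NS of the domain, against the apex and each candidate
# sub-zone passed as an extra argument (from subfinder/subbrute/fierce).
axfr_sweep() {
    domain=$1; shift
    for ns in $(dig +short NS "$domain"); do
        for zone in "$domain" "$@"; do
            verdict=$(dig axfr "$zone" "@$ns" | axfr_classify)
            printf '%-28s %-28s %s\n' "$zone" "$ns" "$verdict"
        done
    done
}

# Usage: sh axfr_sweep.sh inlanefreight.htb hr.inlanefreight.htb dev.inlanefreight.htb
if [ "$#" -gt 0 ]; then
    axfr_sweep "$@"
fi
```

The sweep prints one line per (zone, nameserver) pair, so a secondary that still accepts AXFR while the primary refuses shows up immediately; pipe a successful transfer through axfr_hosts to harvest the delegated sub-zones and feed them back in as arguments.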
For subbrute on an internal network:
echo "ns1.inlanefreight.com" > resolvers.txt
./subbrute.py inlanefreight.com -s names.txt -r resolvers.txt
Subdomain Takeover
When a subdomain CNAME points to a third-party service (AWS S3, GitHub Pages, Heroku) that no longer exists, an attacker can register that resource and take control of the subdomain.
Detection:
host support.inlanefreight.com
# → support.inlanefreight.com is an alias for inlanefreight.s3.amazonaws.com
Visit the URL. If it returns NoSuchBucket, the bucket name is unclaimed and the subdomain may be claimable. NoSuchKey means the bucket exists (someone owns it) and only the requested object is missing, so that is not a takeover. A generic 404 needs the service-specific check below before you call it claimable.
Impact: Victims see attacker content on an “official” domain — enables phishing, cookie theft, CSRF, CSP bypass.
Reference: can-i-take-over-xyz GitHub repo for service-specific takeover verification steps.
Mitigation: Remove DNS records immediately upon canceling any third-party service. Audit CNAMEs regularly.
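A scripted version of the detection above, added here as an example and not taken from the page or from the can-i-take-over-xyz project. The provider fingerprint strings (NoSuchBucket for S3, the "no site here" text for GitHub Pages, "No such app" for Heroku) are the commonly documented ones and are assumptions to re-verify against that repo before reporting; the hostnames are illustrative.

```shell
#!/bin/sh
# Added example (not from the original page): triage a CNAME for subdomain
# takeover. Fingerprint strings are assumptions taken from common takeover
# references and should be re-verified per provider; hostnames illustrative.

# Map a CNAME target to the response body string the provider returns when
# the referenced resource does not exist (i.e. could be registered by us).
# Exit 1 when the target is not a known takeover-prone service.
takeover_fingerprint() {
    case "$1" in
        *.s3.amazonaws.com|*.s3-website*.amazonaws.com) printf '%s' 'NoSuchBucket' ;;
        *.github.io)      printf '%s' "There isn't a GitHub Pages site here" ;;
        *.herokuapp.com)  printf '%s' 'No such app' ;;
        *) return 1 ;;
    esac
}

# Decide on one subdomain given its CNAME target and the HTTP body served
# when browsing to it. Verdicts:
#   CANDIDATE (exit 0): known provider AND the "does not exist" fingerprint is present
#   OK        (exit 1): known provider but the resource answers (e.g. S3 NoSuchKey: bucket exists)
#   SKIP      (exit 2): provider not in the fingerprint table; verify by hand
assess_takeover() {
    sub=$1; cname=${2%.}; body=$3      # dig appends a trailing dot to CNAME targets
    if ! fp=$(takeover_fingerprint "$cname"); then
        printf 'SKIP %s -> %s (no fingerprint for this provider)\n' "$sub" "$cname"
        return 2
    fi
    case "$body" in
        *"$fp"*) printf 'CANDIDATE %s -> %s (%s)\n' "$sub" "$cname" "$fp"; return 0 ;;
        *)       printf 'OK %s -> %s (resource answers)\n' "$sub" "$cname"; return 1 ;;
    esac
}

# Live check for one subdomain: resolve the CNAME, fetch the page, assess.
check_takeover() {
    sub=$1
    cname=$(dig +short CNAME "$sub" | head -n 1)
    if [ -z "$cname" ]; then
        printf 'NONE %s (no CNAME)\n' "$sub"; return 3
    fi
    body=$(curl -s -L --max-time 10 "http://$sub/" || true)
    assess_takeover "$sub" "$cname" "$body"
}

# Usage: sh takeover_check.sh support.inlanefreight.com dev.inlanefreight.com
for s in "$@"; do check_takeover "$s"; done
```

Feed it the subdomain list from subfinder or the zone transfer; only CANDIDATE lines are worth a manual claim attempt, and SKIP lines point you at providers still missing from the fingerprint table.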
DNS Spoofing (Local MITM)
On a network where you can ARP poison (same subnet), Ettercap’s dns_spoof plugin intercepts DNS queries and returns attacker-controlled IPs:
/etc/ettercap/etter.dns:
inlanefreight.com A [LHOST]
*.inlanefreight.com A [LHOST]
This redirects all DNS resolutions for the domain to your machine — useful for credential capture or serving malicious content.
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Zone transfer returns ‘Transfer failed’ | AXFR restricted to specific IPs | Try secondary nameserver; check if any NS accepts AXFR: dig NS [DOMAIN] then test each |
| dnsenum/dnsrecon returns no additional records | Zone transfer blocked | Fall back to subdomain brute: gobuster dns -d [DOMAIN] -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt |
| dig returns SERVFAIL | Queried server is a recursive resolver (or otherwise cannot serve the zone), not the zone's authoritative server | Query an authoritative NS directly: dig NS [DOMAIN] to list them, then dig axfr @[AUTH_NS] [DOMAIN] against each |
| DNS rebinding attack not viable | Target not a browser-based app | DNS rebinding requires browser interaction; use for web app testing only |
| Fierce scan too slow | DNS brute taking too long | Use massdns for high-speed resolution: massdns -r resolvers.txt -t A -o S wordlist.txt |
📝 Reporting Trigger
Finding Title: DNS Zone Transfer Permitted — Full Zone Data Exposed
Impact: Successful AXFR zone transfer exposes all internal hostnames, IP addresses, and mail server configurations, providing complete network topology for targeted exploitation without any active scanning.
Root Cause: DNS server configured to allow unrestricted AXFR queries from any source IP. Zone transfer not restricted to secondary nameservers.
Recommendation: Restrict AXFR to authorized secondary nameserver IPs via ACL. Audit all authoritative nameservers for transfer restrictions. Implement DNS monitoring to alert on zone transfer attempts.