What is DNS Reconnaissance

Reconnaissance is the search for freely available information to assist in an attack. DNS reconnaissance is part of the information gathering stage of hacking or penetration testing. Before the ethical hacker or pen tester performs the exploit, they attempt to obtain information about the DNS servers and the DNS records. This information gives them a better understanding of the organization's network infrastructure. This type of reconnaissance is unlikely to be noticed, because most organizations and companies do not monitor their DNS traffic. Those that do usually monitor zone transfer attempts only.

DNS Reconnaissance Tools:

There are many free tools that serve the purpose of reconnaissance and allow the hacker or pen tester to gather DNS information efficiently. Below are some of the tools used for DNS reconnaissance:

  1. DNSRecon: this tool is written in Python and was originally shipped with BackTrack, now known as Kali Linux.
  2. NMAP: another great tool that is available in Kali and for download online from https://nmap.org
  3. Maltego: This tool is not free! Maltego is proprietary software used for open-source intelligence and forensics, developed by Paterva. It focuses on providing a library of transforms for the discovery of data from open sources and visualizing that information in a graph format, suitable for link analysis and data mining.
  4. DNSEnum: This tool is a multithreaded Perl script developed to enumerate the DNS information of a domain and to discover non-contiguous IP blocks.
  5. Fierce: another powerful tool that can automatically switch from DNS zone transfer to brute force to Google scraping techniques.

You can also use online tools such as DNSdumpster.com. However, this tool is limited to 100 domains.

DNS Reconnaissance Techniques:

  1. Perform a DNS Zone Transfer: A significant amount of information can be obtained with this technique. However, it is unlikely to work today because of the security controls that organizations are implementing. It's always worth a shot!
  2. Perform a DNS Brute Force: A name list file is provided to the tool. The tool tries to resolve the A, AAAA and CNAME records against the provided domain by trying each entry in the file.
  3. Perform a Reverse Lookup: The tool performs a PTR record lookup for a given IP range or CIDR.
  4. Cache Snooping: useful when the DNS server has a DNS record cached. Such cached records often reveal plenty of information. DNSRecon is one of the tools that support DNS cache snooping.
  5. Zone Walking: uncovers internal records if the zone is not properly configured. The information obtained can help the pen tester or hacker map network hosts by enumerating the contents of a zone.
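Each of the five techniques above leaves a recognisable trace in a DNS server's query log, which is exactly the traffic the article notes most organizations never look at. The following Python script is an added, defender-side example that is not part of the original article or of any of the tools it lists: it parses BIND 9-style query log lines and flags the pattern each technique produces (an AXFR/IXFR request from a non-allowlisted peer, many distinct names under one zone from one client, a PTR sweep across one reverse zone, a burst of non-recursive queries, and repeated NSEC-type queries). The log lines, the thresholds, and the "last two labels" zone heuristic are all constructed for the example and would need tuning against real traffic.

```python
"""Flag DNS reconnaissance patterns in BIND 9-style query logs (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Detection thresholds: constructed for this example, tune for real traffic.
BRUTE_FORCE_DISTINCT_NAMES = 5   # distinct A/AAAA/CNAME names in one zone from one client
PTR_SWEEP_MIN = 4                # PTR lookups in one reverse zone from one client
SNOOP_NONRECURSIVE_MIN = 3       # queries with the RD bit clear from one client
ZONE_WALK_NSEC_MIN = 3           # explicit NSEC/NSEC3/NSEC3PARAM queries from one client

# Constructed sample lines imitating BIND's "queries" log category:
#   client <ip>#<port> (<qname>): query: <qname> IN <qtype> <flags> (<server>)
# In the flags field '+' means the client set RD (recursion desired), '-' means
# it did not, and 'T' marks a TCP query. These are not real log entries.
SAMPLE_LOG = """\
client 198.51.100.7#40111 (example.com): query: example.com IN AXFR +T (192.0.2.53)
client 10.0.0.12#51000 (www.example.com): query: www.example.com IN A + (192.0.2.53)
client 203.0.113.9#33001 (admin.example.com): query: admin.example.com IN A + (192.0.2.53)
client 203.0.113.9#33002 (vpn.example.com): query: vpn.example.com IN A + (192.0.2.53)
client 203.0.113.9#33003 (dev.example.com): query: dev.example.com IN A + (192.0.2.53)
client 203.0.113.9#33004 (staging.example.com): query: staging.example.com IN A + (192.0.2.53)
client 203.0.113.9#33005 (git.example.com): query: git.example.com IN AAAA + (192.0.2.53)
client 203.0.113.20#4001 (10.2.0.192.in-addr.arpa): query: 10.2.0.192.in-addr.arpa IN PTR + (192.0.2.53)
client 203.0.113.20#4002 (11.2.0.192.in-addr.arpa): query: 11.2.0.192.in-addr.arpa IN PTR + (192.0.2.53)
client 203.0.113.20#4003 (12.2.0.192.in-addr.arpa): query: 12.2.0.192.in-addr.arpa IN PTR + (192.0.2.53)
client 203.0.113.20#4004 (13.2.0.192.in-addr.arpa): query: 13.2.0.192.in-addr.arpa IN PTR + (192.0.2.53)
client 203.0.113.44#5001 (bank.example): query: bank.example IN A - (192.0.2.53)
client 203.0.113.44#5002 (vpn.partner.example): query: vpn.partner.example IN A - (192.0.2.53)
client 203.0.113.44#5003 (update.vendor.example): query: update.vendor.example IN A - (192.0.2.53)
client 203.0.113.50#6001 (example.com): query: example.com IN NSEC + (192.0.2.53)
client 203.0.113.50#6002 (a.example.com): query: a.example.com IN NSEC + (192.0.2.53)
client 203.0.113.50#6003 (m.example.com): query: m.example.com IN NSEC + (192.0.2.53)
client 10.0.0.12#51001 (mail.example.com): query: mail.example.com IN MX + (192.0.2.53)
"""

# Tolerates the optional "@0x..." client pointer and optional "(qname):" that
# different BIND 9 versions print.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ (?:\([^)]*\): )?"
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_log(text: str) -> List[dict]:
    """Turn query-log text into a list of {ip, qname, qtype, flags} dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["qname"] = ev["qname"].rstrip(".").lower()
            events.append(ev)
    return events


def zone_of(qname: str) -> str:
    """Crude zone heuristic: the last two labels (fine for the sample, not for real TLD lists)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def detect(events: List[dict], transfer_allowlist=frozenset()) -> List[Tuple[str, str, str]]:
    """Return sorted (technique, client_ip, detail) findings for the five recon patterns."""
    findings = []
    names_per_client_zone: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    ptr_per_client_revzone: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    nonrecursive: Dict[str, int] = defaultdict(int)
    nsec_queries: Dict[str, int] = defaultdict(int)

    for ev in events:
        ip, qname, qtype, flags = ev["ip"], ev["qname"], ev["qtype"], ev["flags"]
        # 1. Zone transfer: any AXFR/IXFR from a peer that is not a known secondary.
        if qtype in ("AXFR", "IXFR") and ip not in transfer_allowlist:
            findings.append(("zone-transfer", ip, f"{qtype} for {qname}"))
        # 3. Reverse sweep: PTR lookups grouped by the parent reverse zone (one /24 here).
        if qtype == "PTR" and qname.endswith(".in-addr.arpa"):
            ptr_per_client_revzone[(ip, qname.split(".", 1)[1])].add(qname)
        # 2. Brute force: many distinct A/AAAA/CNAME names under one zone.
        #    (Query logs show no outcome; pairing with NXDOMAIN response counts is stronger.)
        elif qtype in ("A", "AAAA", "CNAME"):
            names_per_client_zone[(ip, zone_of(qname))].add(qname)
        # 4. Cache snooping: RD bit clear, so the answer can only come from cache.
        if flags.startswith("-"):
            nonrecursive[ip] += 1
        # 5. Zone walking: explicit NSEC-chain queries are a weak but cheap signal.
        if qtype in ("NSEC", "NSEC3", "NSEC3PARAM"):
            nsec_queries[ip] += 1

    for (ip, zone), names in names_per_client_zone.items():
        if len(names) >= BRUTE_FORCE_DISTINCT_NAMES:
            findings.append(("brute-force", ip, f"{len(names)} distinct names in {zone}"))
    for (ip, revzone), names in ptr_per_client_revzone.items():
        if len(names) >= PTR_SWEEP_MIN:
            findings.append(("reverse-sweep", ip, f"{len(names)} PTR lookups in {revzone}"))
    for ip, n in nonrecursive.items():
        if n >= SNOOP_NONRECURSIVE_MIN:
            findings.append(("cache-snooping", ip, f"{n} non-recursive queries"))
    for ip, n in nsec_queries.items():
        if n >= ZONE_WALK_NSEC_MIN:
            findings.append(("zone-walking", ip, f"{n} NSEC-type queries"))
    return sorted(findings)


def summarize(findings: List[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Map each flagged client IP to the set of techniques observed."""
    summary: Dict[str, Set[str]] = defaultdict(set)
    for technique, ip, _ in findings:
        summary[ip].add(technique)
    return dict(summary)


if __name__ == "__main__":
    for technique, ip, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{technique:15} {ip:15} {detail}")
```

Feed `detect` the IPs of your legitimate secondaries in `transfer_allowlist` so routine AXFR from them is not reported; everything else in the sample comes back with exactly one technique per client, and the benign client 10.0.0.12 is not flagged at all. Rotating the sample log for a real BIND query log (enabled with the `queries` logging category) is the only change needed to run it on live data.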

Not all DNS reconnaissance tools support every technique listed above. You might need to use more than one tool to obtain the most complete picture.