Skip to content

Latest commit

 

History

History
103 lines (69 loc) · 2.55 KB

File metadata and controls

103 lines (69 loc) · 2.55 KB

Lab 7 — WHOIS, DNS Recon and Zone Walking

Exam objective: 2.1 Information gathering — DNS lookups, reverse DNS; 2.2 Enumeration — DNS enumeration.

In this lab you will use whois, dig, dnsenum and dnsrecon to map a target's DNS footprint. Target: zonetransfer.me — a deliberately misconfigured domain run by DigiNinja that allows zone transfer, making it perfect for practice.


Step 1 — WHOIS

whois example.com | head -40

You'll see registrar, registration date, name servers, abuse contacts. Pentest value:

  • Name servers reveal hosting provider.
  • Registrant org sometimes leaks corporate identity.
  • Registration age hints at typosquat domains.

Step 2 — Basic DNS records with dig

dig zonetransfer.me A
dig zonetransfer.me MX
dig zonetransfer.me NS +short
dig zonetransfer.me TXT

Look for:

  • A / AAAA — hosting IP.
  • MX — mail servers (target for phishing infra).
  • TXT — SPF, DKIM, often leaks 3rd-party services (Salesforce, MailChimp, etc.).
  • NS — DNS providers.

Step 3 — Reverse DNS

dig -x 8.8.8.8 +short

Use this to confirm ownership of IP ranges from Step 2.


Step 4 — Zone transfer (AXFR)

dig axfr @nsztm1.digi.ninja zonetransfer.me

On a well-configured server this returns Transfer failed. On zonetransfer.me you get the entire zone — every host, every record. That's a critical misconfig you'd report immediately.


Step 5 — Automate with dnsenum

dnsenum zonetransfer.me

dnsenum chains: AXFR attempt → brute-force subdomain dictionary → reverse lookup of returned IPs → NetCraft search. Save output:

dnsenum --output zonetransfer.xml zonetransfer.me

Step 6 — dnsrecon modes

dnsrecon -d zonetransfer.me -t std        # SOA, NS, A, MX, SRV
dnsrecon -d zonetransfer.me -t axfr       # AXFR test
dnsrecon -d zonetransfer.me -t brt -D /usr/share/wordlists/dnsmap.txt   # brute force

Step 7 — Detecting DNSSEC and zone walking (NSEC)

dig zonetransfer.me +dnssec +short
dig DNSKEY zonetransfer.me +short

If the zone uses NSEC (not NSEC3), you can walk the entire zone with ldns-walk:

ldns-walk zonetransfer.me

Report finding: "Zone exposes all records via NSEC walking — switch to NSEC3 with salt and opt-out."


What you learned

  • How whois, dig, dnsenum and dnsrecon complement each other.
  • How to test for AXFR and NSEC walking.
  • Which DNS findings are reportable (open AXFR, NSEC, missing SPF/DMARC).