
I know all the baseline steps to do DNS enumeration over a domain. But my question is: how can I enumerate a server when I do not know which domain it is managing and I only have its IP address? My scenario: I discovered 2 DNS servers running in scope during an enumeration exercise. These hosts were not supposed to be there. I know their IPs, I know that they are listening on DNS sockets, but I cannot get more details. I tried to dig over the IPs, but nothing useful came back. Is there any way to discover what domain name is running on these IPs? Is there any way to do DNS enumeration (queries, registries, zone transfer and so on) over an IP address without knowing exactly which domain name is in place? Regards.

Mr John
  • Are you inside a local network? Then you could sniff network traffic using Wireshark (or tshark) and filter for port 53 and server IP addresses. Those servers are probably servicing clients and the captured DNS requests may offer some clues. I assume you also tested for PTR records. – Kate May 07 '22 at 19:35
  • Hello there. Yes, I tried to sniff but nothing was captured. And I did also check for PTR records. Nothing either. That's why I was trying to see other options to enumerate it. Thanks. @Kate – Mr John May 13 '22 at 20:25

1 Answer

how can I enumerate a server when I do not know which domain it is managing and I only have its IP address?

(I am reading your question as: "I have the IP address of a nameserver replying on port 53 and I want to find out for which zones this nameserver is authoritative"; of course we assume you have already verified that this is not just a recursive nameserver.)

There is nothing like that baked into the DNS protocol. You can use some heuristics: do a reverse query on the IP, search for the IP block and the relevant organizations owning it, or use other external databases of "domain to nameservers" maps in reverse to get a list of domains for a given nameserver.

You may also get some hints based on whatever "invalid" queries you send to the nameserver, especially if it is doing referrals, by looking at the various names in the SOA and/or NS records being returned.

You could also make attempts completely outside the protocol, for example checking if you can access the rndc default port at 953; if the server is BIND, you could get access to the control plane. Similarly for other nameservers (you can more or less fingerprint nameserver software remotely, either by its reply to a specific query in the CHAOS class or with some fine study of its answers).

A recent feature addition in multiple nameserver software packages is something called "catalog zones". A catalog zone is a normal DNS zone (hence you can theoretically query it, and even do AXFR queries, depending of course on the server configuration for access), except that its content is used to configure the nameservers and hence contains, among other things, the list of zones for which this server is authoritative.

Now the problem is that this zone can in fact have any name itself, and if you cannot do an AXFR, finding the appropriate records to extract the real zone names will be difficult, as they are based on a unique identifier which is opaque; hence the following example content in a catalog zone:

ddb8c2c4b7c59a9a3344cc034ccb8637f89ff997.zones IN PTR zone1.example.com.
12b1bb2a76ba242857318440f4fc9f7d35e9c4ed.zones IN PTR zone2.example.com.
Patrick Mevzek
  • Thanks. A very complete overview. So, regarding the protocol itself, there is nothing to do to query this server? Your assumption is right, by the way: I have only the IP address, and I would like to know which domain zones this server holds. – Mr John May 05 '22 at 23:23
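As an added example (this is not code from the question or the answer, and it is not from any nameserver project), the following Python script shows two of the techniques the answer describes in working form: the CHAOS-class `version.bind` TXT query used to fingerprint the server software, built and parsed at the wire-format level with only the standard library, and the extraction of member zones from catalog-zone AXFR output. The catalog name `catalog.invalid`, the version string `9.16.1-Debian`, the placeholder IP in `probe_version` and the sample zone text are all constructed; the two member labels are copied from the answer's example and are treated as opaque, exactly as the answer says. `member_label` implements the SHA-1-of-wire-format convention used by BIND and the early catalog-zone drafts; whether a given server follows it is an assumption you have to check.

```python
import hashlib
import socket
import struct

QTYPE_TXT, QTYPE_PTR, QCLASS_CH = 16, 12, 3


def encode_name(name):
    """Encode a dotted name into DNS wire format (length-prefixed labels, root byte)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(qname, qtype, qclass, txid=0x1234):
    """One-question query with RD=0: we probe the server itself, not ask it to recurse."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def read_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: 14-bit offset into the message
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_txt_answers(msg):
    """Return the RCODE, the AA bit and every TXT string in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    strings = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT:  # TXT rdata is a sequence of <len><bytes> strings
            i = 0
            while i < len(rdata):
                strings.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
                i += 1 + rdata[i]
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "txt": strings}


def probe_version(ip, timeout=2.0):
    """Send version.bind CH TXT to a live server over UDP (network; not used offline)."""
    query = build_query("version.bind", QTYPE_TXT, QCLASS_CH)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (ip, 53))
        return parse_txt_answers(sock.recv(4096))


def constructed_response(query, version):
    """Constructed sample of what BIND answers to the CHAOS query: QR=1 AA=1, question
    echoed, answer owner given as a compression pointer (0xC00C) to the question name."""
    hdr = query[:2] + struct.pack("!HHHHH", 0x8400, 1, 1, 0, 0)
    txt = bytes([len(version)]) + version.encode("ascii")
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(txt)) + txt
    return hdr + query[12:] + rr


def catalog_members(zone_text):
    """Member zones from catalog-zone AXFR text: PTR rdata of owners <label>.zones[.<catalog>].
    The label is treated as opaque; comments after ';' are ignored."""
    members = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "PTR" not in fields:
            continue
        owner_labels = fields[0].rstrip(".").lower().split(".")
        if len(owner_labels) >= 2 and owner_labels[1] == "zones":
            members.append(fields[fields.index("PTR") + 1])
    return members


def member_label(zone):
    """Assumed convention (BIND, early drafts): hex SHA-1 of the wire-format zone name.
    With a candidate zone name and a known catalog name you can then query
    <label>.zones.<catalog> PTR directly instead of needing AXFR."""
    return hashlib.sha1(encode_name(zone)).hexdigest()


# Constructed AXFR output; the two labels are the ones shown in the answer.
CATALOG_SAMPLE = """\
catalog.invalid.         IN SOA ns1.invalid. hostmaster.invalid. 1 3600 600 86400 3600
catalog.invalid.         IN NS  ns1.invalid.
version.catalog.invalid. IN TXT "2"
ddb8c2c4b7c59a9a3344cc034ccb8637f89ff997.zones.catalog.invalid. IN PTR zone1.example.com.
12b1bb2a76ba242857318440f4fc9f7d35e9c4ed.zones.catalog.invalid. IN PTR zone2.example.com.
"""

if __name__ == "__main__":
    q = build_query("version.bind", QTYPE_TXT, QCLASS_CH)
    print(parse_txt_answers(constructed_response(q, "9.16.1-Debian")))
    print(catalog_members(CATALOG_SAMPLE))
```

Run it as-is to see the offline result; replace the constructed response with `probe_version("192.0.2.53")` against a host you are authorised to test. A server that answers the CHAOS query with RCODE 5 (REFUSED) or an empty answer has simply hidden its version, which is itself a configuration hint; a non-BIND server typically answers differently or not at all, which is what the answer means by fingerprinting from the reply.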