DNS (Domain Name System) footprinting is one of the most important reconnaissance methods for learning about a target’s DNS infrastructure: it clarifies the network topology and identifies weaknesses.
DNS footprinting
DNS functions similarly to the internet’s phone book: to make communication over the internet possible, it converts human-readable domain names (such as example.com) into IP addresses (such as 192.168.1.1). DNS footprinting entails gathering DNS-related information on a target domain or network, including DNS records, IP addresses, and subdomains. This knowledge can uncover potential attack vectors and important infrastructure details.
Common objectives of DNS Footprinting
- Recognizing hidden domains and subdomains
- DNS record retrieval: A, MX, NS, AXFR (A = address, MX = mail exchanger, NS = name server, AXFR = authoritative zone transfer)
- Identifying possible points of attack
- Knowing the IP address space of the target
How DNS Footprinting Works
This is an explanation of DNS footprinting in detail:
Step 1 – Gather Domain Information
Begin by gathering the target domain’s basic information, including contact data, registrar details, and domain history. This initial stage gives information on who owns the domain and may reveal contact or admin information that can be used for social engineering.
Tools – Use dig, whois, or nslookup for domain lookups
Command – dig testfire.net
Command – whois testfire.net
Command – nslookup testfire.net
What it does – Together, the dig, whois and nslookup commands return important information such as domain registration dates, expiration dates, and possibly admin contact details. This can identify administrative or technical contacts who might be at risk of social engineering or phishing scams.
Step 2: DNS Zone Transfers
Zone transfers enable synchronized data sharing between two DNS servers. Because of configuration errors, a DNS server might permit an unauthorized zone transfer, exposing all of the DNS records for the domain, including A, MX, and TXT records.
Tool: Use dig, whois, nslookup, or a dedicated AXFR tool to attempt a zone transfer.
Command – dig AXFR [email protected]
What it does – This command attempts a zone transfer. If it succeeds, we gain access to a valuable source of information such as subdomains, mail servers, internal DNS records and other sensitive data.
Step 3: DNS Record Enumeration
DNS records include crucial information on the organization and structure of a domain’s services. IP addresses, mail servers, and nameservers can all be found by listing DNS entries. Different record types are used to gather this information:
- A Record (Address Records): Domain names and IP addresses are mapped.
- MX Record (Mail Exchange Records): Lists the domain’s mail servers, which are potential targets for social engineering attempts.
- NS Record (Name Server Records): Nameservers manage the domain’s DNS requests.
- TXT Record: These records may provide information about the domain’s policies as well as other pertinent details for email authentication.
Tools – To extract DNS records, use nslookup, dig, or host.
Command – dig testfire.net, or the equivalent host command
What it does – This command requests every DNS record that is accessible for the domain.
Step 4: Reverse DNS Lookups
A reverse DNS lookup maps an IP address back to its corresponding domain name. In reverse DNS lookups, an IP address is matched to a domain name using a PTR (pointer) record. These records are configured under the special in-addr.arpa domain. A reverse DNS lookup will not work if no PTR record exists.
Tool – Use dnsrecon for reverse lookups
Command – dnsrecon -d cnn.com
What it does – The command can be used to map out the target’s infrastructure by revealing the domain linked to a particular IP address.
For reverse lookups across an IP range, use the command dnsrecon -r [IP range]; the -r option takes a range of IP addresses rather than a single address.
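As an added example (not part of the original post), the Python below parses dig-style answer lines such as those gathered in Steps 3 and 4 into a per-type record inventory, lists which hostnames the zone exposes, and builds the in-addr.arpa or ip6.arpa name that a PTR lookup actually queries. The sample records are constructed for illustration and are not real testfire.net data; a defender can run the same parser over a dig dump of their own zone to see what an unauthorized transfer would reveal.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the answer-section format that dig prints (not real data).
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.18 <<>> testfire.net ANY
;; ANSWER SECTION:
testfire.net.        3600  IN  A     203.0.113.10
testfire.net.        3600  IN  MX    10 mail.testfire.net.
testfire.net.        3600  IN  NS    ns1.testfire.net.
testfire.net.        3600  IN  TXT   "v=spf1 mx -all"
dev.testfire.net.    300   IN  A     203.0.113.20
"""


def parse_dig_records(text):
    """Turn dig answer lines (name TTL class type rdata) into {type: [(name, rdata)]}."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip dig comments and section headers
        parts = line.split(None, 4)  # rdata may itself contain spaces (MX, TXT)
        if len(parts) < 5 or parts[2] != "IN":
            continue  # not a resource record line
        name, _ttl, _cls, rtype, rdata = parts
        records[rtype].append((name.rstrip("."), rdata))
    return dict(records)


def exposed_hosts(records):
    """Hostnames with A records: what a leaked zone tells an outsider about the network."""
    return sorted({name for name, _ in records.get("A", [])})


def reverse_name(ip):
    """Name a PTR query uses: octets reversed under in-addr.arpa (IPv4) or nibbles under ip6.arpa (IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer


if __name__ == "__main__":
    recs = parse_dig_records(SAMPLE_DIG_OUTPUT)
    for rtype, entries in recs.items():
        print(rtype, entries)
    print("exposed hosts:", exposed_hosts(recs))
    for name, addr in recs.get("A", []):
        print(f"PTR lookup for {addr} queries {reverse_name(addr)}")
```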
Step 5: Brute-force Subdomain Enumeration
Subdomain discovery is essential for DNS footprinting since it frequently exposes hidden or insecure services operating on the same network. Subdomains could be a component of internal services, staging servers, or development environments.
Tool – Sublist3r; install it on Kali Linux with this command:
sudo apt install sublist3r
Command – sublist3r -d testfire.net
What it does – This tool finds subdomains linked to a domain by using wordlists and DNS information. Locating hidden subdomains may reveal further vulnerabilities.
Conclusion
DNS footprinting is an essential step in the reconnaissance stage of ethical hacking. By mapping out a target’s DNS architecture, we obtain important information that can help find vulnerabilities.