Sat 05 April 2014
Here is a reminder for myself that may be useful to everyone (as I hope everything I write down here is). It concerns some tools to retrieve DNS information. Almost everything in this post is based on BIND. Other posts about DNS can be found here.
First of all, I should put a link to the dig manpage and a short example of its use:
dig +trace AAAA www.example.com
When querying whoami.akamai.net, the answer depends on the host making the request: it is the address of the recursive resolver that actually reached Akamai's authoritative servers, which is useful to detect a DNS proxy. Try comparing several servers' responses:
dig @188.8.131.52 A whoami.akamai.net
dig @184.108.40.206 A whoami.akamai.net
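The comparison the two commands above invite, as an added example that is not part of the original post: whoami_verdict reads one "resolver answer" line per server and flags the case where every resolver hands back the same address, which is what a transparent DNS proxy on the path looks like; whoami_live (needs network) builds those lines with dig. The resolver and answer addresses in the sample are constructed documentation addresses.

```shell
#!/bin/sh
# Added example (not from the original post). whoami.akamai.net answers with
# the address of the recursor that reached Akamai, so two independent
# resolvers should normally yield two different answers.

# whoami_verdict: read "RESOLVER ANSWER" lines on stdin, print them, then a
# verdict. Returns 0 when the answers differ, 1 when every resolver returned
# the same address (possible interception), 2 when fewer than two lines given.
whoami_verdict() {
    local first all_same n resolver answer
    first=""; all_same=1; n=0
    while read -r resolver answer; do
        [ -n "$resolver" ] || continue
        n=$((n + 1))
        printf '%-16s -> %s\n' "$resolver" "$answer"
        if [ -z "$first" ]; then
            first=$answer
        elif [ "$answer" != "$first" ]; then
            all_same=0
        fi
    done
    if [ "$n" -lt 2 ]; then
        echo "need answers from at least two resolvers to compare"
        return 2
    fi
    if [ "$all_same" -eq 1 ]; then
        echo "all resolvers returned $first: suspect a DNS proxy on the path"
        return 1
    fi
    echo "answers differ: queries appear to reach each resolver directly"
    return 0
}

# whoami_live RESOLVER...: live helper (needs network); queries each resolver
# for whoami.akamai.net and feeds the answers to whoami_verdict.
whoami_live() {
    for r in "$@"; do
        printf '%s %s\n' "$r" "$(dig @"$r" +short A whoami.akamai.net | head -n 1)"
    done | whoami_verdict
}

# Constructed sample answers so the check runs offline.
# Case 1: each resolver answers on its own -> verdict "answers differ".
printf '%s\n' '192.0.2.53 192.0.2.53' '198.51.100.53 198.51.100.53' | whoami_verdict || true
# Case 2: both resolvers "answer" with the same third address -> suspect a proxy.
printf '%s\n' '192.0.2.53 203.0.113.9' '198.51.100.53 203.0.113.9' | whoami_verdict || true
```

Real resolvers often egress from an address other than the one you query, so a mismatch between resolver and answer is normal; only identical answers across independent resolvers are the signal worth investigating.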
Of course, more complicated stuff is possible:
#!/bin/sh
# usage: ./dnsinfo.sh <domain>
opt="+dnssec +trace"
outfile0=out0.txt
outfile1=out1.txt
rm -fv "$outfile0" "$outfile1"        # clean up previous runs

for rec in any a aaaa mx ns txt        # fetch some records
do
    dig $opt $rec "$1"
    sleep 1                            # we don't flood servers
done > "$outfile0"

# remove comment lines and root-zone related RRs ('^\.' : an unescaped '.' would match every line),
# keep only lines containing IN class RRs
grep -v -e '^;' -e '^\.' "$outfile0" | grep -w IN |
while read -r fqdn ttl class type addr
do
    if [ "$type" = "A" ] || [ "$type" = "AAAA" ]   # check PTR for fetched addresses
    then
        dig $opt -x "$addr" >> "$outfile1"          # -x must be followed by the address
        sleep 1                                     # we don't flood servers
    fi
done

# show all results
cat "$outfile0" "$outfile1"
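The address-extraction step of the script above, as an added example that is not the post's own code: extract_addrs pulls the A/AAAA record data out of dig output while skipping the ';' comment lines, the root-zone records that +trace prints and the RRSIG/NS lines that +dnssec adds, and reverse_all (needs network) runs the PTR lookups on the result. The dig output embedded in SAMPLE_DIG is constructed from documentation addresses so the function can be exercised offline.

```shell
#!/bin/sh
# Added example, not the original post's script.

# extract_addrs: read dig output on stdin, print one address per A/AAAA RR.
# Field 1 is the owner name, 3 the class, 4 the type, 5 the rdata. Comment
# lines start with ';' and root-zone records have '.' as owner. awk splits on
# any run of whitespace, so real tab-separated dig output and the
# space-separated sample below are handled alike.
extract_addrs() {
    awk '$1 !~ /^;/ && $1 != "." && $3 == "IN" && ($4 == "A" || $4 == "AAAA") { print $5 }'
}

# reverse_all: live helper (needs network). PTR lookup for every address read
# from stdin, pausing between queries as the script above does.
reverse_all() {
    while read -r addr; do
        dig +dnssec -x "$addr"
        sleep 1
    done
}

# Constructed sample of what 'dig +dnssec +trace' prints (documentation
# addresses; the NS and RRSIG lines are there to show they are ignored).
SAMPLE_DIG='; <<>> DiG 9.9.5 <<>> +dnssec +trace a www.example.com
;; global options: +cmd
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      RRSIG   NS 8 0 518400 20140501000000 20140401000000 12345 . c29tZXNpZw==
com.                    172800  IN      NS      a.gtld-servers.net.
www.example.com.        300     IN      A       192.0.2.10
www.example.com.        300     IN      RRSIG   A 8 3 300 20140501000000 20140401000000 12345 example.com. c29tZXNpZw==
www.example.com.        300     IN      AAAA    2001:db8::10
;; Received 200 bytes from 192.0.2.53#53(ns1.example.com) in 12 ms'

# addrs_of_sample: the extracted addresses of the sample, space-separated on
# one line, so the result can be checked directly.
addrs_of_sample() {
    printf '%s\n' "$SAMPLE_DIG" | extract_addrs | paste -sd ' ' -
}

addrs_of_sample            # prints: 192.0.2.10 2001:db8::10
# printf '%s\n' "$SAMPLE_DIG" | extract_addrs | reverse_all   # live PTR lookups
```

Matching the owner name as a whole awk field sidesteps the regex pitfall entirely: no escaping of '.' is needed, and a line is only kept when class and type are exactly what the PTR step expects.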
Nevertheless, this tool seems to rely on zone transfers (AXFR), which should not be allowed on properly configured servers, so it fails quite easily.
nmap comes with some DNS options.
Not quite useful, but still fun.
I found another script there.