5. DNS zone transfer



DNS (Domain Name System), TCP/53 and UDP/53, is a fundamental component of the internet that translates human-readable domain names (such as example.com) into IP addresses (such as 192.168.0.1) that computers use to communicate with each other. Think of it as the phonebook of the internet, converting easily remembered domain names into machine-readable IP addresses.

When you enter a website URL into your browser, the browser needs to find the IP address associated with that domain name to establish a connection. Here's a simplified overview of how DNS works:

  • A user enters "google.com" into the address bar of their browser and hits Enter.
  • The browser needs to find the IP address of "google.com" to establish a connection. It sends a DNS query to the configured DNS server (This may be assigned by your ISP or may be one you have manually set).
  • The DNS server receives the query and checks its cache for a matching IP address for "google.com". If the information is available, the server sends back the IP address; if it is not in the cache, the server initiates the DNS resolution process.
  • The server sends a query to one of the root DNS servers, asking for the IP address of the top-level domain (TLD) server responsible for ".com".
  • The root DNS server responds to the server with the IP address of the TLD server responsible for ".com".
  • The server then sends a query to the TLD server for "google.com", asking for the IP address of the authoritative name server responsible for "google.com".
  • The TLD server responds to the server with the IP address of the authoritative name server responsible for "google.com".
  • The server then sends a query to the authoritative name server for "google.com", asking for the IP address of "google.com".
  • The authoritative name server responds to the server with the IP address of "google.com".
  • The DNS server sends the IP address of "google.com" back to the user's browser.
  • The browser receives the IP address and initiates a connection to the IP address using the HTTP/HTTPS protocol.



To hold data such as IP addresses, name servers, etc., DNS uses "records". There are multiple different record types:

  • A (Address) Record: Maps a domain name to an IPv4 address.
  • AAAA (IPv6 Address) Record: Maps a domain name to an IPv6 address.
  • CNAME (Canonical Name) Record: Provides an alias or canonical name for a domain. It redirects one domain name to another.
  • MX (Mail Exchanger) Record: Specifies the mail servers responsible for receiving email messages sent to a specific domain.
  • NS (Name Server) Record: Indicates the authoritative name servers for a domain. It identifies the servers that hold the authoritative DNS records for the domain.
  • SOA (Start of Authority) Record: Provides essential information about the DNS zone, including the primary (master) name server, contact email address, and other parameters.
  • TXT (Text) Record: Stores arbitrary text-based information associated with a domain. It is used for domain verification, SPF (Sender Policy Framework) configuration, and other custom applications.
  • SRV (Service) Record: Defines the location of specific services within a domain. It is commonly used for protocols like SIP (Session Initiation Protocol) and XMPP (Extensible Messaging and Presence Protocol).
  • PTR (Pointer) Record: Performs reverse DNS lookups. It maps an IP address to a domain name, used for reverse DNS resolution.
  • SPF (Sender Policy Framework) Record: Specifies the authorized mail servers for sending email on behalf of a domain. It helps prevent email spoofing and improves email deliverability.
  • DKIM (DomainKeys Identified Mail) Record: Provides a digital signature for email messages sent from a domain, helping verify the authenticity of the message and prevent email forgery.





This process takes place at incredible speeds so that the user doesn't see any delay. The key terms you may not be familiar with are:

  • Root DNS Servers: The highest level of DNS servers in the hierarchical DNS system. They maintain information about top-level domains (TLDs) and help direct DNS queries to the appropriate authoritative name servers.
  • TLD (Top-Level Domain): The highest level in the domain name system hierarchy, represented by domain extensions such as .com, .org, .net, etc.
  • Authoritative Name Server: A DNS server that holds the official DNS records for a particular domain. It provides responses to DNS queries for that domain.



When working with DNS we need to be aware of DNS zones. A zone represents a logical boundary for a specific domain or a group of related domains. Within a DNS zone, the authoritative name servers store and manage the DNS records for the associated domain(s).

A DNS zone typically corresponds to a specific domain name, such as "example.com". The zone contains the DNS records that define the mapping between domain names and their corresponding IP addresses or other resource records.

A DNS zone is primarily managed by the authoritative name servers designated for that zone. These authoritative name servers hold the authoritative copies of the zone's DNS records and respond to DNS queries for that zone. They can be primary (master) or secondary (slave) servers, depending on whether they are responsible for the original zone data or are replicas of the primary server.

If it is possible to trigger a DNS zone transfer, it is possible to obtain a full copy of all the information the DNS server has about a domain. This can help identify other machines that may be of interest. The most common tools to attempt a zone transfer with are dig and host.

Dig

dig @<name server> <domain> axfr

It is important to take note of the syntax:

  • @<name server> specifies the IP address of the server running DNS
  • <domain> represents the domain that you want to attempt the zone transfer
  • axfr is the query type used for a zone transfer



Host

host -t axfr <domain> <name server>

There is slightly different syntax here in comparison to dig:

  • -t axfr specifies the type of DNS query; an axfr query is used for a zone transfer
  • <domain> represents the domain that you want to attempt the zone transfer
  • <name server> specifies the IP address of the server running DNS (note the lack of an @ symbol)



Should a zone transfer be successful, there will be output like the following:



This output shows all the information a name server had about the CTRL.local domain. It is possible to identify the following:

  • The primary name server using the SOA record
  • The IP addresses of multiple devices using the A records
  • The name servers for the domain using the NS records
  • Services running on the DC01 device using the SRV records
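As an added example (not part of the course material), a small Python parser for the output dig produces from an axfr query, run over constructed sample output for a hypothetical CTRL.local zone; it distinguishes a refused transfer (dig prints "; Transfer failed.") from a successful one and pulls out the SOA primary, A, NS and SRV details the list above describes. The output layout is assumed from BIND 9's dig; the zone contents and addresses are invented.

```python
import re
from collections import defaultdict

# Constructed sample of `dig @192.168.1.10 CTRL.local axfr` output (hypothetical zone, not real data)
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> @192.168.1.10 CTRL.local axfr
CTRL.local.\t\t3600\tIN\tSOA\tdc01.CTRL.local. hostmaster.CTRL.local. 42 900 600 86400 3600
CTRL.local.\t\t3600\tIN\tNS\tdc01.CTRL.local.
dc01.CTRL.local.\t3600\tIN\tA\t192.168.1.10
ws01.CTRL.local.\t1200\tIN\tA\t192.168.1.50
_ldap._tcp.CTRL.local.\t600\tIN\tSRV\t0 100 389 dc01.CTRL.local.
CTRL.local.\t\t3600\tIN\tSOA\tdc01.CTRL.local. hostmaster.CTRL.local. 42 900 600 86400 3600
;; XFR size: 6 records (messages 1, bytes 240)
"""
# What dig prints when the server refuses the transfer (the expected, well-configured case)
SAMPLE_REFUSED = "; <<>> DiG 9.18.1 <<>> @192.168.1.10 CTRL.local axfr\n; Transfer failed.\n"

# owner name, TTL, class IN, type, rdata (dig separates the fields with tabs)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")

def parse_axfr(output):
    """Map record type -> list of (owner, rdata). Returns None if the transfer was refused."""
    if "; Transfer failed." in output:
        return None
    records = defaultdict(list)
    for line in output.splitlines():
        if not line.strip() or line.startswith(";"):  # comment and statistics lines
            continue
        m = RR_LINE.match(line)
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            records[rtype].append((owner, rdata))
    # AXFR brackets the zone with the SOA at start and end; keep a single copy
    if len(records["SOA"]) == 2 and records["SOA"][0] == records["SOA"][1]:
        records["SOA"] = records["SOA"][:1]
    return dict(records)

def summarize(records):
    """Extract the items the text says a successful transfer exposes."""
    srv = {}
    for owner, rdata in records.get("SRV", []):
        _prio, _weight, port, target = rdata.split()  # SRV rdata: priority weight port target
        srv[owner] = (target, int(port))
    return {
        "primary_ns": records["SOA"][0][1].split()[0],  # MNAME field of the SOA
        "name_servers": sorted(rdata for _, rdata in records.get("NS", [])),
        "hosts": dict(records.get("A", [])),
        "services": srv,
    }
```

Feed it the output of dig run against your own name servers from outside the network: anything other than None means the server hands its zone to arbitrary clients, whereas only designated secondaries should be permitted to pull it.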