Information Gathering: The DNS Menu
Why do I want DNS information?
- Denial of Service: find your target’s DNS server and bring it down, or corrupt DNS records to make a site unavailable.
- Service Enumeration: find your target’s web, database, email etc. servers so you can target *them*.
- Find Internal DNS Information: explore organizations’ internal network using non-public DNS records.
- Document Subdomains: discover useful or hidden subdomains of your target domain.
- Explore Internal IP Ranges: enumerate Class B or C non-routable IP subnets for interesting hosts and services.
- Find Embedded Devices: for instance, ferret out any available IP cameras. Useful, no?
How can I get it?
The classic method is requesting a zone transfer. Research this term if you’re not familiar with it.
Most DNS servers will not give you a zone transfer any more. But you should check as part of due diligence.
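The due-diligence side of this is also worth automating on the defender's end: an authoritative server that still answers AXFR for anyone leaks the whole zone in one request. The script below is an added example, not part of the original notes; it scans constructed log lines in the shape of BIND's `xfer-out` category (assumption: that category is logged; exact fields vary by version) and flags any zone transfer served to a client that is not one of your own secondary name servers.

```python
import re
from typing import Dict, List

# Constructed sample lines approximating BIND's "xfer-out" log category
# (assumption: named.conf logs that category; field layout varies by version).
SAMPLE_LOG = """\
22-Feb-2024 10:15:32.101 xfer-out: info: client @0x7f3c 198.51.100.2#41022 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024022201)
22-Feb-2024 10:15:32.140 xfer-out: info: client @0x7f3c 198.51.100.2#41022 (example.com): transfer of 'example.com/IN': AXFR ended
22-Feb-2024 11:02:07.555 xfer-out: info: client @0x7f41 203.0.113.77#53011 (example.com): transfer of 'example.com/IN': AXFR started (serial 2024022201)
22-Feb-2024 11:02:07.901 xfer-out: info: client @0x7f41 203.0.113.77#53011 (example.com): transfer of 'example.com/IN': AXFR ended
22-Feb-2024 11:30:00.000 queries: info: client @0x7f50 203.0.113.9#60001 (www.example.com): query: www.example.com IN A + (192.0.2.53)
"""

# Hosts permitted to pull the zone: your secondary name servers (assumed value).
ALLOWED_SECONDARIES = {"198.51.100.2"}

# Match only the "started" event so each transfer is counted once.
XFER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) xfer-out: \w+: client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]+\): transfer of '(?P<zone>[^']+)': "
    r"(?P<kind>AXFR|IXFR) started"
)


def find_unauthorized_transfers(log_text: str, allowed: set) -> List[Dict[str, str]]:
    """Return one record per zone transfer served to a client outside `allowed`."""
    findings = []
    for line in log_text.splitlines():
        m = XFER_RE.match(line)
        if not m:
            continue  # ordinary queries and "ended" events are not counted
        ip = m.group("ip")
        if ip in allowed:
            continue  # a known secondary pulling the zone is expected
        findings.append({"time": m.group("ts"), "client": ip,
                         "zone": m.group("zone"), "kind": m.group("kind")})
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_transfers(SAMPLE_LOG, ALLOWED_SECONDARIES):
        print(f"{f['time']} {f['kind']} of {f['zone']} served to {f['client']} "
              "(not a known secondary)")
```

Any hit is a sign that `allow-transfer` on that server is wider than the list of secondaries and should be tightened to exactly those addresses (or a TSIG key).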
What information can I get from DNS records?
A, PTR and MX records are indeed quite informative. One might corrupt an address record, penetrate a mail server, or exploit a malformed pointer, for instance.