Infiltration artifact series DNS information query


I haven't written an article for a long time: I have been busy changing jobs, getting things done and dealing with a lot of trouble. Today I want to sort out the DNS information query tools. DNS queries come up often in penetration testing and in operations. In particular, companies that run their own internal DNS servers need to check periodically whether resolution is working and whether the DNS has been hijacked, so it is worth learning a few tools for quickly querying and checking the status of a DNS server. This article introduces several common DNS information query tools.

nslookup

nslookup is a tool for checking whether a DNS server on the network can resolve domain names; in short, it returns the IP corresponding to a domain name. The difference from ping is that nslookup returns more results and mainly gathers information about the DNS server, so it is useful for troubleshooting the DNS server. (ping also requests the DNS record first and then sends ICMP packets to the resolved IP.)

Usage

Non-interactive (enter the query directly in the shell):

Query the IP corresponding to the thief.one domain name, sending the query to the DNS server 114.114.114.114:

nslookup thief.one 114.114.114.114

Check the DNS service provider (name servers) of thief.one:

nslookup -type=ns thief.one

Check the mail servers of thief.one:

nslookup -type=mx thief.one

Interactive (start nslookup first, then enter commands at its prompt):

nslookup
>

Once in the interactive prompt, enter the query commands:

>set type=a                #Set the DNS record type to query
>thief.one                 #Enter the domain name to query
>set type=mx               #Change the record type to MX
>thief.one
>server 114.114.114.114    #Set the DNS server to query
>ls thief.one              #ls lists all names in a domain (it requests a zone transfer)

Record types that can be set:

-A #A record (IPv4 address)
-AAAA #IPv6 address record
-CNAME #CNAME (alias) record
Product
-MB
-MG
-MR
-MX #mail exchange record: the mail server responsible for a domain
-NS #name server record: which name server is authoritative for the domain
-PTR #reverse record, i.e. from IP address to domain name
-TXT #text records associated with the domain

host

Similar to nslookup, host also queries the DNS information corresponding to a domain name.

Usage

host -t A thief.one

Parameters

  • -a: display all DNS information (verbose answer);
  • -c: specify the query class, the default is "IN";
  • -C: query the complete SOA record of the specified zone;
  • -r: do not use recursive query mode when querying the domain name;
  • -t: specify the type of DNS record to query;
  • -v: display detailed information about the execution of the command;
  • -w: if the name server does not respond, keep waiting until it does;
  • -W
  • -4: use IPv4;
  • -6: use IPv6.

dig

Usage

dig thief.one mx
dig thief.one ns
dig @202.106.0.20 thief.one a     # specify the DNS server to query
dig thief.one a +tcp              # use TCP; the default is UDP
dig thief.one a +trace            # show the resolution step by step, starting from the root servers

If the DNS server for thief.one is 10.0.0.1 and the zone allows unrestricted zone transfers (the zone transfer vulnerability), dig @10.0.0.1 thief.one axfr lists every record in the zone; on your own servers, check that AXFR is refused from hosts that are not secondaries.

Parameters

  • @: specify the name server to send the query to;
  • -b: when the host has several IP addresses, specify which local address to send the query from;
  • -f: run dig in batch mode; the given file contains the queries to process;
  • -p: specify the port number of the name server;
  • -t: specify the type of DNS record to query;
  • -x: perform a reverse (IP to name) lookup;
  • -4: use IPv4;
  • -6: use IPv6;
  • -h: display the command help.
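As an added example (not code from the original article), the following Python script does in code what nslookup and dig do on the command line: it builds the query packet those tools send, parses the response, and compares the A records returned by two resolvers, which is the periodic hijack check the introduction calls for. The responses below are constructed in the script itself rather than captured from the network, and thief.one with 203.0.113.10 are placeholder values.

```python
import socket
import struct
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}

def build_query(name, qtype="A", txid=0x1234):
    """The packet dig/nslookup send: 12-byte header (RD=1) + one question."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", QTYPES[qtype], 1)

def _read_name(msg, off):
    """Decode a (possibly compressed) name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:  # compression pointer: jump, remember where we left off
            end = end or off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), end or off
        labels.append(msg[off:off + ln].decode())
        off += ln

def parse_answers(msg):
    """Return [(owner, rtype, rdata)] from the answer section; A, NS and CNAME are decoded."""
    qd, an = struct.unpack(">HH", msg[4:8])
    off, out = 12, []
    for _ in range(qd):  # skip the echoed question(s): name + type + class
        off = _read_name(msg, off)[1] + 4
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        val = msg[off:off + rdlen]  # raw rdata unless decoded below
        if rtype == 1:
            val = socket.inet_ntoa(val)
        elif rtype in (2, 5):  # NS / CNAME carry a (possibly compressed) name
            val = _read_name(msg, off)[0]
        out.append((owner, rtype, val))
        off += rdlen
    return out

def answers_differ(resp_internal, resp_reference):
    """True when two resolvers disagree on the A records: a hijack or misconfiguration signal."""
    return {v for _, t, v in parse_answers(resp_internal) if t == 1} != {v for _, t, v in parse_answers(resp_reference) if t == 1}

def fake_a_response(name, ips, txid=0x1234):
    """Constructed sample response (not captured traffic) so the check runs offline."""
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 3600, 4) + socket.inet_aton(ip) for ip in ips)
    return struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0) + build_query(name, "A", txid)[12:] + rrs
```

To run the same check against live resolvers, send build_query() over UDP port 53 to the internal server and to a trusted public one, then pass both replies to answers_differ().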

whois

whois is used to query information related to a domain name, such as the registrant, contact email, registrar, IP allocation information and so on.

Usage

whois -p port thief.one

More usage can be viewed using man whois.

Portal

[Infiltration Artifact Series] Metasploit: http://thief.one/2017/08/01/1/
[Infiltration Artifact Series] nc: http://thief.one/2017/04/10/1/
[Infiltration Artifact Series] nmap
[Infiltration Artifact Series] Fiddler: http://thief.one/2017/04/27/1
[Infiltration Artifact Series] Search Engine
[Infiltration Artifact Series] WireShark: http://thief.one/2017/02/09/WireShark%E8%BF%87%E6%BB%A4%E8%A7%84%E5%88%99/

There are also many websites for online DNS lookups; see SecWeb Secure Navigation: https://thief.one/SecWeb. There are many similar articles on the Internet, so feel free to search further. Only a few common tools are covered here; more will be added as good ones turn up.

Title: Infiltration artifact series DNS information query

Author: nmask

Published: 12 July 2017, 16:07

Last updated: 11 July 2019, 17:07

Original link: https://thief.one/2017/07/12/1/en/

License: CC BY-NC-ND 4.0 International. Please keep the original link and author when reposting.
