DNS Record Querying For Pentesting

DNS Records

A Record (Address Record): These records map a FQDN (fully qualified domain name) to an IP address. This is the most commonly used record type in any DNS system, since it is what maps domain names to IP addresses.

CNAME Record (Canonical Name Record): These are usually referred to as alias records since they map an alias to its canonical name. The name server handles these queries differently from an A record: when it looks up a name and finds a CNAME record, it replaces the name with the canonical name and looks up the new name. This allows you to point multiple host names to one IP without assigning an A record to each of them. If the IP ever changes, you only have to change one A record.

How to get a CNAME:
  • Perform a zone transfer (AXFR) on the domain to retrieve all records for the domain. The DNS administrator needs to explicitly allow AXFR transfers to your IP address from your chosen DNS server. You can perform such a transfer like this: dig @ns1.google.com google.com AXFR
  • Directly view the zonefile on the relevant DNS server. You need administrator access to the DNS server for this.
SOA (Start of Authority): Every domain must have a Start of Authority record at the cutover point where the domain is delegated from its parent domain. For example, if the domain mycompany.com is delegated to DNSimple, DNSimple must include a SOA record for the name mycompany.com in its authoritative DNS records. DNSimple adds this record automatically for every domain that is added and shows it to you as a System Record in your domain's:

Example of SOA record:

$ dig SOA gmail.com
...[omitted]...
;; QUESTION SECTION:
;gmail.com. IN SOA

;; ANSWER SECTION:
gmail.com. 600 IN SOA ns1.google.com. dns-admin.google.com. 2012061200 21600 3600 1209600 300
...[omitted]...

DNS Record Configuration (zone-file form):

@ IN SOA nameserver.place.dom. postmaster.place.dom. (
                               1            ; serial number
                               3600         ; refresh   [1h]
                               600          ; retry     [10m]
                               86400        ; expire    [1d]
                               3600 )       ; min TTL   [1h]

  1. The primary name server for the domain (ns1.google.com in the example above, or the first name server in the vanity name server list when vanity name servers are used).
  2. The responsible party for the domain (dns-admin.google.com in the example; the first dot stands for the @ of the mailbox).
  3. The serial number, which changes whenever you update your domain.
  4. The number of seconds before the zone should be refreshed.
  5. The number of seconds before a failed refresh should be retried.
  6. The upper limit in seconds before a zone is considered no longer authoritative.
  7. The negative result TTL (for example, how long a resolver should consider a negative result for a subdomain to be valid before retrying).

NS record in a DNS Zone file: This record specifies the DNS server responsible for this domain.

MX records or Mail server entry in DNS: MX records define the mail servers for a domain.

TXT: Originally for arbitrary human-readable text in a DNS record. Since the early 1990s, however, this record more often carries machine-readable data, such as that specified by RFC 1464, opportunistic encryption, Sender Policy Framework, DKIM, DMARC, DNS-SD, etc.

HINFO: Gives a description of the type of computer/OS a host uses.

Example of HINFO record:

$ dig +short hinfo zzz.damtp.cam.ac.uk
"PC" "Linux/x86"

PTR (Pointer Record): Pointer to a canonical name. Unlike a CNAME, DNS processing does NOT proceed; just the name is returned. The most common use is for implementing reverse DNS lookups, but other uses include such things as DNS-SD.

$ dig -x 209.85.102.36
...[omitted]...
;; QUESTION SECTION:
;36.102.85.209.in-addr.arpa. IN PTR
;; ANSWER SECTION:
36.102.85.209.in-addr.arpa. 600 IN PTR serv01.siteground.com.
...[omitted]...
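The reverse lookup above works because dig turns the address into the owner name 36.102.85.209.in-addr.arpa. and asks for its PTR record. The following added example (not part of the original page) builds that owner name for IPv4 and IPv6 addresses, parses the dig answer line shown above, and then does the check a defender actually wants when a PTR result turns up in a log: forward-confirmed reverse DNS, i.e. does the name the PTR points to resolve back to the same address? Because a PTR answer is returned as-is rather than followed like a CNAME, that confirmation is the client's job. The A and PTR data in FORWARD and REVERSE are constructed in-memory records standing in for a real resolver.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


def reverse_name(ip: str) -> str:
    """Owner name queried for a PTR lookup: octets reversed under in-addr.arpa. for IPv4,
    hex nibbles reversed under ip6.arpa. for IPv6 (absolute name, trailing dot included)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")          # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def parse_ptr_line(line: str) -> Tuple[str, int, str]:
    """Parse 'owner TTL IN PTR target' as printed in dig's ANSWER SECTION."""
    owner, ttl, klass, rtype, target = line.split()
    if klass != "IN" or rtype != "PTR":
        raise ValueError(f"not a PTR answer line: {line!r}")
    return owner, int(ttl), target


# Constructed sample data: what a resolver would answer for A and PTR queries.
FORWARD: Dict[str, List[str]] = {
    "serv01.siteground.com.": ["209.85.102.36"],   # matches the page's dig -x example
    "mail.example.test.": ["192.0.2.25"],          # PTR below points here, but the A record disagrees
}
REVERSE: Dict[str, str] = {
    "36.102.85.209.in-addr.arpa.": "serv01.siteground.com.",
    "10.2.0.192.in-addr.arpa.": "mail.example.test.",
}


def forward_confirmed(ip: str,
                      forward: Dict[str, List[str]] = FORWARD,
                      reverse: Dict[str, str] = REVERSE) -> Tuple[bool, Optional[str]]:
    """Forward-confirmed reverse DNS: look up the PTR for ip, then check that the returned
    name has an A/AAAA record containing ip. Returns (confirmed, ptr_name_or_None)."""
    name = reverse.get(reverse_name(ip))
    if name is None:
        return False, None                           # no PTR at all
    return ip in forward.get(name, []), name         # PTR exists; does it round-trip?


def enrich_log_ips(ips: List[str]) -> List[str]:
    """Label each address the way a SIEM enrichment step might, so analysts see unconfirmed names."""
    out = []
    for ip in ips:
        ok, name = forward_confirmed(ip)
        if name is None:
            out.append(f"{ip} no-ptr")
        else:
            out.append(f"{ip} {name} {'confirmed' if ok else 'UNCONFIRMED'}")
    return out


if __name__ == "__main__":
    owner, ttl, target = parse_ptr_line("36.102.85.209.in-addr.arpa. 600 IN PTR serv01.siteground.com.")
    print(owner, "->", target, f"(ttl {ttl})")
    print(reverse_name("2001:db8::1"))
    for line in enrich_log_ips(["209.85.102.36", "192.0.2.10", "198.51.100.7"]):
        print(line)
```

The constructed 192.0.2.10 entry shows the case worth alerting on: the PTR claims mail.example.test., but that name's A record points elsewhere, so the reverse name cannot be trusted as an identity for the address.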

DNS Record Fields

IP: The IP address of your FQDN.

TTL: The TTL (Time to Live) is the amount of time your record will stay in the cache of systems requesting it (resolving name servers, browsers, etc.). The TTL is set in seconds, so 60 is one minute, 1800 is 30 minutes, etc. Systems that have a static IP should usually have a TTL of 1800 or higher. Systems that have a dynamic IP should usually have a TTL of 1800 or less.

Name: The host name within your domain that the record belongs to, which is an actual computer within your domain.

References:

  1. http://help.dnsmadeeasy.com/spry_menu/a-record/
  2. http://en.wikipedia.org/wiki/List_of_DNS_record_types