From the course: Ethical Hacking: Footprinting and Reconnaissance
Footprinting using DNS
- [Instructor] When conducting reconnaissance, using the Domain Name System will help map your target's network. In this segment, we'll review the different techniques involved in DNS footprinting. The Domain Name System is an application layer protocol that converts a host name to an IP address and vice versa. DNS is made up of servers spread globally. The servers hold and manage records that provide an address for a host or for a specific type of resource. The DNS system is the largest distributed database in the world.

When looking at the graphic, we see that the DNS hierarchy is a tree-like structure. The hierarchy begins with the root. Below it, we see the top-level domains, such as .com and .edu, and then the second-level domains, which include google.com and mit.edu. You might also see some subdomains. Now, within each domain there are several resource records that store name and IP address pairings. A couple that you might be familiar with are "Type A," which is an IPv4 address; "quad A," which is an IPv6 address; and the MX record, which is a mail exchange.

A normal query and response occurs when a client sends a query to a DNS server for an address. The server then responds with the information, but it can also ask other DNS servers for the information. Now, when dealing with DNS, there are typically three types of servers. We have the primary server, which is the authoritative server for the zone. The primary server provides answers to your DNS queries, such as "What is the mail exchange IP address?" or "What is the website IP address?" The secondary servers are backup DNS servers, and there are also caching servers. Caching servers hold cached records of the normal back-and-forth query responses. The DNS system is essential. However, it can be vulnerable, as the records can expose your network layer.

DNS faces many threats, which include exposure or compromise of the zone file, and cache poisoning, which changes the DNS cache on the local name server to point to a bogus server. Now let's talk about some of the techniques involved in DNS footprinting. A zone transfer is when a primary DNS server periodically passes a copy of the database, called a zone, to a secondary DNS server. During footprinting, the team might be able to trick the primary DNS server into providing this information, which will expose all records in the zone. There's also a reverse DNS lookup. This involves retrieving the domain name associated with a given IP address, which can help uncover additional domains and the organizational details associated with a target organization. We might also try subdomain discovery, which uncovers subdomains within a primary domain. These subdomains might lead to different parts of an organization's infrastructure, which might be vulnerable or misconfigured. There's also cache snooping. This involves querying DNS cache records from non-authoritative DNS servers, which might expose other information about the internal structure and topology of an organization.

Many times you're going to use footprinting tools, and there are plenty. Footprinting tools include SpiderFoot, DNSRecon, DNSEnum, and theHarvester. These tools can help speed up the process and display detailed information, and many are built right into Kali Linux. Now let's test your knowledge. Review the different techniques involved in DNS footprinting. You can record your answer on the Challenge worksheet.
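As an added example (not from the course), here is a defender-side check of what a zone transfer of your own zone would hand to an outsider: it parses a constructed sample zone file and reports the hostnames, mail hosts and any RFC 1918 or ULA addresses that reveal internal layout. All names and addresses are constructed, and the parser handles only a simplified subset of BIND zone syntax.

```python
import ipaddress
import re

# Constructed sample zone (hypothetical names, RFC 5737 / RFC 1918 addresses).
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@        IN  NS    ns1.example.test.
@        IN  MX    10 mail.example.test.
ns1      IN  A     203.0.113.2
www      IN  A     203.0.113.10
mail     IN  A     203.0.113.25
intranet IN  A     10.1.20.5      ; internal-only host
backup   IN  A     192.168.50.9
www      IN  AAAA  2001:db8::10
"""

RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|AAAA|MX|NS|CNAME)\s+(.+)$")
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def parse_zone(text):
    """Parse a simplified BIND zone file into (fqdn, type, rdata) tuples."""
    origin, records = ".", []
    for line in text.splitlines():
        line = line.split(";")[0].strip()          # strip comments and padding
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        m = RECORD_RE.match(line)
        if not m:
            continue                               # $TTL, SOA, blanks are skipped
        name, rtype, rdata = m.groups()
        fqdn = origin if name == "@" else f"{name}.{origin}"
        records.append((fqdn, rtype, rdata.strip()))
    return records

def audit_exposure(text):
    """Summarise what one successful zone transfer of this zone reveals."""
    records = parse_zone(text)
    hosts = sorted({n for n, t, _ in records if t in ("A", "AAAA", "CNAME")})
    mail_hosts = [r.split()[-1] for _, t, r in records if t == "MX"]
    internal = [(n, r) for n, t, r in records if t in ("A", "AAAA")
                and any(ipaddress.ip_address(r) in net for net in INTERNAL_NETS)]
    return {"hosts": hosts, "mail_hosts": mail_hosts, "internal": internal}

if __name__ == "__main__":
    report = audit_exposure(SAMPLE_ZONE)
    print(f"{len(report['hosts'])} hostnames, MX {report['mail_hosts']}")
    for name, addr in report["internal"]:
        print(f"  internal address leaked: {name} -> {addr}")
```

Any record flagged as internal is one that should not be in a zone served to the Internet; restricting zone transfers to known secondaries limits the rest.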