[Discuss] DNS question about DNSENUM.PL
Jerry Feldman
gaf at blu.org
Tue Mar 26 10:53:14 EDT 2013
For your local hostnames, you would need to set up a DNS server inside
of your VPN so those host names are only visible after someone has
established the VPN. While we do not do a VPN for BLU.org, we do have
separate zone files for each host.
On 03/26/2013 10:21 AM, Chris O'Connell wrote:
> Tom,
>
> Thanks for taking the time to explain all of that. What I've found is that
> most of the address I can find are A, MX . As a result, when I run a
> DNSENUM against my domain externally most A records that point to our IP
> addresses. Obviously I would like to hide these (especially ones like
> remote.blah.org and vpn.blah.org).
>
> The explanation about the file system is making sense... you can view the
> file if you can guess the name. My next question is, what's the mechanism
> that allows me to view the file if I guess the name? Followed by how do I
> control it? Is this tied by binding an internal DNS server on our local
> domain to the external DNS server?
>
> Thanks again everyone.
>
> Chris
>
>
> On Mon, Mar 25, 2013 at 6:24 PM, Tom Metro <tmetro+blu at gmail.com> wrote:
>
>> Chris O'Connell wrote:
>>> I've been using DNSENUM.PL via BackTrack to do some information
>> gathering
>>> on my work's network.
>> Never heard of it, but looks like Dnsenum is documented here:
>> http://code.google.com/p/dnsenum/
>> The purpose of Dnsenum is to gather as much information as possible
>> about a domain. The program currently performs the following
>> operations:
>>
>> 1) Get the host's addresse (A record).
>> 2) Get the namservers.
>> 3) Get the MX record.
>> 4) Perform axfr queries on nameservers and get BIND versions...
>> 5) Get extra names and subdomains via google scraping
>> (google query = "allinurl: -www site:domain").
>> 6) Brute force subdomains from file, can also perform recursion on
>> subdomain that have NS records.
>> 7) Calculate C class domain network ranges and perform whois queries
>> on them.
>> 8) Perform reverse lookups on netranges...
>> 9) Write to domain_ips.txt file ip-blocks.
>>
>>
>>> So, not all of my DNS sub domains show up in a simple scan.
>> (Lets set aside the "subdomain" terminology discussion. In my experience
>> the term is often used even for domains that aren't delegated, which is
>> likely a misuse of the term.)
>>
>> My guess would be that Dnsenum is getting its initial list by looking at
>> names returned as a side effect of other queries. While zone transfers
>> used to be readily accessible, as Rich said they've been largely
>> disabled for security reasons (and at one time to avoid security holes
>> in BIND). However, that restriction might be IP sensitive, and you might
>> be allowed to do a zone transfer from your own LAN's IP range. You can
>> try playing around with a tool like 'dig' to explore this further yourself.
>>
>> DNS is like a file system directory where you don't have permission to
>> list the directory contents, but if you know the file name you can
>> access the file contents. I'm assuming their brute force option simply
>> goes through a list of common names, looking to see if each exists.
>>
>> But as implied by items #1 through #3 above, DNS intentionally reveals
>> some information in order to make it useful.
>>
>> Disabling zone transfers is an attempts to hide the particulars within a
>> zone, but it is imperfect at best, as this information often leaks out
>> through other means (mail headers, for example). One possibility is to
>> scan through the range of IP addresses used by your target and do
>> reverse (PTR) queries on each IP (#8 above). Of course lots of DNS
>> entries lack corresponding PTR records, so that may not turn up much.
>>
>> The source for Dnsenum can be viewed here:
>> http://code.google.com/p/dnsenum/source/browse/trunk/dnsenum.pl?r=2
>>
>> and it looks like if you run it in verbose mode it'll tell you a bit
>> more about what queries it is performing.
>>
>> The best way to answer this question would be to obtain your zone file
>> from whoever maintains your DNS and look at how the records vary between
>> the ones that Dnsenum finds and the ones it can't.
>>
>> -Tom
>>
>> --
>> Tom Metro
>> Venture Logic, Newton, MA, USA
>> "Enterprise solutions through open source."
>> Professional Profile: http://tmetro.venturelogic.com/
>>
>
>
--
Jerry Feldman <gaf at blu.org>
Boston Linux and Unix
PGP key id:3BC1EB90
PGP Key fingerprint: 49E2 C52A FC5A A31F 8D66 C0AF 7CEA 30FC 3BC1 EB90
More information about the Discuss
mailing list