When we have one IP address, we may be able to use that IP address to acquire additional IP addresses that belong to the target of our testing. To do this, though, we will need to move a level up from DNS. From here, we'll take a look at using the whois program to get more details about our target.
Automating DNS recon
Using tools like host and nslookup will give us a lot of details, but getting those details a piece at a time can be time-consuming. Instead of using manual tools one at a time, we can use other programs that can get us blocks of information. One of the challenges with using any of these tools is that they often rely on the ability to do zone transfers. A zone transfer in DNS terms is just a download of all the records associated with a zone. A zone in the context of a name server is a collection of related information. In the case of the domain oreilly.com, it would probably be configured as a zone itself. In that zone would be all of the records that belonged to oreilly.com, such as the web server address, the email server, and other records.
Because initiating zone transfers can be an effective way to perform recon against a company, they are not commonly allowed. One reason they exist is for backup servers to request a zone transfer from the primary server in order to keep them synchronized. As a result, in most cases you won't be able to get a zone transfer unless your system has specifically been allowed to initiate a zone transfer and obtain that data.
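The check a defender wants here is whether their own authoritative name servers answer an AXFR request from an arbitrary client. The following script is an added example, not code from the book or from any of the tools it discusses; it builds the DNS wire-format query by hand with the standard library so the message layout is visible, classifies the first response message (refused, allowed, empty), and only touches the network when run from the command line with a server and zone of your own. The transaction ID 0x1234 is an arbitrary constructed value.

```python
"""Check whether a name server answers an unauthenticated zone transfer (AXFR).

Added example, not from the book: the DNS query is built by hand with the
standard library so the wire format is visible, and a server is only
contacted when the script is run from the command line.
"""
import socket
import struct
import sys

QTYPE_AXFR = 252     # RFC 1035 QTYPE for a full zone transfer
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(domain: str) -> bytes:
    """Encode "example.com" as the label sequence b"\\x07example\\x03com\\x00"."""
    out = b""
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(domain: str, txid: int = 0x1234) -> bytes:
    """Return the wire-format AXFR question for domain (no TCP length prefix)."""
    # Header: ID, flags all zero (standard query, RD off), QDCOUNT=1, rest 0
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    question = encode_name(domain) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return header + question


def parse_header(message: bytes) -> dict:
    """Pull the fields the audit needs out of the 12-byte DNS header."""
    if len(message) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


def classify(rcode: int, ancount: int) -> str:
    """Map a response to the verdict a defender wants to see."""
    if rcode == 0 and ancount > 0:
        return "allowed"          # records came back: the zone is transferable
    if rcode == 0:
        return "empty"            # NOERROR but no records in the first message
    return RCODE_NAMES.get(rcode, f"rcode{rcode}").lower()


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes (or fewer if the peer closes early)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def check_axfr(server: str, domain: str, timeout: float = 5.0) -> str:
    """Send one AXFR request over TCP and classify the first response message.

    A permitted transfer may span several messages; the first one is enough
    to tell "allowed" from "refused"."""
    query = build_axfr_query(domain)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)   # TCP length prefix
        prefix = _recv_exact(sock, 2)
        if len(prefix) < 2:
            return "no-response"
        (length,) = struct.unpack("!H", prefix)
        message = _recv_exact(sock, length)
    header = parse_header(message)
    return classify(header["rcode"], header["ancount"])


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: axfr_check.py <name-server> <zone>")
    print(check_axfr(sys.argv[1], sys.argv[2]))
```

A correctly configured server returns "refused" (or "notauth" if it is not authoritative for the zone); "allowed" means anyone can download the zone, which is the exposure the text describes. Run it against each authoritative server for the zone, not just the first one, since secondaries are often configured separately.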
Never fear, however. Although there are tools that expect to be able to do zone transfers, we can use other tools to get details about hosts. One of these is dnsrecon, which will not only try zone transfers but will also test hosts from word lists. To use word lists with dnsrecon, you provide a file filled with hostnames that would be prepended to the domain name specified. There are easy ones like www, mail, smtp, ftp, and others that may be specific to services. However, the word list provided with dnsrecon has over 1,900 names. Using this word list, dnsrecon can potentially turn up hosts that you might not think would exist.
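The word-list mode just described is simple enough to reproduce, and doing so shows a pitfall the text does not mention: a zone with a wildcard record answers every candidate name, so a naive run reports 1,900 "hosts". The script below is an added example, not dnsrecon's code; it prepends each word to the domain, probes a random label first to detect a wildcard, resolves the candidates in parallel, and drops answers that match the wildcard address. The word list, the example.com domain and the table_resolver helper (an offline stand-in for real DNS) are constructed for the demonstration.

```python
"""Resolve a word list of candidate hostnames under a domain, the way the
dnsrecon brute-force mode described above does, with a wildcard check first.

Added example, not dnsrecon's code. The word list below is constructed for
the demonstration; dnsrecon's own list has over 1,900 entries.
"""
import socket
import sys
import uuid
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample word list; a real run would read one from a file.
SAMPLE_WORDS = ["www", "mail", "smtp", "ftp", "vpn", "dev", "intranet"]

# hostname -> IPv4 string; raises OSError (socket.gaierror) when no such host
Resolver = Callable[[str], str]


def candidates(words: Iterable[str], domain: str) -> List[str]:
    """Prepend each word to the domain: "www" + "example.com" -> "www.example.com"."""
    domain = domain.strip(".").lower()
    seen = set()
    out = []
    for word in words:
        word = word.strip().lower()
        if word and word not in seen:
            seen.add(word)
            out.append(f"{word}.{domain}")
    return out


def detect_wildcard(domain: str, resolve: Resolver) -> Optional[str]:
    """Resolve a random label; an answer means the zone has a wildcard record
    and every candidate would appear to exist."""
    probe = f"{uuid.uuid4().hex[:16]}.{domain.strip('.')}"
    try:
        return resolve(probe)
    except OSError:
        return None


def enumerate_hosts(domain: str, words: Iterable[str],
                    resolve: Resolver = socket.gethostbyname,
                    workers: int = 16) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Return (wildcard_ip, [(hostname, ip), ...]) for candidates that resolve.

    Names answering with the wildcard address are dropped: they say nothing
    about real records in the zone."""
    wildcard = detect_wildcard(domain, resolve)
    names = candidates(words, domain)

    def lookup(name: str) -> Optional[Tuple[str, str]]:
        try:
            ip = resolve(name)
        except OSError:           # gaierror/herror: no such host
            return None
        if wildcard is not None and ip == wildcard:
            return None
        return (name, ip)

    with ThreadPoolExecutor(max_workers=workers) as pool:
        found = [hit for hit in pool.map(lookup, names) if hit is not None]
    return wildcard, sorted(found)


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Offline resolver backed by a constructed dict, for dry runs and tests."""
    def resolve(name: str) -> str:
        if name in table:
            return table[name]
        raise OSError(f"constructed NXDOMAIN for {name}")
    return resolve


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    wc, hosts = enumerate_hosts(target, SAMPLE_WORDS)
    if wc:
        print(f"wildcard DNS detected ({wc}); matching answers suppressed")
    for host, ip in hosts:
        print(f"{host:40} {ip}")
```

Run against your own domain, the output is the list of names your external DNS hands to anyone who asks; anything on it that should have lived only in the internal view of a split DNS setup is a finding in itself.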
This all assumes that your target has these hosts in their externally available DNS server. The great thing about DNS is that it's hierarchical but also essentially disconnected. Therefore, organizations can use something called split DNS. This means systems internal to the organization can be pointed at DNS servers that are authoritative for the domain. This would include hosts that the company doesn't want external parties to know about. Because the root servers don't know anything about these name servers, there is no way for external users to look up these hosts without going directly to the internal name servers, which would commonly not be reachable from outside the organization.
Having said all of that, you should not be deterred from using dnsrecon. There is still plenty of information to get. In Example 3-12, you can see partial results of running dnsrecon against a domain that I own that uses Google Apps for Business. In the out‐