
DNS

DNS is the phonebook of the internet.
It translates human-readable domain names to IP addresses and runs on port 53 using both UDP (queries) and TCP (zone transfers), with a hierarchical system of resolvers, root servers, TLD servers, and authoritative nameservers.

How DNS Resolution Works

Client -> Local Resolver -> Root Server -> TLD Server -> Authoritative -> Response

Each step is a cacheable lookup. If your local resolver already has the answer cached, it skips the upstream servers entirely.

DNS Record Types

  • A - IPv4 address mapping (example.com -> 1.2.3.4)
  • AAAA - IPv6 address mapping
  • MX - Mail exchange server (prioritized)
  • CNAME - Alias (www -> example.com)
  • TXT - Arbitrary text (SPF records, DKIM, verification codes)
  • NS - Nameserver delegation
  • SOA - Start of Authority (zone metadata)
  • SRV - Service locations
  • PTR - Reverse lookup (IP -> hostname)

DNS Security

DNS Spoofing / Cache Poisoning

  • Injecting fake DNS records into a resolver's cache
  • Redirects legitimate traffic to attacker-controlled hosts
  • Mitigation: DNSSEC (signed DNS records), so a validating resolver can reject forged answers

DNS Tunneling

  • Encapsulating non-DNS traffic in DNS queries
  • Effective because DNS is often allowed through firewalls
  • Common for C2 communication and data exfiltration
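As a defender-side illustration of the tunneling indicators described above, this added example (not code from the original page) scores resolver query logs for long, high-entropy subdomains and payload-friendly record types, then reports registered domains with several such queries. The log lines are constructed, the registered domain is approximated as the last two labels (no Public Suffix List), and the thresholds are assumptions.

```python
import math
from collections import defaultdict
# Constructed resolver log (made up for this example): "<client> <qname> <qtype>" per line.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.9 a8f3k2j9x1q7z4m6b2v8n3c5h0r6t1w9.d91k3ls0qp2zx.tunnel.example TXT
10.0.0.9 9qj2k8x7m3n1b5v4c6z0l2p8e4y7u1o3.s72mx9qa1lz.tunnel.example TXT
10.0.0.9 z1x2c3v4b5n6m7a8s9d0f1g2h3j4k5l6.p0o9i8u7y6t5.tunnel.example TXT
10.0.0.5 cdn.example.com A
"""
TUNNEL_QTYPES = {"TXT", "NULL"}  # record types that carry the most payload per answer

def split_name(qname, depth=2):
    """(registered domain, subdomain part). Assumption: the registered domain is the
    last `depth` labels; production code would consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:]), ".".join(labels[:-depth])

def shannon_entropy(text):
    """Bits per character; encoded payload in labels typically scores above 3.5."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(k / n * math.log2(k / n) for k in (text.count(c) for c in set(text)))

def score_query(qname, qtype, max_sub_len=40, entropy_limit=3.5):
    """Indicators a single query triggers: subdomain length, randomness, record type."""
    _, sub = split_name(qname)
    reasons = []
    if len(sub) > max_sub_len:
        reasons.append("long-subdomain")
    if shannon_entropy(sub.replace(".", "")) > entropy_limit:
        reasons.append("high-entropy")
    if qtype.upper() in TUNNEL_QTYPES:
        reasons.append("tunnel-qtype")
    return reasons

def analyze(log_text, min_suspicious=3):
    """Per registered domain: query count, distinct subdomains, suspicious queries; only
    domains with >= min_suspicious flagged queries are reported, not busy ordinary zones."""
    stats = defaultdict(lambda: {"queries": 0, "unique_subs": set(), "suspicious": 0})
    for line in log_text.splitlines():
        _client, qname, qtype = line.split()
        base, sub = split_name(qname)
        stats[base]["queries"] += 1
        stats[base]["unique_subs"].add(sub)
        stats[base]["suspicious"] += bool(score_query(qname, qtype))
    return {b: {**s, "unique_subs": len(s["unique_subs"])}
            for b, s in stats.items() if s["suspicious"] >= min_suspicious}
```

Running `analyze(SAMPLE_LOG)` reports only tunnel.example; the three example.com lookups trigger no indicator even though that zone also has three distinct subdomains.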

DNS Enumeration

# Basic lookup
dig example.com A
dig example.com MX
dig example.com ANY   # many servers now return a minimal answer for ANY (RFC 8482)

# Zone transfer (rarely works but worth trying)
dig @ns1.example.com example.com AXFR

# Brute force subdomains (read the wordlist line by line instead of word-splitting cat output)
while read -r sub; do
  host "$sub.example.com" | grep "has address"
done < subdomains.txt

# Reverse DNS lookup
dig -x 8.8.8.8

# Check which nameservers are authoritative for the zone
dig example.com NS

# DNSSEC: fetch the zone's signing keys, then request a signed answer
dig example.com DNSKEY
dig +dnssec example.com A   # RRSIG records in the answer; the "ad" flag means the resolver validated it

Common DNS Attacks

  • NXDOMAIN Attack - Flood with queries for nonexistent domains to fill the resolver's cache with negative entries
  • Phantom Domain Attack - Point queries at slow or unresponsive nameservers, causing resolver resource exhaustion
  • Random Subdomain Attack - Thousands of queries for unique subdomains sent to a resolver, exhausting upstream (authoritative) resources
  • DNS Amplification - Small spoofed queries generate large responses aimed at a victim (DNS reflection DDoS)

Key Ports

53/UDP    # Standard DNS queries
53/TCP    # Zone transfers, large responses (truncated UDP answers are retried over TCP)
853/TCP   # DNS over TLS (DoT)
443/TCP   # DNS over HTTPS (DoH)

DoH and DoT encrypt DNS queries, preventing your ISP or other network observers from seeing which domains you resolve. Attackers also use DoH to hide C2 traffic.