Vulhub vulnerability reproduction: DNS zone transfer

I am Ah Feng, a beginner working hard to learn, a newbie who has just stepped through the door into security. I hope to summarize what I have learned and share it on this blog, so that we can make progress, exchange ideas, and learn together.

Preface:

Two platforms with nearly identical names but different kinds of target environments, and the difference between them: VulnHub (vulnhub.com) distributes whole vulnerable virtual-machine images that you download and boot, while Vulhub (vulhub.org, used in this post) distributes Docker Compose environments, one directory per vulnerability, that you bring up with docker-compose.


DNS zone transfer vulnerability

  • What is DNS

DNS is a distributed network directory service. It is used mainly to translate between domain names and IP addresses, and also, through MX records, to decide where Internet e-mail for a domain is delivered. It acts as a distributed database in which domain names and IP addresses are mapped to each other, which makes accessing the Internet much easier. DNS uses port 53 over both UDP and TCP: ordinary lookups normally go over UDP, while zone transfers (the subject of this post) always run over TCP.

  • Vulnerability hazards:

Information disclosure
Exposure of subdomains and of the organization's asset list
Exposure of internal network IP addresses

  • Vulnerability principle:

DNS servers come in three roles: the primary (master) server, secondary (backup/slave) servers, and caching servers. A secondary keeps its copy of the zone in sync by performing a "zone transfer": it copies the zone data from the primary and updates its own database, which provides redundancy, so that if the primary goes down the secondary can still answer queries. The DNS zone transfer vulnerability is a configuration error. Only the designated secondaries should be allowed to pull zone data from the primary, but when the server is configured (or left at defaults) so that any client may request a zone transfer (an AXFR query), anyone who asks receives the whole zone database. An attacker thus obtains every record of the domain, and with it a map of the hosts behind it, often exposing the internal network topology. The fix is to restrict transfers to the secondaries' addresses (in BIND, `allow-transfer { <secondary IPs>; };`, or `allow-transfer { none; };` on a server that has no secondaries) and, ideally, to authenticate them with TSIG keys.

  • Record types
1. A record: domain name -> IPv4 address
1.1 Wildcard record: every name under *.lsawebtest.top resolves to the same IP
2. CNAME (alias) record: several names mapped to the same machine; for example the aliases www and mail both point to lsawebtest.top and provide the www and mail services respectively.
3. NS record: specifies which DNS server is authoritative for your domain, e.g. lsawebtest.top/ns2.lsawebtest.top
4. MX record: directs e-mail addressed to that domain to the corresponding mail server, e.g. mail ending in @lsawebtest.top is delivered to the mail server named in the MX record; the record with the smaller preference value is tried first.
5. TXT record: free-text description of the domain, used for SPF (which tells the receiving side which mail servers are authorized to send mail for the domain) and for domain ownership verification.
6. AAAA record: domain name -> IPv6 address.

  • Vulhub reproduction:

First enter the environment directory

cd vulhub/dns/dns-zone-transfer

If that path is not found, prefix it with the directory you cloned vulhub into, for example under root

cd /root/vulhub/dns/dns-zone-transfer

Build the target environment: docker-compose build
Start the target environment: docker-compose up -d
If either command errors out, check that the Docker daemon is running and that docker-compose is installed before going further.
(Screenshot of the running environment omitted.)

The environment serves the zone vulhub.org, as described on the official environment page. A normal query such as

dig @your-ip www.vulhub.org

asks the lab DNS server for the A record of www.vulhub.org (replace your-ip with the address of the host running the container).

Now send a zone transfer request, i.e. a query of type AXFR:

dig @your-ip -t axfr vulhub.org

AXFR is a request to transfer every record in the zone. No trickery is needed: simply send the AXFR request to the DNS server, and if it is misconfigured it returns the complete zone, every resolution record it holds, to any client that asks. A correctly configured server answers "; Transfer failed." instead. Note that AXFR runs over TCP port 53, so a firewall that opens only UDP 53 blocks the transfer even when the server itself would allow it.
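The check described in the principle section and carried out by hand in the steps above, as an added example that is not part of the Vulhub environment or of the original post: a shell script that sends the AXFR request either to the lab server (your-ip) or to every NS of a real zone, and decides from dig's output whether the zone leaked. It assumes `dig` (bind-utils / dnsutils) is installed; vulhub.org and your-ip are the page's own placeholders, and the record names in the comments are illustrative, not captured from the lab.

```shell
#!/usr/bin/env bash
# check_axfr.sh - test whether a zone's name servers allow zone transfers (AXFR).
# Added example, not part of the Vulhub environment. Assumes `dig` is installed.
set -u

# record_lines: keep only resource-record lines from dig output on stdin
# (drop comment lines starting with ';' and blank lines).
record_lines() {
    grep -v '^[[:space:]]*;' | grep -v '^[[:space:]]*$'
}

# axfr_succeeded: read `dig -t axfr` output on stdin; exit 0 if the server handed over
# resource records, 1 if it refused. A refusal shows up in dig output as "; Transfer failed.".
axfr_succeeded() {
    out="$(cat)"
    if printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        return 1
    fi
    # a real transfer has at least one record line with a class field of IN
    printf '%s\n' "$out" | record_lines | grep -Eq '[[:space:]]IN[[:space:]]'
}

# count_records: number of resource records in dig AXFR output on stdin.
# A full transfer is framed by the SOA record at the start and again at the end,
# so both SOA lines are counted.
count_records() {
    record_lines | grep -Ec '[[:space:]]IN[[:space:]]' || true
}

# zone_transfer_check ZONE [SERVER]
#   With SERVER (e.g. the Vulhub host), try AXFR against that server only.
#   Without it, look up the zone's NS records and try every authoritative server,
#   because a single misconfigured secondary is enough to leak the whole zone.
# Returns 0 if at least one server allowed the transfer (i.e. the zone is exposed).
zone_transfer_check() {
    zone="$1"
    server="${2:-}"
    if [ -n "$server" ]; then
        servers="$server"
    else
        servers="$(dig +short NS "$zone" | sed 's/\.$//')"
    fi
    rc=1
    for ns in $servers; do
        # AXFR uses TCP 53; +time/+tries keep an unreachable server from stalling the scan
        out="$(dig @"$ns" -t axfr "$zone" +time=5 +tries=1 2>&1)"
        if printf '%s\n' "$out" | axfr_succeeded; then
            n="$(printf '%s\n' "$out" | count_records)"
            echo "[VULNERABLE] $ns allows AXFR for $zone ($n records)"
            printf '%s\n' "$out" | record_lines
            rc=0
        else
            echo "[ok] $ns refused AXFR for $zone"
        fi
    done
    return $rc
}

# Usage: ./check_axfr.sh vulhub.org your-ip    (Vulhub lab: query the container host)
#        ./check_axfr.sh example.com           (real zone: try every NS it publishes)
if [ -n "${1:-}" ]; then
    zone_transfer_check "$1" "${2:-}"
fi
```

The exit status of zone_transfer_check makes the script usable from a larger recon pipeline: 0 means at least one server gave up the zone. Only test zones you are authorized to assess; against a real target, an AXFR attempt is logged by most authoritative servers.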

Finally, do not forget to shut down the vulnerable environment when you are done

docker-compose down

Reference:
https://www.lsablog.com/networksec/awd/dns-zone-transfer/
https://vulhub.org/#/environments/dns/dns-zone-transfer/
https://www.jianshu.com/p/d2af08e6f8fb


Origin blog.csdn.net/weixin_41598660/article/details/104043125