OSINT: DNS Module Type: Basic Method Module Number: 0x06


1 OSINT: DNS
Module Type: Basic Method
Module Number: 0x06
Last Updated:
Author: Hermit

2 Topics
What is OSINT?
What is DNS?
What Can We Learn From DNS?
Zone Transfers
Mail Server Enumeration
Points of Contact
Subnets
Third Party Providers
Security Posture

3 What is OSINT?
Open Source Intelligence = OSINT
Information from public sources
Often involves directly connecting to a target
Analysis of publicly available data

4 What is DNS?
Domain Name System = DNS
Simple lookup mechanism for public records
Commonly, a human-memorable name to an IP address
Both generic (TXT) and specific (MX, A, NS, SOA) records
Both IPv4 (A) and IPv6 (AAAA) records
Hierarchical system in a tree structure

5 What Are DNS Record Types?
A = Address mapping (name -> IPv4)
AAAA = Address mapping (name -> IPv6)
CNAME = Canonical Name (alias)
DNAME = Subtree lookup
MX = Mail server
NS = Name server (DNS resolution)
SOA = Start of Authority (top level domain information)
SRV = Generic service record (e.g. instead of MX)
TXT = Generic text record (e.g. SPF, DKIM, DMARC, etc.)
HINFO = Host information (CPU, OS, etc.), but not commonly available
CAA = CA Authorization (CAs for a domain)
IPSECKEY = An IPsec key
PTR = Address mapping (reverse lookups)
DNSSIG = DNSSEC signature
NSEC/NSEC3 = DNSSEC non-existence

6 What Can We Learn From DNS?
Internal server names
Security posture
Deployed services
Points of contact
Third party service providers
Tools present
Infrastructure maturity
Infrastructure layout (IP addresses, network schema, etc.)
Mail servers

7 Zone Transfers
A zone transfer allows for replication of an entire DNS zone. We like this because full replication lets us see "hidden" names that would not typically be guessed (e.g. X41KALCN081KS.HIDDENS.EXAMPLE.COM) but which are publicly resolvable. Unfortunately for pentesters, it is normally disabled by default, and seldom found.

8 A Quick Note About dig
You might want to script things, or just avoid all the extra output each time you run a command. The dig tool allows you to modify its output using "+" options. For instance, adding "+noall" to the end of a command drops everything except the global options line, and adding "+answer" includes the DNS response. Combine the two for cleaner output, e.g. "+noall +answer". Those trailing options have been left out of the following slides for brevity.

9 Zone Transfers: Try It!
Using dig (the slide's commands lacked the axfr query type and the server to ask; a plain "dig {DOMAIN}" only returns an A record):
dig axfr {DOMAIN} @{DNS_SERVER}
dig axfr zonetransfer.me @{DNS_SERVER}
Using nslookup:
nslookup
> server {DNS_SERVER}
> set type=any
> ls -d {DOMAIN}

10 Mail Service Enumeration: Try It!
Using dig:
dig {DOMAIN} MX
dig {DOMAIN} TXT
Using nslookup:
nslookup
> set type=mx
> {DOMAIN}
> set type=txt
> {DOMAIN}

11 Points of Contact: Try It!
Using dig:
dig {DOMAIN} SOA
Using nslookup:
nslookup
> set type=soa
> {DOMAIN}

12 Subnet Enumeration: Try It!
Using nmap:
nmap --script dns-brute {DOMAIN}
nmap --script dns-brute --script-args dns-brute.domain={DOMAIN},\
dns-brute.threads={#},dns-brute.hostlist={FILE}
Using dnsrecon:
dnsrecon -d {DOMAIN} -D {FILE} -f -t std
dnsrecon -d {DOMAIN} -D /usr/share/wordlists/dirb/small.txt -f -t std
Using theharvester:
theharvester -d {DOMAIN} -b all -n -c -t

13 Third Party Providers/Services
Looking through results we'll often see indicators of third parties, for example in MX records:
MS O365 has "mail.protection.outlook.com"
Symantec Security.Cloud has "cluster_.__.messagelabs.com"
Google App Suite has "aspmx._.google.com"
ProofPoint has "mx_-________.gslb.pphosted.com"
Or we'll see indicators in TXT records:
Adobe: adobe-idp-site-verification
Or we'll see indicators in CNAME records:
Look for resolutions to external network names
Look for non-standard IP address ranges

14 Security Posture
Just like third party providers, we can learn about security posture through DNS records, e.g.:
Look for TXT records that contain SPF/DKIM/DMARC records
Look for DNS brute-forcing results that contain common tool names:
epo.{DOMAIN}
paloalto.{DOMAIN}
siem.{DOMAIN}
etc.
Look for IPSECKEY, DNSSIG, NSEC/NSEC3 records
Be creative!
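Slides 13 and 14 describe reading provider and posture indicators out of DNS records by eye. The following is an added example, not part of the slides: it parses constructed `dig +noall +answer` output and flags the MX/TXT third-party fingerprints named on slide 13, SPF and DMARC presence, the SOA contact mailbox, and CNAMEs that point outside the zone. The provider suffix table and the sample records are assumptions modelled on the slide's examples, not real data.

```python
import re

# Constructed sample in `dig +noall +answer` format (not real data): MX, TXT, SOA, CNAME.
SAMPLE_ANSWER = """\
example.com.        3600 IN MX    0 example-com.mail.protection.outlook.com.
example.com.        3600 IN TXT   "v=spf1 include:spf.protection.outlook.com -all"
example.com.        3600 IN TXT   "adobe-idp-site-verification=0123abcd"
_dmarc.example.com. 3600 IN TXT   "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
example.com.        3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 86400
www.example.com.    300  IN CNAME example-com.cdn.example-cdn.net.
"""

# Third-party fingerprints from the slides (assumed suffixes): MX target suffix, TXT value prefix.
MX_PROVIDERS = {
    "mail.protection.outlook.com": "Microsoft 365",
    "messagelabs.com": "Symantec Security.Cloud",
    "google.com": "Google Workspace",
    "gslb.pphosted.com": "Proofpoint",
}
TXT_PROVIDERS = {"adobe-idp-site-verification": "Adobe"}

def parse_answer(text):
    """Turn `dig +noall +answer` lines (owner ttl class type rdata) into tuples."""
    rows = (line.split(None, 4) for line in text.splitlines())
    return [(p[0].lower().rstrip("."), p[3].upper(), p[4].strip())
            for p in rows if len(p) == 5 and p[2] == "IN"]

def analyse(zone, records):
    """Summarise third-party providers and posture indicators visible in one zone."""
    out = {"providers": set(), "spf": False, "dmarc_policy": None, "soa_contact": None, "external_cnames": []}
    for owner, rtype, rdata in records:
        if rtype == "MX":
            target = rdata.split()[-1].rstrip(".").lower()
            out["providers"].update(v for s, v in MX_PROVIDERS.items() if target.endswith(s))
        elif rtype == "TXT":
            value = "".join(re.findall(r'"([^"]*)"', rdata))  # dig splits long TXT into chunks
            out["spf"] = out["spf"] or value.startswith("v=spf1")
            if owner == "_dmarc." + zone and value.startswith("v=DMARC1"):
                m = re.search(r"\bp=(\w+)", value)
                out["dmarc_policy"] = m.group(1) if m else "missing"
            out["providers"].update(v for k, v in TXT_PROVIDERS.items() if value.startswith(k))
        elif rtype == "SOA":
            # RNAME is the admin mailbox with its "@" written as the first "." (RFC 1035)
            out["soa_contact"] = rdata.split()[1].rstrip(".").replace(".", "@", 1)
        elif rtype == "CNAME":
            target = rdata.rstrip(".").lower()
            if target != zone and not target.endswith("." + zone):
                out["external_cnames"].append((owner, target))
    return out
```

Run against the output of `dig {DOMAIN} ANY +noall +answer` (or the MX/TXT/SOA queries from slides 10 and 11 concatenated) to get the same summary for a domain you are authorised to assess.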

15 Additional Resources
DNS RFCs:
RFC 1035
RFC 1101
RFC 4025
