Post

DNS Foundations & Safe Footprinting

Posted
By Fábio Ferreira
4 min read
DNS Foundations & Safe Footprinting

Why DNS Matters

DNS is the Internet’s naming and discovery layer. It converts human‑friendly names into IP addresses and service metadata so clients can locate web apps, mail servers, and other infrastructure. DNS has no central database, it is distributed across thousands of name servers and works like a globally replicated “phone book.”

Core DNS Server Roles

  • Root servers: The final referral point for top‑level domains (TLDs).
  • Authoritative name servers: Hold authority for a zone and provide binding answers.
  • Non‑authoritative name servers: Collect information through recursive or iterative queries.
  • Caching servers: Store responses for a defined TTL to speed up future lookups.
  • Forwarding servers: Forward DNS queries to another resolver.
  • Resolvers: Perform name resolution locally (on the client or router).

How Resolution Works (High‑Level)

  1. A client or local resolver asks for a name.
  2. If the response is cached, it is returned immediately.
  3. Otherwise, the resolver queries root and authoritative servers iteratively.
  4. The authoritative server returns the record set or a negative response.
  5. The resolver caches the result based on TTL and replies to the client.

Common DNS Record Types

Record Purpose
A Maps a name to an IPv4 address
AAAA Maps a name to an IPv6 address
MX Lists mail servers for a domain
NS Identifies authoritative name servers
TXT Stores text data (SPF, verification, policy hints)
CNAME Alias to another hostname
PTR Reverse lookup (IP → name)
SOA Start of Authority for a zone
SRV Service discovery for specific protocols (host + port)

The SOA record defines the zone’s authority and timing parameters (refresh, retry, expire, minimum TTL). It also includes the administrative contact (email format with dots replaced by an at sign).

TTLs, Caching, and Negative Answers

DNS performance depends on caching. Each record includes a TTL (time‑to‑live) that controls how long a resolver may store it. Short TTLs improve change agility but increase query load. Long TTLs reduce load but slow propagation. Negative responses (like NXDOMAIN) are cached using SOA timing values.

Configuration and Zone Files

DNS servers typically rely on three configuration types:

  1. Local DNS configuration files
  2. Zone files
  3. Reverse lookup files

On Linux, Bind9 is common. Its main configuration file (named.conf) is split into global and zone‑specific options, often organized as:

  • named.conf.local
  • named.conf.options
  • named.conf.log

Zone Files

Zone files describe a DNS zone using the BIND format. A valid zone file includes exactly one SOA record and at least one NS record. Syntax errors can invalidate the entire zone and lead to SERVFAIL responses.

Zones are typically:

  • Forward zones (name → IP)
  • Reverse zones (IP → name via PTR)

The SOA serial number ensures synchronization between primary and secondary servers.

Reverse DNS (PTR)

Reverse lookups map IP addresses to hostnames using PTR records in the in‑addr.arpa (IPv4) or ip6.arpa (IPv6) namespace. Reverse DNS is essential for many mail systems and is a frequent source of inconsistency if forward and reverse zones are not synchronized.

Dangerous Settings to Watch

Misconfigurations often arise when administrators prioritize functionality over security. Common risky options include:

  • allow‑query: Overly broad queries expose internal information.
  • allow‑recursion: Open recursion can enable abuse and amplification.
  • allow‑transfer: Unrestricted zone transfers leak entire zone contents.
  • zone‑statistics: Exposes operational details on public interfaces.

These issues can disclose internal hostnames, IPs, and service topology.

Footprinting the Service (Safely)

Footprinting focuses on information a DNS server is willing to disclose. Typical, responsible checks include:

  • NS queries to identify known name servers
  • SOA queries for zone authority and timing values
  • ANY queries (where permitted) to review exposed records
  • AXFR zone transfers only if explicitly authorized

Some servers also respond to CHAOS TXT queries for version info (if enabled). When in scope, subdomain discovery can be done with curated wordlists and rate‑limited queries.

Common DNS Tools and Commands

DNS Command Description
dig ns <domain.tld> @<nameserver> NS request to the specific nameserver
dig any <domain.tld> @<nameserver> ANY request to the specific nameserver
dig axfr <domain.tld> @<nameserver> AXFR request to the specific nameserver
dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld> Subdomain brute forcing

Operational Best Practices

  • Limit recursion to trusted clients.
  • Restrict zone transfers to known secondaries.
  • Monitor query volume and suspicious NXDOMAIN rates.
  • Keep forward and reverse zones synchronized.
  • Validate zone files before deployment and track serial changes.

Practical Takeaways

  • DNS is both a naming system and a metadata source so treat it as sensitive.
  • Misconfigurations often leak more than intended, lock down recursion and transfers.
  • Document DNS changes and verify zone integrity after edits.
  • Enumeration should remain scoped, authorized, and rate‑limited.

This post provides a foundational, security‑focused overview of DNS, with emphasis on correct configuration and responsible enumeration.

Cybersecurity
DNS networking security enumeration
This post is licensed under CC BY-NC-ND 4.0 by the author.