Synopsis:
The recent DDoS drama with Dyn has had me reading up on Domain Name Systems (DNS). Time and time again, bad guys have proved that one of the best ways to execute a successful Distributed Denial of Service (DDoS) is to hit DNS servers.
As a pentester, name servers do come up a lot during assessments, especially during the reconnaissance phases. We still come across a few public name servers allowing zone transfers every now and then, which is always a treat, but I hardly ever look at DNS servers as an actual target. I still haven’t come across a client that’s actually willing to pay anyone to bring their services down.
The DDoS against Dyn was particularly troublesome because Dyn is a major DNS provider and the attacks caused serious outages to a number of popular sites; Twitter, Paypal, Reddit, Github, Spotify and more.
Which got me thinking; if I was a bad guy doing my recon, looking for the best name servers to hit, how would I go about it? Which name servers would I pick? Querying a domain for the name server(s) it uses is pretty straight forward, but if the name server was my target and a denial of service was my goal, I’d want to find out the opposite; how many domain names are using the target name server?
Source: https://thevivi.net/2016/11/17/dnsnitch-reverse-ns-lookups-zone-transfers/
GitHub Repository: https://github.com/V1V1/DNSnitch
Bonus: axfr.py - https://github.com/V1V1/axfr.py (script that takes a list of domains as input and attempts zone transfers on all of them against a specified name server)