- These techniques can reveal your interest in the target organization to anyone in your network path, so consider using a VPN or Tor when conducting searches.
- When performing "active enumeration" it is always good to ask the organization to whitelist your IPs for the duration of the assessment. This prevents your scanning hosts from being shunned (blocked) part-way through, which would otherwise leave the question of whether the blocking could be evaded rather than what actually exists. Whitelisting your IPs also removes false positive reports and inaccurate results caused by blocking.
- It is important to verify that we have the correct target domain(s) before proceeding with any of the scans, audits or assessment exercises within the SAFETAG Framework. The last thing we want is to scan and enumerate a target that is out of scope!
Having multiple options for performing DNS enumeration is key to a successful enumeration. As a practice, comparing results from different tools helps ensure that the information we gather is accurate.
A note on DDoS Protection Services

Your investigation may be blocked by DDoS protection services which operate at the DNS level, such as Deflect or CloudFlare. "CloudFlair" provides some options in this case, as does tracking DNS and IP history to see if only the DNS records changed.

One way to identify whether a website is using a DDoS protection service is to investigate its DNS records. Since the organizations we work with may not have enough funding to subscribe to a DDoS mitigation service, you will often find them not using DDoS protection.
Look for name servers (NS records) or A/CNAME records that point to a third-party CDN or DDoS protection service, such as the following examples:

- brianna.ns.cloudflare.com (Cloudflare)
- toby.ns.cloudflare.com (Cloudflare)
- 4k9o.x.incapdns.net (Incapsula)
- e3396.dscx.akamaiedge.net (Akamai)

If these appear in your results, there is a high probability that your target is behind a DDoS protection service.
DNS Enumeration Tools:

| Tool | Description | Type | Mode |
|------|-------------|------|------|
| Robtex | Gathers public information about IP numbers, domain names, host names, autonomous systems, routes etc., then indexes the data in a big database and provides free access to that data | Online | Passive |
| DNSdumpster | Free domain research tool that can discover hosts related to a domain; results include banners for HTTP, FTP, SSH and Telnet | Online | Passive |
| CentralOps - Domain Dossier | Investigates domains and IP addresses. Gathers registrant information, DNS records, network and domain Whois records, service scans and traceroutes | Online | Passive |
| DNSSEC Analyzer | Checks DNSSEC key management and configuration records | Online | Passive |
| Recon-ng | Automated web reconnaissance framework written in Python. Complete with independent modules, database interaction, built-in convenience functions, interactive help and command completion | Script | Active |
| IntoDNS | Checks the health and configuration of your DNS and also reports on MX records. Provides suggestions to fix and improve findings | Online | Passive |
| YougetSignal | Helps you find other sites hosted on a particular IP address, verifying whether the target is using a shared hosting service | Online | Passive |
| DNSRecon | A Python script written by Carlos Perez for conducting DNS reconnaissance. It can enumerate general DNS records, perform zone transfers, perform reverse lookups, and brute-force subdomains among other functions. It will even perform Google scanning, automating the process we discussed in the Using Google to find subdomains section | Script | Active |
| DNSenum | Multithreaded Perl script to enumerate DNS information of a domain and to discover non-contiguous IP blocks | Script | Active |
DNS is inherently public information, but there are still many steps we can take to secure the parts of it that reveal more private information. Fortinet provides a set of good recommendations:
If the site is not protected from DDoS attacks, there are multiple resources which provide not only DDoS protection but additional security against attacks, such as:
If a zone transfer was successful (most providers automatically limit anonymous zone transfers), you will need to work with the provider's support team to prevent this, or switch to a different DNS provider. If your organization maintains its own DNS servers, the administrator of those servers should check the zone transfer policies to prevent anonymous transfers.
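The two DNS checks described above (spotting a third-party DDoS protection provider in NS/CNAME records, and confirming whether a zone transfer was refused) can be automated over saved dig(1) output. This is an added example, not part of the SAFETAG text or tooling; the provider suffix list and all sample output are constructed for illustration.

```python
"""Classify saved dig(1) output gathered during DNS enumeration (added example)."""
import re

# Hostname suffixes of the providers named in the examples above.
# Assumption: this short list is illustrative, not exhaustive.
PROVIDER_SUFFIXES = {
    ".ns.cloudflare.com": "Cloudflare",
    ".incapdns.net": "Incapsula",
    ".akamaiedge.net": "Akamai",
}

# Matches resource-record lines: "<owner> <ttl> IN <type> <rdata ...>".
# Comment lines (";; ANSWER SECTION:") have no numeric TTL and are skipped.
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|CNAME|A|SOA)\s+(\S+)", re.M)


def parse_records(dig_output: str) -> list:
    """Return (owner, rrtype, rdata) triples, normalized to lowercase without trailing dots."""
    return [(o.rstrip(".").lower(), t, d.rstrip(".").lower())
            for o, t, d in RR_RE.findall(dig_output)]


def ddos_providers(dig_output: str) -> set:
    """Providers referenced by NS or CNAME targets (A records carry only IPs, so
    they cannot be matched by hostname)."""
    found = set()
    for _owner, rrtype, rdata in parse_records(dig_output):
        if rrtype in ("NS", "CNAME"):
            for suffix, name in PROVIDER_SUFFIXES.items():
                if rdata.endswith(suffix):
                    found.add(name)
    return found


def axfr_succeeded(dig_output: str) -> bool:
    """A completed AXFR is a full zone: SOA first and last with records between.
    dig prints 'Transfer failed.' when the server refuses the request."""
    if "Transfer failed." in dig_output:
        return False
    recs = parse_records(dig_output)
    return len(recs) >= 2 and recs[0][1] == "SOA" and recs[-1][1] == "SOA"


# Constructed sample output (not captured from any real target).
NS_SAMPLE = """
;; ANSWER SECTION:
example.org.        3600    IN  NS  brianna.ns.cloudflare.com.
example.org.        3600    IN  NS  toby.ns.cloudflare.com.
"""
AXFR_REFUSED = "; <<>> DiG 9.18.1 <<>> @ns1.example.org example.org AXFR\n; Transfer failed.\n"
AXFR_OK = """
example.org.     3600 IN SOA ns1.example.org. hostmaster.example.org. 2024010101 7200 3600 1209600 3600
example.org.     3600 IN NS  ns1.example.org.
www.example.org. 300  IN A   192.0.2.10
example.org.     3600 IN SOA ns1.example.org. hostmaster.example.org. 2024010101 7200 3600 1209600 3600
"""
```

Run `dig NS <domain>` and `dig @<nameserver> <domain> AXFR`, save the output, and feed it to `ddos_providers()` and `axfr_succeeded()`; a successful transfer is the finding to report to the provider or administrator as described above.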