
Backtrack 4: Information Gathering: DNS: Dnstracer – Trace a chain of DNS servers to the source

This is the second of my articles on the DNS section of Backtrack 4. While it isn't as exciting as popping a box with the newest 0-day, passive information gathering is one of the most crucial steps of a successful pentest. Today we are going to look at Dnstracer.

Dnstracer determines where a given Domain Name Server (DNS) gets its information from, and follows the chain of DNS servers back to the servers which know the data. The tool works by sending the specified name server a non-recursive request for the name. If the name server returns an authoritative answer for the name, the next server is queried. If it returns a non-authoritative answer for the name, the name servers in the authority records will be queried. The program stops once all name servers have been queried.

Notes from the man page:
1. Make sure the server you're querying doesn't do forwarding towards other servers, as dnstracer is not able to detect this for you.
2. It detects so-called lame servers, which are name servers which have been told to have information about a certain domain, but don't have this information.
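To make the chase described above concrete, here is a small offline simulation I wrote for this article; it is not dnstracer's code. It runs over a constructed, hypothetical server graph (resolver.test, a.root.test, ns1.tld.test, the ns*.example.test hosts and the 192.0.2.10 address are all made up) and applies the same rule: a non-recursive query, stop the branch on an authoritative answer, follow the authority records otherwise. A server that is delegated to but holds neither the data nor a further referral is reported as lame, and a server that never responds is reported separately; the loop guard that asks each server only once is my addition.

```python
from dataclasses import dataclass, field


@dataclass
class Answer:
    """What a name server returns to a non-recursive query (simulated)."""
    authoritative: bool
    records: list = field(default_factory=list)    # answer section, e.g. addresses
    referrals: list = field(default_factory=list)  # NS names from the authority section


# Constructed, hypothetical server graph for the name www.example.test:
# server name -> {qname -> Answer}. None of these hosts or addresses are real.
ZONES = {
    "resolver.test":    {"www.example.test": Answer(False, referrals=["a.root.test"])},
    "a.root.test":      {"www.example.test": Answer(False, referrals=["ns1.tld.test"])},
    "ns1.tld.test":     {"www.example.test": Answer(False, referrals=[
                            "ns1.example.test", "ns2.example.test", "ns3.example.test"])},
    "ns1.example.test": {"www.example.test": Answer(True, records=["192.0.2.10"])},
    "ns2.example.test": {},   # delegated to, but holds nothing for the name: lame
    # ns3.example.test is delegated to but does not exist here: no response
}


def query(server, qname):
    """Simulated non-recursive query: the server answers only from what it
    holds itself and never asks another server on our behalf."""
    zone = ZONES.get(server)
    if zone is None:
        return None                          # no response at all
    return zone.get(qname, Answer(False))    # empty, non-authoritative reply


def trace(server, qname, seen=None, depth=0, lines=None):
    """Walk the chain the way dnstracer does, depth-first: stop a branch on an
    authoritative answer, follow the authority records otherwise.
    Returns (depth, server, status, data) tuples in query order."""
    if seen is None:
        seen = set()
    if lines is None:
        lines = []
    if server in seen:          # loop guard (my addition): each server is asked once
        return lines
    seen.add(server)
    ans = query(server, qname)
    if ans is None:
        lines.append((depth, server, "no response", []))
    elif ans.authoritative:
        lines.append((depth, server, "authoritative", list(ans.records)))
    elif ans.referrals:
        lines.append((depth, server, "referral", list(ans.referrals)))
        for ns in ans.referrals:
            trace(ns, qname, seen, depth + 1, lines)
    else:
        lines.append((depth, server, "lame", []))
    return lines


def authoritative_answers(lines):
    """Servers that actually hold the data, with what they returned."""
    return {server: data for _, server, status, data in lines if status == "authoritative"}


def lame_servers(lines):
    """Servers delegated to that held neither data nor a further referral."""
    return sorted(server for _, server, status, _ in lines if status == "lame")


def render(lines):
    """Indented text view, loosely modelled on dnstracer's tree output."""
    out = []
    for depth, server, status, data in lines:
        suffix = f" {', '.join(data)}" if data else ""
        out.append(f"{'  ' * depth}{server}: {status}{suffix}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(trace("resolver.test", "www.example.test")))
```

Run it and the tree shows the resolver referring to the root, the root to the TLD server, the TLD server to three delegated servers, of which one answers authoritatively, one is lame and one never responds. Note what the first man page note warns about: if resolver.test were forwarding to another server behind the scenes, the simulated "non-recursive" query could not tell, and neither can the real tool.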

Let's have a look at the available options for dnstracer:

root@bt:~# dnstracer
DNSTRACER version 1.9 - (c) Edwin Groothuis - http://www.mavetju.org
Usage: dnstracer [options] [host]
        -c: disable local caching, default enabled
        -C: enable negative caching, default disabled
        -o: enable overview of received answers, default disabled
        -q <querytype>: query-type to use for the DNS requests, default A
        -r <retries>: amount of retries for DNS requests, default 3
        -s <server>: use this server for the initial request, default localhost
                     If . is specified, A.ROOT-SERVERS.NET will be used.
        -t <maximum timeout>: Limit time to wait per try
        -v: verbose
        -S <ip address>: use this source address.
        -4: don't query IPv6 servers

Let's look at a few examples of how we can use this tool:

root@bt:~# dnstracer cnn.com
Tracing to cnn.com[a] via 192.168.121.2, maximum of 3 retries
192.168.121.2 (192.168.121.2) Got answer
 |___ ns3.timewarner.net [cnn.com] (199.7.68.238) Got authoritative answer
 |___ ns5.timewarner.net [cnn.com] (204.74.109.238) Got authoritative answer
  ___ ns1.timewarner.net [cnn.com] (204.74.108.238) Got authoritative answer

This is the simplest use of the tool and just shows us the name servers for cnn.com.

To narrow down our results, or to prevent a flood of information, we can also specify a server to begin with using the "-s" option:

root@bt:~# dnstracer -o -s ns1.timewarner.net  www.cnn.com
Tracing to www.cnn.com[a] via ns1.timewarner.net, maximum of 3 retries
ns1.timewarner.net (204.74.108.238)
 |___ dmtns01.turner.com [www.cnn.com] (157.166.226.169) Got authoritative answer
 |___ dmtns02.turner.com [www.cnn.com] (157.166.224.169) Got authoritative answer
  ___ dmtns07.turner.com [www.cnn.com] (157.166.255.15) Got authoritative answer

dmtns07.turner.com (157.166.255.15)     www.cnn.com -> 157.166.226.26
dmtns07.turner.com (157.166.255.15)     www.cnn.com -> 157.166.255.18
dmtns07.turner.com (157.166.255.15)     www.cnn.com -> 157.166.255.19
dmtns07.turner.com (157.166.255.15)     www.cnn.com -> 157.166.224.25
dmtns07.turner.com (157.166.255.15)     www.cnn.com -> 157.166.224.26
dmtns07.turner.com (157.166.255.15)     www.cnn.com -> 157.166.226.25
dmtns02.turner.com (157.166.224.169)    www.cnn.com -> 157.166.255.18
dmtns02.turner.com (157.166.224.169)    www.cnn.com -> 157.166.255.19
dmtns02.turner.com (157.166.224.169)    www.cnn.com -> 157.166.224.25
dmtns02.turner.com (157.166.224.169)    www.cnn.com -> 157.166.224.26
dmtns02.turner.com (157.166.224.169)    www.cnn.com -> 157.166.226.25
dmtns02.turner.com (157.166.224.169)    www.cnn.com -> 157.166.226.26
dmtns01.turner.com (157.166.226.169)    www.cnn.com -> 157.166.224.26
dmtns01.turner.com (157.166.226.169)    www.cnn.com -> 157.166.226.25
dmtns01.turner.com (157.166.226.169)    www.cnn.com -> 157.166.226.26
dmtns01.turner.com (157.166.226.169)    www.cnn.com -> 157.166.255.18
dmtns01.turner.com (157.166.226.169)    www.cnn.com -> 157.166.255.19
dmtns01.turner.com (157.166.226.169)    www.cnn.com -> 157.166.224.25

As you can see in this example we got one more set of name servers than in our initial example. The goal here would be to keep trying until we were able to map our target all the way to the root name servers.

You can get more verbose output by using the -q (query type) switch and giving it the soa argument:

root@bt:~# dnstracer -q soa -o  cnn.com
Tracing to cnn.com[soa] via 192.168.121.2, maximum of 3 retries
192.168.121.2 (192.168.121.2)
 |___ ns3.timewarner.net [cnn.com] (199.7.68.238) Got authoritative answer
 |___ ns1.timewarner.net [cnn.com] (204.74.108.238) Got authoritative answer
  ___ ns5.timewarner.net [cnn.com] (204.74.109.238) Got authoritative answer

ns5.timewarner.net (204.74.109.238)     cnn.com -> serial: 2010052101 mname: ns1.timewarner.net rname: hostmaster.turner.com
ns1.timewarner.net (204.74.108.238)     cnn.com -> serial: 2010052101 mname: ns1.timewarner.net rname: hostmaster.turner.com
ns3.timewarner.net (199.7.68.238)       cnn.com -> serial: 2010052101 mname: ns1.timewarner.net rname: hostmaster.turner.com
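The "-o" overview lines above (both the A-record form from the www.cnn.com run and the SOA form from this run) are worth post-processing, because the interesting finding in a pentest is usually not the list itself but a disagreement between the authoritative servers: one server missing an address the others return, or one server serving an older zone serial. The parser below is my own addition for this article, not part of dnstracer. It reads overview lines in the format shown above from a constructed sample (the example.test names, 192.0.2.x / 198.51.100.x addresses and serials are made up) and reports the servers that are out of step.

```python
import re
from collections import defaultdict

# One overview line as printed by dnstracer -o:  server (ip)    name -> data
LINE_RE = re.compile(r"^(?P<server>\S+) \((?P<ip>\S+)\)\s+(?P<name>\S+) -> (?P<data>.+)$")
SERIAL_RE = re.compile(r"serial: (\d+)")

# Constructed sample of an A-record overview: ns2 is missing one address.
SAMPLE_A = """\
Tracing to www.example.test[a] via ns1.example.test, maximum of 3 retries
ns1.example.test (192.0.2.1)
 |___ ns2.example.test [www.example.test] (192.0.2.2) Got authoritative answer

ns1.example.test (192.0.2.1)     www.example.test -> 198.51.100.10
ns1.example.test (192.0.2.1)     www.example.test -> 198.51.100.11
ns2.example.test (192.0.2.2)     www.example.test -> 198.51.100.10
"""

# Constructed sample of an SOA overview: ns2 serves an older serial.
SAMPLE_SOA = """\
ns1.example.test (192.0.2.1)     example.test -> serial: 2010052101 mname: ns1.example.test rname: hostmaster.example.test
ns2.example.test (192.0.2.2)     example.test -> serial: 2010052001 mname: ns1.example.test rname: hostmaster.example.test
"""


def parse_overview(text):
    """Return {(server, ip): {name: set(data)}}; tree and header lines are skipped."""
    results = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results[(m["server"], m["ip"])][m["name"]].add(m["data"].strip())
    return results


def answer_set_findings(results):
    """Servers whose answers for a name lack something another server returned."""
    by_name = defaultdict(dict)
    for (server, _ip), names in results.items():
        for name, data in names.items():
            by_name[name][server] = frozenset(data)
    findings = []
    for name, per_server in by_name.items():
        union = frozenset().union(*per_server.values())
        for server, data in sorted(per_server.items()):
            missing = sorted(union - data)
            if missing:
                findings.append(f"{server}: {name} lacks {missing}")
    return findings


def soa_findings(results):
    """Servers whose SOA serial is behind the newest serial seen for that zone."""
    serials = defaultdict(dict)
    for (server, _ip), names in results.items():
        for name, data in names.items():
            for entry in data:
                m = SERIAL_RE.search(entry)
                if m:
                    serials[name][server] = int(m.group(1))
    findings = []
    for name, per_server in serials.items():
        newest = max(per_server.values())
        for server, serial in sorted(per_server.items()):
            if serial != newest:
                findings.append(f"{server}: {name} serial {serial} is behind {newest}")
    return findings


if __name__ == "__main__":
    for finding in answer_set_findings(parse_overview(SAMPLE_A)) + soa_findings(parse_overview(SAMPLE_SOA)):
        print(finding)
```

Feed it the real output from the runs above instead of the samples and both checks stay quiet, which is itself a useful result: every timewarner.net server returns the same serial 2010052101 and every turner.com server returns the same six addresses, so there is no stale or inconsistent server to follow up on. When the checks do fire during an assessment, that is the server to look at more closely; when they fire on your own zones, it is a replication problem to fix.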

Dnstracer determines where a given Domain Name Server (DNS) gets its information from, and follows the chain of DNS servers back to the servers which know the data. This information can be extremely valuable in a pentest.
