Backtrack 4: Information Gathering: DNS: Dnstracer – Trace a chain of DNS servers to the source

This is going to be the second of my articles on the DNS section of Backtrack 4. While it isn’t as exciting as popping a box with the newest 0-day, passive information gathering is one of the most crucial steps of a successful pentest. Today we are going to look at Dnstracer.

Dnstracer determines where a given Domain Name Server (DNS) gets its information from, and follows the chain of DNS servers back to the servers which know the data. The tool works by sending the specified name server a non-recursive request for the name. If the name server returns an authoritative answer for the name, the next server is queried. If it returns a non-authoritative answer for the name, the name servers in the authority records will be queried. The program stops once all name servers have been queried.

Notes from the man page:
1. Make sure the server you’re querying doesn’t do forwarding towards other servers, as dnstracer is not able to detect this for you.
2. It detects so-called lame servers, which are name servers that have been told to have information about a certain domain, but don’t have this information.
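To make the walk described above concrete, here is a small Python model of it. This is an added example, not dnstracer's own code, and it sends no packets: the `SERVERS` table is a constructed set of canned non-recursive responses, and every hostname and address in it is fictional (RFC 2606 names, RFC 5737 addresses). It follows authority records from a non-authoritative answer, records servers that answer with the AA flag set, and flags a referred-to server that holds no data as lame, which is the second man-page note.

```python
"""Toy re-implementation of the walk dnstracer performs (added example, not
dnstracer's own code).  No packets are sent: SERVERS below is a constructed
table of canned, non-recursive responses, and every hostname and address in it
is fictional (RFC 2606 names, RFC 5737 addresses)."""

# Each server maps a queried name to one of:
#   ("referral", [ns, ...])        non-authoritative answer: follow the authority records
#   ("answer", aa, {rdata, ...})   an answer whose AA (authoritative) flag is `aa`
# A server with no entry for the name returns nothing useful (think REFUSED / empty).
SERVERS = {
    # local caching resolver: knows nothing itself, refers us to the zone's NS set
    "resolver.example": {
        "www.example.net": ("referral", ["ns1.example.net", "ns2.example.net", "ns3.example.net"]),
    },
    "ns1.example.net": {"www.example.net": ("answer", True, {"192.0.2.10", "192.0.2.11"})},
    "ns2.example.net": {"www.example.net": ("answer", True, {"192.0.2.11", "192.0.2.10"})},
    # delegated to, but holds no data for the zone: a "lame" server
    "ns3.example.net": {},
}


def query(server, name):
    """Return the canned non-recursive (RD=0) response of `server` for `name`, or None."""
    return SERVERS.get(server, {}).get(name)


def trace(name, server, depth=0, state=None):
    """Depth-first walk from `server` towards the servers that hold `name`.

    Returns a dict with:
      authoritative: {server: rdata set} for every server answering with AA set
      lame:          servers reached through a referral that had no data
      visited:       servers queried, in order
    """
    if state is None:
        state = {"authoritative": {}, "lame": [], "visited": []}
    if server in state["visited"]:
        return state            # cycles in NS records must not loop forever
    state["visited"].append(server)

    resp = query(server, name)
    indent = "  " * depth
    if resp is None:
        print(f"{indent}{server}: no data")
        if depth > 0:           # only a server we were referred to can be lame
            state["lame"].append(server)
    elif resp[0] == "referral":
        print(f"{indent}{server}: non-authoritative, authority records -> {', '.join(resp[1])}")
        for ns in resp[1]:
            trace(name, ns, depth + 1, state)
    elif resp[1]:
        print(f"{indent}{server}: authoritative answer {sorted(resp[2])}")
        state["authoritative"][server] = resp[2]
    else:
        print(f"{indent}{server}: non-authoritative answer without authority records; nothing to follow")
    return state


def answers_agree(state):
    """True when every authoritative server returned the same record set."""
    return len({frozenset(v) for v in state["authoritative"].values()}) <= 1


if __name__ == "__main__":
    result = trace("www.example.net", "resolver.example")
    print("lame servers:", result["lame"])
    print("authoritative servers agree:", answers_agree(result))
```

The first man-page note is visible in the model too: a start server that silently forwarded the query and returned someone else's data with AA clear would look like a dead end rather than a referral, which is why the real tool cannot detect forwarding for you.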

Let's have a look at the available options for dnstracer:

```bash
root@bt:~# dnstracer
DNSTRACER version 1.9 - (c) Edwin Groothuis - http://www.mavetju.org
Usage: dnstracer [options] [host]
        -c: disable local caching, default enabled
        -C: enable negative caching, default disabled
        -o: enable overview of received answers, default disabled
        -q <querytype>: query-type to use for the DNS requests, default A
        -r <retries>: amount of retries for DNS requests, default 3
        -s <server>: use this server for the initial request, default localhost
                     If . is specified, A.ROOT-SERVERS.NET will be used.
        -t <maximum timeout>: Limit time to wait per try
        -v: verbose
        -S <ip address>: use this source address.
        -4: don't query IPv6 servers
```

Let's look at a few examples of how we can use this tool:

```bash
root@bt:~# dnstracer cnn.com
Tracing to cnn.com[a] via 192.168.121.2, maximum of 3 retries
192.168.121.2 (192.168.121.2) Got answer
 |\___ ns3.timewarner.net [cnn.com] (199.7.68.238) Got authoritative answer
 |\___ ns5.timewarner.net [cnn.com] (204.74.109.238) Got authoritative answer
  \___ ns1.timewarner.net [cnn.com] (204.74.108.238) Got authoritative answer
```

This is the simplest use of the tool and just shows us the name servers for cnn.com.

To narrow down our results, or to prevent a flood of information, we can also specify a server to begin with using the “-s” option:

```bash
root@bt:~# dnstracer -o -s ns1.timewarner.net  www.cnn.com
Tracing to www.cnn.com[a] via ns1.timewarner.net, maximum of 3 retries
ns1.timewarner.net (204.74.108.238)
 |\___ dmtns01.turner.com [www.cnn.com] (157.166.226.169) Got authoritative answer
 |\___ dmtns02.turner.com [www.cnn.com] (157.166.224.169) Got authoritative answer
  \___ dmtns07.turner.com [www.cnn.com] (157.166.255.15) Got authoritative answer

dmtns07.turner.com (157.166.255.15)     www.cnn.com -> 157.166.226.26
dmtns07.turner.com (157.166.255.15)     www.cnn.com -> 157.166.255.18
dmtns07.turner.com (157.166.255.15)     www.cnn.com -> 157.166.255.19
dmtns07.turner.com (157.166.255.15)     www.cnn.com -> 157.166.224.25
dmtns07.turner.com (157.166.255.15)     www.cnn.com -> 157.166.224.26
dmtns07.turner.com (157.166.255.15)     www.cnn.com -> 157.166.226.25
dmtns02.turner.com (157.166.224.169)    www.cnn.com -> 157.166.255.18
dmtns02.turner.com (157.166.224.169)    www.cnn.com -> 157.166.255.19
dmtns02.turner.com (157.166.224.169)    www.cnn.com -> 157.166.224.25
dmtns02.turner.com (157.166.224.169)    www.cnn.com -> 157.166.224.26
dmtns02.turner.com (157.166.224.169)    www.cnn.com -> 157.166.226.25
dmtns02.turner.com (157.166.224.169)    www.cnn.com -> 157.166.226.26
dmtns01.turner.com (157.166.226.169)    www.cnn.com -> 157.166.224.26
dmtns01.turner.com (157.166.226.169)    www.cnn.com -> 157.166.226.25
dmtns01.turner.com (157.166.226.169)    www.cnn.com -> 157.166.226.26
dmtns01.turner.com (157.166.226.169)    www.cnn.com -> 157.166.255.18
dmtns01.turner.com (157.166.226.169)    www.cnn.com -> 157.166.255.19
dmtns01.turner.com (157.166.226.169)    www.cnn.com -> 157.166.224.25
```

As you can see in this example we got one more set of name servers than in our initial example. The goal here would be to keep trying until we were able to map our target all the way to the root name servers.

You can get a little more verbose output by using the -q (query type) switch with the soa argument:

```bash
root@bt:~# dnstracer -q soa -o  cnn.com
Tracing to cnn.com[soa] via 192.168.121.2, maximum of 3 retries
192.168.121.2 (192.168.121.2)
 |\___ ns3.timewarner.net [cnn.com] (199.7.68.238) Got authoritative answer
 |\___ ns1.timewarner.net [cnn.com] (204.74.108.238) Got authoritative answer
  \___ ns5.timewarner.net [cnn.com] (204.74.109.238) Got authoritative answer

ns5.timewarner.net (204.74.109.238)     cnn.com -> serial: 2010052101 mname: ns1.timewarner.net rname: hostmaster.turner.com
ns1.timewarner.net (204.74.108.238)     cnn.com -> serial: 2010052101 mname: ns1.timewarner.net rname: hostmaster.turner.com
ns3.timewarner.net (199.7.68.238)       cnn.com -> serial: 2010052101 mname: ns1.timewarner.net rname: hostmaster.turner.com
```
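The `-o` overview is most useful when you compare what each authoritative server returns: in the two runs above, every server answers with the same six addresses (in different orders) and the same SOA serial. The script below, an added example rather than anything shipped with dnstracer, parses overview lines in that layout and reports servers whose answers differ from the majority, which is how a zone owner would spot a secondary that has fallen behind its primary. The three SOA lines are copied from the article's output; the fourth server (`ns9.example.invalid`, 192.0.2.53) and the `A_OVERVIEW` block are constructed to exercise the check.

```python
"""Consistency check over the overview section of `dnstracer -o` output.
Added example, not part of dnstracer.  The first three SOA lines are copied
from the article's run; ns9.example.invalid (192.0.2.53) and A_OVERVIEW are
constructed sample data."""
import re
from collections import Counter, defaultdict

SOA_OVERVIEW = """\
ns5.timewarner.net (204.74.109.238)     cnn.com -> serial: 2010052101 mname: ns1.timewarner.net rname: hostmaster.turner.com
ns1.timewarner.net (204.74.108.238)     cnn.com -> serial: 2010052101 mname: ns1.timewarner.net rname: hostmaster.turner.com
ns3.timewarner.net (199.7.68.238)       cnn.com -> serial: 2010052101 mname: ns1.timewarner.net rname: hostmaster.turner.com
ns9.example.invalid (192.0.2.53)        cnn.com -> serial: 2010051900 mname: ns1.timewarner.net rname: hostmaster.turner.com
"""

# Constructed A-record overview: the same two addresses returned in different orders.
A_OVERVIEW = """\
ns1.example.net (192.0.2.1)     www.example.net -> 198.51.100.10
ns1.example.net (192.0.2.1)     www.example.net -> 198.51.100.11
ns2.example.net (192.0.2.2)     www.example.net -> 198.51.100.11
ns2.example.net (192.0.2.2)     www.example.net -> 198.51.100.10
"""

# One overview line: "<server> (<ip>)   <name> -> <rdata>"
LINE_RE = re.compile(r"^(?P<server>\S+) \((?P<ip>[^)]+)\)\s+(?P<name>\S+) -> (?P<rdata>.+)$")
# rdata layout dnstracer prints for an SOA answer
SOA_RE = re.compile(r"serial: (?P<serial>\d+) mname: (?P<mname>\S+) rname: (?P<rname>\S+)")


def parse_overview(text):
    """Group the rdata of each overview line by answering server: {server: set(rdata)}."""
    by_server = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:   # the tree lines and blanks of a full run do not match and are skipped
            by_server[m["server"]].add(m["rdata"].strip())
    return dict(by_server)


def soa_serials(by_server):
    """SOA serial reported by each server (servers answering with non-SOA rdata are skipped)."""
    serials = {}
    for server, rdatas in by_server.items():
        for rdata in rdatas:
            m = SOA_RE.search(rdata)
            if m:
                serials[server] = int(m["serial"])
    return serials


def outliers(by_server):
    """Servers whose record set differs from the set most servers returned."""
    if not by_server:
        return []
    majority, _ = Counter(frozenset(s) for s in by_server.values()).most_common(1)[0]
    return sorted(s for s, recs in by_server.items() if frozenset(recs) != majority)


if __name__ == "__main__":
    soa = parse_overview(SOA_OVERVIEW)
    print("serials:", soa_serials(soa))
    print("out-of-sync servers:", outliers(soa))
    print("A-record outliers:", outliers(parse_overview(A_OVERVIEW)))
```

Because the comparison is on sets, the order in which a server lists its addresses does not matter, only the contents do, so the reordered A records above are correctly reported as consistent while the server with the older serial is reported as an outlier.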

Dnstracer determines where a given Domain Name Server (DNS) gets its information from, and follows the chain of DNS servers back to the servers which know the data. This information can be extremely valuable in a pentest.
