DNS

Domain Name System - Port 53

DNS Transaction Analysis
  • The DNS message starts after the lower-layer headers (Ethernet 14 + IPv4 20 + UDP 8 = 42 bytes when the IPv4 header carries no options).

  • The first two bytes of the DNS payload are the TXID (in big-endian order).

  • The TXID value changes with nearly every new query and is randomized so that a forged response is harder to match to an outstanding query.

  • The TXID is identical in a query and its matching response, which makes it easy to spot the related packets.

  • The DNS server never sees the complete URL, only the hostname; the path after the slash is handled by HTTP.

In this example the TXID is 0x241a (the bytes 24 1a at offset 42):
0000  00 00 00 00 00 00 00 00  00 00 00 00 08 00 45 00   ........ ......E.
0010  00 3c 51 e3 40 00 40 11  ea cb 7f 00 00 01 7f 00   .<Q.@.@. ........
0020  00 01 ec ed 00 35 00 28  fe 3b 24 1a 01 00 00 01   .....5.( .;$.....
0030  00 00 00 00 00 00 03 77  77 77 06 67 6f 6f 67 6c   .......w ww.googl
0040  65 03 63 6f 6d 00 00 01  00 01                     e.com... ..      
  • To filter all packets with a specific TXID in Wireshark: right-click the Transaction ID field → Apply as Filter → Selected, or use the display filter dns.id == 0xXXXX
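As an added illustration (not part of the original page), the following Python script walks the frame from the hexdump above: it locates the DNS payload after the Ethernet/IPv4/UDP headers, reads the big-endian TXID and flags, decodes the question name (including RFC 1035 compression pointers, which this particular query does not use), and builds the matching Wireshark display filter. The hexdump is embedded as constructed input copied from the page; the function names are my own.

```python
import struct
from typing import Tuple

# Constructed input: the frame from the hexdump on the page, without the ASCII column
# (Ethernet + IPv4 + UDP + DNS, 74 bytes; an A query for www.google.com).
HEXDUMP = """
0000  00 00 00 00 00 00 00 00  00 00 00 00 08 00 45 00
0010  00 3c 51 e3 40 00 40 11  ea cb 7f 00 00 01 7f 00
0020  00 01 ec ed 00 35 00 28  fe 3b 24 1a 01 00 00 01
0030  00 00 00 00 00 00 03 77  77 77 06 67 6f 6f 67 6c
0040  65 03 63 6f 6d 00 00 01  00 01
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Convert a Wireshark-style hexdump (offset followed by up to 16 hex pairs) to bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        parts = line.split()
        for tok in parts[1:17]:  # parts[0] is the offset column
            if len(tok) == 2:
                out.append(int(tok, 16))
    return bytes(out)


def dns_payload_offset(frame: bytes) -> int:
    """Return the offset of the DNS message: 14-byte Ethernet header, IPv4 header of
    IHL*4 bytes, 8-byte UDP header (42 bytes for an option-less IPv4 header)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:
        raise ValueError("not UDP")
    udp = 14 + ihl
    sport, dport, _ulen = struct.unpack("!HHH", frame[udp:udp + 6])
    if 53 not in (sport, dport):
        raise ValueError("neither UDP port is 53")
    return udp + 8


def read_name(msg: bytes, pos: int) -> Tuple[str, int]:
    """Decode a DNS name at pos, following compression pointers (0xC0xx) safely.
    Returns (name, position just after the name in the original byte stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # pointer: upper two bits set, 14-bit offset follows
            if end is None:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:  # refuse pointer loops in malformed messages
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if end is not None else pos)


def parse_dns(msg: bytes) -> dict:
    """Parse the 12-byte DNS header (all fields big-endian) and the question section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    questions, pos = [], 12
    for _ in range(qd):
        name, pos = read_name(msg, pos)
        qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),   # QR bit
        "opcode": (flags >> 11) & 0xF,
        "rd": bool(flags & 0x0100),            # recursion desired
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "questions": questions,
    }


def parse_frame(frame: bytes) -> dict:
    """Parse a full Ethernet/IPv4/UDP frame carrying a DNS message."""
    return parse_dns(frame[dns_payload_offset(frame):])


def wireshark_filter(txid: int) -> str:
    """Build the display filter that matches both packets of a query/response pair."""
    return f"dns.id == 0x{txid:04x}"


if __name__ == "__main__":
    info = parse_frame(hexdump_to_bytes(HEXDUMP))
    print(info)
    print(wireshark_filter(info["txid"]))
```

The same parser applies to a response: the QR bit flips to 1 and the answer count becomes non-zero, but the TXID stays 0x241a, which is exactly why the dns.id filter pairs the two packets.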

Resolve the IP with nslookup
Start nslookup
nslookup
  • Specify the DNS server:

server 10.10.10.10
  • Now look up the IP address itself (a reverse lookup of its DNS records):

10.10.10.10
Check Transfer Zones
  • If DNS is also listening on TCP, try a zone transfer (AXFR):

dig axfr HOST.NAME @10.10.10.29
Passive DNS (PDNS)

Bypassing Cloudflare

Services that keep historical records of DNS resolutions might have the IP address from before the site was put behind Cloudflare, or from a misconfiguration:

  • Look at the "A Record" history: https://securitytrails.com

  • Check the "Relations" tab for linked IP addresses and the "Details" tab for passive DNS data: https://www.virustotal.com
MX Records - Mail Servers
dig MX empleologistico.com
Nmap Scripts

Bruteforce DNS Hostname

nmap -Pn --script=dns-brute domain.com

Whois Query

With nmap (quote the wildcard so the shell does not expand it):
nmap --script "whois*" domain.com

Banner Grab

nmap -n -p<PORT> --script dns-nsid <IP>