Introduction

This article outlines how to perform DNS enumeration using the Dig tool in Linux, which is used to troubleshoot and gather information about DNS servers. It begins by explaining the fundamental role of a DNS server in translating domain names into IP addresses, differentiating between the DNS server types: root, TLD, recursive, and authoritative servers.

The core of the explanation focuses on DNS records (e.g., A, MX, CNAME, TXT) and how Dig can query specific record types to reveal valuable information about a domain, including IP addresses, mail servers, and text-based data.

I also demonstrate how to use Dig to find hidden flags in DNS records and manipulate queries by specifying different DNS servers or requesting short or detailed answers.

I also provide the answers to the TryHackMe room Dig Dug.

What is DNS enumeration, and how does the Dig tool facilitate it?

DNS enumeration is a process that aims to display all of the records associated with a domain name. When you enumerate a domain name, you are looking for its DNS records, which provide information on how the domain is accessed.

There are several types of DNS records:

  • A record: Contains the IP address of the domain. By default, Dig performs DNS enumeration on the A record.
  • MX records: Contain information about the email server used by the domain, such as whether it’s local, Microsoft, Google, Yandex, or Yahoo.
  • CNAME records: Alias one name to another; typically seen when the domain employs a www. subdomain.
  • TXT records: Contain relevant text information, often for verification purposes for third-party services integrated with the domain, such as Google Search Console. These records can sometimes store specific information, like a flag in a TryHackMe room scenario.

The Dig tool (Domain Information Groper) is a Linux tool used for DNS enumeration and troubleshooting. It facilitates DNS enumeration in several ways:

1. Basic query: Start a general DNS enumeration by typing dig followed by the domain name (e.g., dig google.com).

2. Default A record query: By default, Dig queries the A record of a domain. When you run a dig command, focus on the ANSWER SECTION, which holds what the DNS server returned: the domain name, the TTL (Time To Live, the number of seconds a resolver may cache the record before it must refresh it), the class (IN), the queried record type (e.g., A), and the record value (for an A record, the IP address).

3. Specifying record types: Add the record type after the domain name to enumerate it (e.g., dig google.com a, dig givemetheflag.com mx, dig givemetheflag.com txt; Dig expects the type name txt, not “text”). To request every record the server will give you, use any (e.g., dig domain.com any).

4. Querying specific DNS servers: If the default local DNS server does not have the answer for a query, Dig returns nothing useful. To get an answer, ask another DNS server by putting @ before its IP address (e.g., dig @8.8.8.8 google.com to query Google’s public DNS, or dig @10.10.X.X givemetheflag.com to query a specific machine’s DNS server). Changing the DNS server being queried is often the crucial step in retrieving the desired answer.

5. Controlling output display:

+short: Prints a short answer containing only the value or values of the DNS records. For example, dig google.com +short returns only the IP addresses.

+noall +answer: Turns off every default output section (the header with the Dig version, the question section and the statistics) and prints only the answer section, giving the full record lines without the surrounding clutter.

In a practical scenario, such as finding a flag hidden in a DNS record, Dig can be used to query different record types (like text records) and specify a particular DNS server until the desired information is retrieved.

What’s a DNS Server?

Think of it as the internet’s phonebook. When you type a website name like “google.com” into your browser, a DNS server is what translates that name into an IP address, which is a string of numbers that computers use to find each other. Without DNS, you’d have to remember a bunch of long, complicated numbers just to check your email!

Four main types of DNS servers:

  • Root DNS Servers: These are the big bosses at the top of the DNS hierarchy. They know how to find the right servers for top-level domains.
  • TLD Name Servers: These servers are in charge of specific top-level domains, like all the “.com” or “.org” websites.
  • Recursor DNS Servers: These are usually your local DNS servers, and they’re great at caching IP addresses to speed things up. If they don’t have the answer you’re looking for, they’ll go ask other DNS servers for help.
  • Authoritative DNS Servers: These are the ultimate source of truth for a specific domain. They hold all the official DNS records.

So, What’s DNS Enumeration?

DNS enumeration is basically the process of listing out all the DNS records for a particular domain. These records tell you all sorts of important things about how a domain is set up and how to access it. Here are a few of the most common types of records:

  • A Record: This is the most basic one. It just contains the IP address of the domain.
  • MX Records: These records tell you where a domain’s email is handled, so you’ll often see names like Google or Microsoft in there.
  • CNAME Records: These are for aliases. For example, a CNAME record could point “www.example.com” to “example.com.”
  • TXT Records: These can hold all sorts of text-based information. They’re often used for things like verifying that you own a domain with a service like Google Search Console.

Getting Your Hands Dirty with the ‘dig’ Tool

Now for the fun part! The dig tool is a command-line utility in Linux that lets you poke around and see what’s going on with a domain’s DNS.

The Basics:

If you just type dig followed by a domain name (like dig google.com), it will automatically look for the “A record” and show you the IP address.

Getting Specific:

You can also tell dig to look for a specific type of record. For example, if you want to find the email servers for a domain, you’d type dig example.com MX.

Changing Your Perspective:

Sometimes, your local DNS server might not have the information you’re looking for. In that case, you can tell dig to ask a different DNS server. You do this with the “@” symbol, followed by the IP address of the server you want to ask. For instance, you could use Google’s public DNS server like this: dig @8.8.8.8 google.com.

A Few More ‘dig’ Tricks

There are a few extra options you can use with dig to make your life easier:

  • +short: This gives you a nice, clean output with just the values of the DNS records.
  • +noall +answer: This gives you a detailed answer but cuts out all the extra fluff.
  • ANY: This tries to pull all the available DNS records for a domain, but sometimes the server might not want to share everything.

The main takeaway from the video is that if you’re not finding what you’re looking for with dig, try switching up the DNS server you’re querying. It can make all the difference!
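Pulling the steps above into one script, both the five-step list under the Dig tool heading and the basics, specifics, perspective and tricks sections just covered, as an added example that is not the room’s or the author’s own code: it wraps dig, parses the answer lines that +noall +answer prints, walks the record types one at a time, and tries other resolvers when the local one returns nothing. The domain givemetheflag.com and the 10.10.X.X resolver placeholder come from the article; the sample dig output embedded for offline use is constructed, as is the flag value inside it.

```shell
#!/usr/bin/env sh
# Added example for this article (not the TryHackMe room's or the author's own
# script). Wraps the dig workflow: one record type at a time, optionally against
# a chosen resolver, with the answer section parsed into "NAME TYPE RDATA".
# Target name and resolver addresses below are constructed placeholders.

# Record types to walk, in the order the article introduces them.
RECORD_TYPES="A MX CNAME TXT"

# parse_answer: read `dig +noall +answer` output on stdin and print one line per
# record as "NAME TYPE RDATA". Answer lines look like:
#   givemetheflag.com.  3600  IN  TXT  "flag{...}"
# Comment lines (";"), blanks and anything without IN in field 3 are skipped.
parse_answer() {
    awk '$1 !~ /^;/ && $3 == "IN" {
        printf "%s %s", $1, $4
        for (i = 5; i <= NF; i++) printf " %s", $i
        printf "\n"
    }'
}

# filter_type TYPE: keep only records of that type from parse_answer output.
filter_type() {
    awk -v t="$1" '$2 == t'
}

# find_flag: read raw dig output on stdin and print the first flag{...} value
# found in a TXT record (the room's flag format, assumed here), or nothing.
find_flag() {
    parse_answer | awk '$2 == "TXT" && match($0, /flag[{][^}]*[}]/) {
        print substr($0, RSTART, RLENGTH); exit
    }'
}

# dig_enum DOMAIN [RESOLVER]: run dig for each record type against the default
# resolver, or the one given, and print the parsed answers. Needs network access.
dig_enum() {
    domain="$1"
    server="${2:+@$2}"
    for t in $RECORD_TYPES; do
        dig $server "$domain" "$t" +noall +answer | parse_answer | filter_type "$t"
    done
}

# hunt_flag DOMAIN RESOLVER...: the article's key advice, automated: ask each
# resolver in turn for the TXT records and stop at the first one holding a flag.
hunt_flag() {
    domain="$1"
    shift
    for s in "$@"; do
        f=$(dig "@$s" "$domain" TXT +noall +answer | find_flag)
        if [ -n "$f" ]; then
            echo "$s $f"
            return 0
        fi
    done
    return 1
}

# sample_dig_output: constructed stand-in for `dig givemetheflag.com any
# +noall +answer`, so the parsing functions can be exercised offline.
sample_dig_output() {
    printf '%s\n' \
        '; <<>> DiG 9.18.1 <<>> givemetheflag.com any' \
        'givemetheflag.com.  3600  IN  TXT  "flag{constructed-example}"' \
        'givemetheflag.com.  300  IN  A  10.10.10.10' \
        'givemetheflag.com.  300  IN  MX  10 mx.givemetheflag.com.'
}

# Usage against a live target (not run here):
#   dig_enum givemetheflag.com 10.10.X.X
#   hunt_flag givemetheflag.com 8.8.8.8 10.10.X.X
```

The parser keys on the IN class in the third column, which is what every answer line of a normal dig query carries, so the header comments that a plain dig prints are ignored even without +noall. hunt_flag only asks for TXT because that is where the room hides its flag; swap the type, or loop over RECORD_TYPES as dig_enum does, when you do not know where the data of interest lives.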

Room Answers | TryHackMe Dig Dug

Retrieve the flag from the DNS server!

flag{0767ccd06e79853318f25aeb08ff83e2}

Video Walk-Through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
