**Note: The content in this article is for educational purposes only and for understanding cybersecurity concepts. It should help people and organizations get a better grip on threats and know how to protect themselves against them. Please use this information responsibly.**
NSLOOKUP is a command-line tool designed for DNS interrogation. This utility enables users to send queries to DNS servers, retrieving valuable information about domain names, their corresponding IP addresses, and other DNS-related data. By employing this tool, IT professionals and network administrators can efficiently look up specific DNS records, aiding in network troubleshooting and administration tasks.
We will perform DNS information gathering about target organizations using the nslookup command-line utility.
1. Open CLI in Kali Linux.
2. Type nslookup and press enter.
3. This brings up the nslookup interactive mode, which is shown by the “>” sign. Here, type: “set type=a” and press enter. This configures nslookup to query for the IP address of a given domain.
“a” here stands for A record (Address record), an important type of DNS record that maps a domain name to its IPv4 address.
4. Type the target domain name.
As we can see here, this resolves vulnweb.com to the IP address 44.228.249.3.
The first two lines of the result, “Server:” and “Address:”, identify the DNS server that answered the query; here it is the default server on the local machine.
A non-authoritative answer means the response came from the local machine’s server rather than from the server that holds the authoritative records for vulnweb.com.
5. To receive the domain’s authoritative name server, type “set type=cname” and press enter.
“cname” here stands for CNAME record (Canonical Name record), a type of DNS record that points a name at another hostname, so that queries for it are answered with that hostname’s records instead.
When seeking CNAME (Canonical Name) information for a domain, the query is sent directly to the name server that holds authoritative data for that specific domain. This direct approach ensures that the most accurate and up-to-date CNAME records are retrieved from the primary source of the domain’s DNS information.
6. Type the domain name “vulnweb.com” to get the authoritative nameserver’s name.
We can see here “ns1.eurodns.com” is the authoritative nameserver.
7. To get the IP address of the authoritative nameserver, type “set type=a”.
8. Then type the authoritative nameserver’s name (ns1.eurodns.com).
Hence, we have obtained the IP address of the authoritative nameserver.
9. We can also see that the mail server is hosted by hostmaster.eurodns.com. So, to get its IP address, type “set type=a”, then type hostmaster.eurodns.com.
So here we can see that the IP address of the mail server is 80.92.65.210.
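As an added example (not part of the original article), the following Python script shows what nslookup sends on the wire for “set type=a” and how the reply is read. The two responses are constructed by hand so the script runs offline; they reuse the names and the IP address from the session above but are not real captures. The first reply carries no AA (authoritative answer) flag in its header, which is exactly what makes nslookup label it a non-authoritative answer. The second, a reply to the “set type=cname” query from step 5, has no CNAME to return, so the zone’s SOA record arrives in the authority section; its two name fields are the primary nameserver (ns1.eurodns.com, which nslookup prints as “origin”) and the zone contact mailbox (hostmaster.eurodns.com, printed as “mail addr”, where the first dot stands for “@” per RFC 1035). The parser also handles DNS name compression with a hop limit, a check worth keeping in any DNS parser.

```python
import struct

# Added example, not code from the article: a minimal DNS wire-format builder and
# parser showing what nslookup does behind "set type=a", and that "authoritative"
# versus "non-authoritative" is simply the AA flag bit in the response header.
TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_SOA = 1, 2, 5, 6
TYPE_NAMES = {TYPE_A: "A", TYPE_NS: "NS", TYPE_CNAME: "CNAME", TYPE_SOA: "SOA"}

def encode_name(name):
    """Encode a dotted hostname as DNS labels (length-prefixed, NUL-terminated)."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """Wire-format query equivalent to nslookup's 'set type=...' followed by <name>."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def read_name(msg, off, max_hops=16):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > max_hops:    # defensive: a looping pointer must not hang us
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), end if jumped else off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(msg):
    """Parse header, question, answer and authority sections into a dict."""
    _txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"authoritative": bool(flags & 0x0400), "rcode": flags & 0xF,  # AA bit
              "answers": [], "authority": []}
    off = 12
    for _ in range(qd):           # skip the echoed question(s): name + QTYPE + QCLASS
        _, off = read_name(msg, off)
        off += 4
    for section, count in (("answers", an), ("authority", ns)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == TYPE_A:
                value = ".".join(str(b) for b in msg[off:off + 4])
            elif rtype in (TYPE_NS, TYPE_CNAME):
                value, _ = read_name(msg, off)
            elif rtype == TYPE_SOA:
                # MNAME = primary nameserver; RNAME = responsible person's mailbox,
                # whose first dot stands for '@' (RFC 1035 3.3.13)
                mname, p = read_name(msg, off)
                rname, _ = read_name(msg, p)
                value = {"primary_ns": mname, "responsible_mailbox": rname.replace(".", "@", 1)}
            else:
                value = msg[off:off + rdlen].hex()
            result[section].append((owner, TYPE_NAMES.get(rtype, str(rtype)), ttl, value))
            off += rdlen
    return result

def answer_kind(msg):
    """The line nslookup prints first: whether the reply carried the AA flag."""
    return "Authoritative answer" if parse_response(msg)["authoritative"] else "Non-authoritative answer"

# --- constructed sample responses (hand-built here, not real captures) ---------
def build_rr(owner, rtype, ttl, rdata):  # owner: encode_name() bytes or a pointer
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

PTR_QNAME = b"\xc0\x0c"  # pointer to the question name, which starts at offset 12

# Recursive resolver's reply to 'set type=a' / vulnweb.com: QR, RD, RA set, AA clear
SAMPLE_A_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("vulnweb.com") + struct.pack("!HH", TYPE_A, 1)
    + build_rr(PTR_QNAME, TYPE_A, 300, bytes([44, 228, 249, 3]))
)

# Zone server's reply to 'set type=cname' / vulnweb.com: AA set, no CNAME exists, so
# the answer section is empty and the zone's SOA is returned in the authority section
SAMPLE_SOA_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 0, 1, 0)
    + encode_name("vulnweb.com") + struct.pack("!HH", TYPE_CNAME, 1)
    + build_rr(PTR_QNAME, TYPE_SOA, 3600,
               encode_name("ns1.eurodns.com") + encode_name("hostmaster.eurodns.com")
               + struct.pack("!IIIII", 2024010100, 3600, 900, 604800, 300))  # serial, timers
)

if __name__ == "__main__":
    for sample in (SAMPLE_A_RESPONSE, SAMPLE_SOA_RESPONSE):
        print(answer_kind(sample), parse_response(sample))
```

Running the script prints the parsed A answer as non-authoritative and the SOA reply as authoritative. Sending `build_query(...)` over UDP port 53 to a resolver and feeding the raw reply to `parse_response` gives the same view of a live lookup that nslookup presents, with the AA flag and the section each record came from made explicit.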
Using the nslookup online tool to gather DNS information
1. Open any web browser (Firefox in this case).
2. In the address bar, type http://www.kloth.net/services/nslookup.php and press enter.
3. The NSLOOKUP website appears as shown below.
4. In the domain field, enter the target domain.
5. The query field shows various options that can be selected to view nameservers, DNS record types and DNS zones.
6. After entering the target domain name and selecting the query you want to explore, click on “Look it up” to get the required details.
Nameservers for testfire.net:
These were the steps to perform DNS information gathering using nslookup.
The authoritative nameserver (primary nameserver) holds the records associated with the domain. So, if an attacker can identify it and obtain its IP address, they can attempt to exploit the server and carry out various attacks such as DoS, DDoS, and URL redirection.