DNS Discovery

nmap -sS -sU -p53 -n 10.50.96.0/23

Some firewalls let traffic through only when it looks like a DNS reply, i.e. when its source port is 53. Setting our own source port to 53 can get the scan past such a filter.

Note that when you specify a source port, hping3 treats it as a base port and increments it with every packet sent. Use the -k (keep) option to prevent this behaviour.

nmap -sS --source-port 53 -p 53 10.50.97.0/24
OR
hping3 -S -s 53 -k -p 53 10.50.97.25

Identify Nameserver

nslookup
> server [DNS server]
> set q=NS
> [domain]
foocampus.com    nameserver = ns.foocampus.com
foocampus.com    nameserver = ns1.foocampus.com

We can then get the IP address of each nameserver (the query type defaults to A, so this returns its address):

nslookup
> server [DNS server]
> [nameserver]

DNS Lookup

nslookup and dig can both be used for forward (name to IP) and reverse (IP to name) DNS lookups:

nslookup
> server <dns_server>
> <target_ip>

dig @<dns_server_ip> <hostname> +nocookie    # find IP for hostname (forward lookup)
dig @<dns_server_ip> -x <target_ip> +nocookie    # find hostname for IP (reverse lookup)

Forward lookups to view NS records:

nslookup
> server <dns_server>
> set q=NS
> <domain_name>

Zone Transfer

A DNS zone transfer (AXFR) is how a secondary name server asks the primary for a full copy of the zone ('I am your backup name server, please send me all your records'). It should be allowed only from the authorised secondary servers, but it is often misconfigured to answer anyone, which hands an attacker the complete list of hostnames and addresses in the zone.

DNS servers host zones. A DNS zone is a portion of the domain name space that is served by a DNS server. For example, example.com with all its subdomains may be a zone. However, second.example.com may also be a separate zone.

DNS is a critical service. If a DNS server for a zone is not working and cached information has expired, the domain is inaccessible to all services (web, mail, and more). Therefore, each zone should have at least two DNS servers. For more critical zones, there may be even more.
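Putting the nameserver identification steps above together with a zone transfer attempt, here is an added example script (not part of the original notes) that uses dig to list a domain's NS records, resolve each one to an address, and try an AXFR against each. The domain and resolver are whatever you pass in, and the success check relies on dig printing "; Transfer failed." on refusal and, for a successful transfer, on the zone's SOA record appearing at both the start and the end of the output.

```shell
#!/bin/sh
# Added example, not from the original notes: enumerate a domain's name
# servers with dig, resolve each one, and try an AXFR (zone transfer)
# against each. Requires dig. The domain/resolver arguments are whatever
# you pass in; nothing in here is a real target.

# Turn "dig +short NS" output (one FQDN per line, trailing dot) into a
# clean, de-duplicated list of nameserver hostnames.
parse_ns() {
    printf '%s\n' "$1" | sed -e 's/\.$//' -e '/^$/d' | LC_ALL=C sort -u
}

# Decide whether "dig axfr" output is a real zone transfer. dig prints
# "; Transfer failed." when the server refuses; a successful transfer
# contains the zone's SOA record twice (first and last record).
# Returns 0 (true) only for a successful transfer.
axfr_succeeded() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        return 1
    fi
    soa_count=$(printf '%s\n' "$out" \
        | grep -c -E '[[:space:]]IN[[:space:]]+SOA[[:space:]]' || true)
    [ "$soa_count" -ge 2 ]
}

# The whole procedure: NS records -> address of each NS -> AXFR attempt.
# $1 = domain, $2 = optional resolver to use for the NS and A lookups.
try_zone_transfer() {
    domain=$1
    at=""
    if [ -n "${2:-}" ]; then at="@$2"; fi
    for ns in $(parse_ns "$(dig $at +short NS "$domain" +nocookie)"); do
        for ip in $(dig $at +short A "$ns" +nocookie); do
            # Ask the authoritative server itself; a resolver will not relay AXFR.
            out=$(dig "@$ip" axfr "$domain" +nocookie 2>&1)
            if axfr_succeeded "$out"; then
                echo "[+] $ns ($ip) allows AXFR for $domain"
                printf '%s\n' "$out"
            else
                echo "[-] $ns ($ip) refused AXFR for $domain"
            fi
        done
    done
}

# Usage: sh dns-axfr.sh foocampus.com [resolver]
if [ $# -ge 1 ]; then
    try_zone_transfer "$@"
fi
```

The script queries each nameserver's IP directly rather than the resolver given in $2, because a recursive resolver will not relay an AXFR; the resolver is used only to find the NS and A records. A refusal shows up as "; Transfer failed." and is reported as [-], while a server that answers hands back the whole zone, which the script prints for further enumeration.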