The Domain Name System is crucial for human interaction with networks. Gathering information about a target is critical to performing a successful penetration test, and the DNS service is one of the key sources of this information. Today, I want to write about the different types of information that can be discovered by probing this service using a mix of command line tools and web resources. There are many tools available to interact with DNS, but today I’m going to cover the use of nslookup, host, and *dig* on the command line, and the netcraft website.
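Before looking at the individual tools, it helps to see what nslookup, host and dig actually receive from a name server and how much information a single answer can carry. The following is an added example (not code from the original post): a small parser for the DNS wire format described in RFC 1035, run against a response message that is constructed inline and uses the reserved documentation range 192.0.2.0/24 and example.com. It decodes A, NS, MX and TXT records, including the name-compression pointers that real responses use, so that the SPF text, mail exchanger and name server a zone publishes are readable in one pass. The same decoding logic is what lets an administrator audit what their own zone exposes to anyone who asks.

```python
import struct

# RR type numbers from RFC 1035 / RFC 3596 that the example decodes.
RECORD_TYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, offset, max_hops=16):
    """Decode a possibly compressed name at offset.

    Returns (name, offset_after_name). A label whose top two bits are set is a
    pointer to an earlier position in the message (RFC 1035 section 4.1.4);
    the hop limit guards against a crafted pointer loop.
    """
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2      # the name occupies only the 2 pointer bytes here
            jumped = True
            offset = pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def decode_rdata(msg, offset, rtype, rdata):
    """Render RDATA for the record types we care about; hex for anything else."""
    if rtype == 1:                                   # A: four raw octets
        return ".".join(str(b) for b in rdata)
    if rtype in (2, 5):                              # NS / CNAME: a (compressible) name
        return read_name(msg, offset)[0]
    if rtype == 15:                                  # MX: preference + exchange name
        pref = struct.unpack("!H", rdata[:2])[0]
        return f"{pref} {read_name(msg, offset + 2)[0]}"
    if rtype == 16:                                  # TXT: one or more <len><chars> strings
        strings, i = [], 0
        while i < len(rdata):
            n = rdata[i]
            strings.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
            i += 1 + n
        return " ".join(strings)
    return rdata.hex()


def parse_response(msg):
    """Return [(owner, type, ttl, data), ...] for every RR in a DNS response."""
    _ident, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                              # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4                                  # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        owner, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        records.append((owner, RECORD_TYPES.get(rtype, str(rtype)), ttl,
                        decode_rdata(msg, offset, rtype, rdata)))
        offset += rdlen
    return records


def build_sample_response():
    """Constructed response for 'example.com ANY' (assumption: not a real capture)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 4, 0, 0)   # response, RD+RA, 4 answers
    question = encode_name("example.com") + struct.pack("!HH", 255, 1)
    owner = b"\xc0\x0c"                              # pointer to "example.com" at offset 12

    def rr(rtype, rdata, ttl=3600):
        return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

    return (header + question
            + rr(1, bytes([192, 0, 2, 10]))
            + rr(2, b"\x03ns1" + owner)              # ns1.example.com via pointer
            + rr(15, struct.pack("!H", 10) + b"\x04mail" + owner)
            + rr(16, b"\x0bv=spf1 -all"))


if __name__ == "__main__":
    for owner, rtype, ttl, data in parse_response(build_sample_response()):
        print(f"{owner:<14} {ttl:>6} IN {rtype:<5} {data}")
```

The four records printed are exactly the lines `dig +noall +answer` would show for such a zone, and they illustrate why DNS is such a rich source: the A record maps the name to an address, NS names the authoritative servers, MX names the mail host and the TXT record publishes the mail policy. Anything your own zone serves this way is public, so the same parser can be pointed at a real response captured from your resolver to review what it discloses.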
On a recent engagement, I discovered a serious flaw in the assumptions made during the implementation of a web application. The application in question manages user password recovery and is hosted on IIS on Windows. The implementation I evaluated made use of load balancing because of the volume of user requests per hour. This application can hook into Active Directory authentication to control user access to the various administrative functions it provides.