Scan whole internet domains, with speed of 3,50,000 domains per second
https://www.securitynewspaper.com/2020/02/19/scan-whole-internet-domains-with-speed-of-350000-domains-per-second/
Wed, 19 Feb 2020 14:11:14 +0000

MASSDNS is a high-performance specialised stub resolver (a stub resolver is the DNS client side, such as the resolver built into the operating system, which hands its queries to a recursive server rather than walking the DNS tree itself) capable of resolving 3,50,000 domain entries per second. This performance comes from the developers writing their own stack-based implementation instead of using the Linux LDNS library, whose functions simplify DNS programming, as commented by an ethical hacking researcher of the International Institute of Cyber Security. By default MASSDNS resolves domain names with recursive queries.

RECURSIVE: in a recursive query the DNS server that receives your query does all the work of fetching the answer, by whatever path is needed, and sends it back to you. During this process the server may itself query other DNS servers on the internet on your behalf. A non-recursive method for resolving domain names can also be used.

NON-RECURSIVE: the DNS resolver answers only with what it already knows, that is, an answer already stored in its cache, and does no further lookups on your behalf.
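The difference between the two modes is one header bit in the query (RD, recursion desired) and the flags the server echoes back. The following is an added example, not code from the article or from massdns: it builds a query packet with RD set or clear, and parses a response into the same status, flags and section counts that appear in massdns output. The response packet is constructed inline from one A record in the article's run; it is not a captured packet.

```python
import socket
import struct

# Header flag bits (RFC 1035 section 4.1.1), named as massdns prints them
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100, "ra": 0x0080}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 28: "AAAA"}


def encode_name(name):
    """Encode a dotted name as a sequence of length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, recurse=True):
    """Build a query packet. recurse=False leaves the RD bit clear, which is
    what massdns --norecurse does: the server then answers only from what it
    already holds instead of fetching the answer on our behalf."""
    flags = FLAG_BITS["rd"] if recurse else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def query_has_rd(pkt):
    """True when a query packet asks the server to recurse."""
    return bool(struct.unpack("!H", pkt[2:4])[0] & FLAG_BITS["rd"])


def decode_name(pkt, off):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels = []
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            suffix, _ = decode_name(pkt, ptr)
            return ".".join(labels + [suffix]), off + 2
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length


def parse_response(pkt):
    """Parse header, question and answer section into the fields massdns prints."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    question = []
    for _ in range(qd):
        qname, off = decode_name(pkt, off)
        qtype = struct.unpack("!HH", pkt[off:off + 4])[0]
        off += 4
        question.append((qname, TYPES.get(qtype, str(qtype))))
    answers = []
    for _ in range(an):
        rname, off = decode_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            value = socket.inet_ntoa(pkt[off:off + 4])
        elif rtype in (2, 5):  # NS and CNAME carry a (compressible) name
            value = decode_name(pkt, off)[0]
        else:
            value = pkt[off:off + rdlen].hex()
        off += rdlen
        answers.append((rname, ttl, TYPES.get(rtype, str(rtype)), value))
    return {
        "id": txid,
        "status": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "flags": [n for n, bit in FLAG_BITS.items() if flags & bit],
        "counts": {"QUERY": qd, "ANSWER": an, "AUTHORITY": ns, "ADDITIONAL": ar},
        "question": question,
        "answers": answers,
    }


def sample_response(txid=0x1234):
    """Constructed packet, not a capture: what a recursive resolver might send
    back for the query above, with one A record taken from the article's run."""
    flags = FLAG_BITS["qr"] | FLAG_BITS["rd"] | FLAG_BITS["ra"]
    pkt = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    pkt += encode_name("www.hackerearth.com") + struct.pack("!HH", 1, 1)
    # answer RR: name as pointer to offset 12, type A, class IN, TTL 60, 4 bytes
    pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
    return pkt + socket.inet_aton("52.76.81.127")


def answered_recursively(resp):
    """The server was asked to recurse (rd) and was willing to (ra)."""
    return "rd" in resp["flags"] and "ra" in resp["flags"]
```

A reply whose flags lack "ra" came from a server that will not recurse for you, so an empty answer from it says nothing about whether the name exists.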

Explanatory diagram for the resolving process

INSTALLATION OF MASSDNS

Note: Kali Linux 2019 (64-bit) is used for installing the MASSDNS tool.

Screenshot: git clone of the massdns repository
  • After cloning the repository, change into the massdns folder.
  • Type cd massdns
Screenshot: the underlined portion signifies that you are in the massdns folder.
  • The tool is downloaded, but it cannot yet be run by typing massdns: the downloaded directory contains a Makefile, and the sources it lists must be compiled to build the tool.
  • Type make to build the tool.
Screenshot: make builds massdns
  • Type make install to install the tool.
Screenshot: make install
  • After performing all the steps above the tool is ready, and it can be run by typing the command massdns:
     # massdns
 Usage: massdns [options] [domainlist]
   -b  --bindto           Bind to IP address and port. (Default: 0.0.0.0:0)
       --busy-poll        Use busy-wait polling instead of epoll.
   -c  --resolve-count    Number of resolves for a name before giving up. (Default: 50)
       --drop-group       Group to drop privileges to when running as root. (Default: nogroup)
       --drop-user        User to drop privileges to when running as root. (Default: nobody)
       --flush            Flush the output file whenever a response was received.
   -h  --help             Show this help.
   -i  --interval         Interval in milliseconds to wait between multiple resolves of the same
                          domain. (Default: 500)
   -l  --error-log        Error log file path. (Default: /dev/stderr)
       --norecurse        Use non-recursive queries. Useful for DNS cache snooping.
   -o  --output           Flags for output formatting.
       --predictable      Use resolvers incrementally. Useful for resolver tests.
       --processes        Number of processes to be used for resolving. (Default: 1)
   -q  --quiet            Quiet mode.
       --rcvbuf           Size of the receive buffer in bytes.
       --retry            Unacceptable DNS response codes. (Default: REFUSED)
   -r  --resolvers        Text file containing DNS resolvers.
       --root             Do not drop privileges when running as root. Not recommended.
   -s  --hashmap-size     Number of concurrent lookups. (Default: 10000)
       --sndbuf           Size of the send buffer in bytes.
       --sticky           Do not switch the resolver when retrying.
       --socket-count     Socket count per process. (Default: 1)
   -t  --type             Record type to be resolved. (Default: A)
       --verify-ip        Verify IP addresses of incoming replies.
   -w  --outfile          Write to the specified output file instead of standard output.
 Output flags:
   S - simple text output
   F - full text output
   B - binary output
   J - ndjson output
 Advanced flags for the simple output mode:
   d - Include records from the additional section.
   i - Indent any reply record.
   l - Separate replies using a line feed.
   m - Only output reply records that match the question name.
   n - Include records from the answer section.
   q - Print the question.
   r - Prepend resolver IP address, Unix timestamp and return code to the question line.
   s - Separate packet sections using a line feed.
   t - Include TTL and record class within the output.
   u - Include records from the authority section.
  • Now let's start using the tool.
  • massdns is built to resolve a batch of domains in one go, so we create a file abc.txt listing the domain names to resolve. We put two domains in abc.txt:
www.hackthebox.eu
www.hackerearth.com
  • To create the file abc.txt, type the command nano abc.txt
  • Insert the two names into the file, save with Ctrl+O followed by Enter, and exit with Ctrl+X.
Screenshot: contents of abc.txt
  • Following the usage syntax given by the developer, we now have our domain list, and the package already ships a resolver list, lists/resolvers.txt, prepared by the developer.
  • To see the contents of resolvers.txt, change into the massdns directory and type cat lists/resolvers.txt. This displays all the resolver servers listed in the file.
  • Now let us resolve the two domains in abc.txt.
  • Type the command massdns -r lists/resolvers.txt abc.txt
  • After the run we get the records: name servers, canonical names, A or AAAA records and some additional records. In the run below the second name was typed into the file as www.hackethebox.eu, so the resolver returns NXDOMAIN for it; check the input list for typos before reading a "does not exist" answer as a finding.
massdns -r lists/resolvers.txt abc.txt
 Privileges have been dropped to "nobody:nogroup" for security reasons.
 Processed queries: 0
 Received packets: 0
 Progress: 0.00% (00 h 00 min 00 sec / 00 h 00 min 00 sec)
 Current incoming rate: 0 pps, average: 0 pps
 Current success rate: 0 pps, average: 0 pps
 Finished total: 0, success: 0 (0.00%)
 Mismatched domains: 0 (0.00%), IDs: 0 (0.00%)
 Failures: 0: 0.00%, 1: 0.00%, 2: 0.00%, 3: 0.00%, 4: 0.00%, 5: 0.00%, 6: 0.00%, 7: 0.00%, 8: 0.00%, 9: 0.00%, 10: 0.00%, 11: 0.00%, 12: 0.00%, 13: 0.00%, 14: 0.00%, 15: 0.00%, 16: 0.00%, 17: 0.00%, 18: 0.00%, 19: 0.00%, 20: 0.00%, 21: 0.00%, 22: 0.00%, 23: 0.00%, 24: 0.00%, 25: 0.00%, 26: 0.00%, 27: 0.00%, 28: 0.00%, 29: 0.00%, 30: 0.00%, 31: 0.00%, 32: 0.00%, 33: 0.00%, 34: 0.00%, 35: 0.00%, 36: 0.00%, 37: 0.00%, 38: 0.00%, 39: 0.00%, 40: 0.00%, 41: 0.00%, 42: 0.00%, 43: 0.00%, 44: 0.00%, 45: 0.00%, 46: 0.00%, 47: 0.00%, 48: 0.00%, 49: 0.00%, 50: 0.00%,
 Response: | Success:               | Total:
 OK:       |            0 (  0.00%) |            0 (  0.00%)
 NXDOMAIN: |            0 (  0.00%) |            0 (  0.00%)
 SERVFAIL: |            0 (  0.00%) |            0 (  0.00%)
 REFUSED:  |            0 (  0.00%) |            0 (  0.00%)
 FORMERR:  |            0 (  0.00%) |            0 (  0.00%)
 ;; Server: 206.248.95.194:53
 ;; Size: 285
 ;; Unix time: 1582114214
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54368
 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 4
 ;; QUESTION SECTION:
 www.hackerearth.com. IN A
 ;; ANSWER SECTION:
 www.hackerearth.com. 60 IN A 52.76.81.127
 www.hackerearth.com. 60 IN A 54.169.98.191
 www.hackerearth.com. 60 IN A 52.76.244.185
 ;; AUTHORITY SECTION:
 hackerearth.com. 1786 IN NS ns-989.awsdns-59.net.
 hackerearth.com. 1786 IN NS ns-73.awsdns-09.com.
 hackerearth.com. 1786 IN NS ns-1300.awsdns-34.org.
 hackerearth.com. 1786 IN NS ns-1709.awsdns-21.co.uk.
 ;; ADDITIONAL SECTION:
 ns-73.awsdns-09.com. 4443 IN A 205.251.192.73
 ns-989.awsdns-59.net. 2264 IN A 205.251.195.221
 ns-1300.awsdns-34.org. 9582 IN A 205.251.197.20
 ns-1709.awsdns-21.co.uk. 8646 IN A 205.251.198.173
 ;; Server: 212.94.32.32:53
 ;; Size: 90
 ;; Unix time: 1582114214
 ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13441
 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 ;; QUESTION SECTION:
 www.hackethebox.eu. IN A
 ;; AUTHORITY SECTION:
 eu. 600 IN SOA nl.dns.eu. tech.eurid.eu. 1060075683 3600 1800 3600000 600
 Processed queries: 2
 Received packets: 2
 Progress: 100.00% (00 h 00 min 00 sec / 00 h 00 min 00 sec)
 Current incoming rate: 12 pps, average: 12 pps
 Current success rate: 12 pps, average: 12 pps
 Finished total: 2, success: 2 (100.00%)
 Mismatched domains: 0 (0.00%), IDs: 0 (0.00%)
 Failures: 0: 100.00%, 1: 0.00%, 2: 0.00%, 3: 0.00%, 4: 0.00%, 5: 0.00%, 6: 0.00%, 7: 0.00%, 8: 0.00%, 9: 0.00%, 10: 0.00%, 11: 0.00%, 12: 0.00%, 13: 0.00%, 14: 0.00%, 15: 0.00%, 16: 0.00%, 17: 0.00%, 18: 0.00%, 19: 0.00%, 20: 0.00%, 21: 0.00%, 22: 0.00%, 23: 0.00%, 24: 0.00%, 25: 0.00%, 26: 0.00%, 27: 0.00%, 28: 0.00%, 29: 0.00%, 30: 0.00%, 31: 0.00%, 32: 0.00%, 33: 0.00%, 34: 0.00%, 35: 0.00%, 36: 0.00%, 37: 0.00%, 38: 0.00%, 39: 0.00%, 40: 0.00%, 41: 0.00%, 42: 0.00%, 43: 0.00%, 44: 0.00%, 45: 0.00%, 46: 0.00%, 47: 0.00%, 48: 0.00%, 49: 0.00%, 50: 0.00%,
 Response: | Success:               | Total:
 OK:       |            1 ( 50.00%) |            1 ( 50.00%)
 NXDOMAIN: |            1 ( 50.00%) |            1 ( 50.00%)
 SERVFAIL: |            0 (  0.00%) |            0 (  0.00%)
 REFUSED:  |            0 (  0.00%) |            0 (  0.00%)
 FORMERR:  |            0 (  0.00%) |            0 (  0.00%)
  • Similarly, if you want a particular record type such as A, AAAA, NS or MX, specify it with -t, for example massdns -r lists/resolvers.txt -t NS abc.txt. This command retrieves the name servers (NS) of the given domain names.
  • You can also use quiet mode by running massdns -r lists/resolvers.txt --quiet abc.txt
# massdns -r lists/resolvers.txt --quiet  abc.txt
 ;; Server: 35.8.2.41:53
 ;; Size: 90
 ;; Unix time: 1582113398
 ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18688
 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 ;; QUESTION SECTION:
 www.hackethebox.eu. IN A
 ;; AUTHORITY SECTION:
 eu. 370 IN SOA nl.dns.eu. tech.eurid.eu. 1060074961 3600 1800 3600000 600
 ;; Server: 212.1.118.3:53
 ;; Size: 90
 ;; Unix time: 1582113398
 ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27638
 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 ;; QUESTION SECTION:
 www.hackerearth.eu. IN A
 ;; AUTHORITY SECTION:
 eu. 370 IN SOA nl.dns.eu. tech.eurid.eu. 1060074961 3600 1800 3600000 600
  • If you want to save the results in a file, use massdns -r lists/resolvers.txt -t NS -w xyz.txt abc.txt
  • This saves the results in xyz.txt; you can view the contents of the file with cat xyz.txt

MASSDNS VS NSLOOKUP

  • Here we can choose the number of concurrent lookups, which the Windows command prompt cannot do.
  • In Windows, NSLOOKUP is the command used to find the DNS information of a website, but it performs one lookup at a time, whereas massdns runs many lookups concurrently.
  • The number of concurrent lookups is set with -s / --hashmap-size, for example massdns -r lists/resolvers.txt --hashmap-size N abc.txt, where N is the number of lookups in flight at once.
  • By default it is set to 1000 lookups at a time (the usage text above reports the default as 10000), and the allowed range is 1 to 18446744073709551615.
  • In the Windows command shell we cannot see more than one lookup at a time.
  • To resolve non-recursively, use massdns -r lists/resolvers.txt --norecurse abc.txt
  • The --quiet parameter, as used in the command above, hides the progress output so that only the results are shown.
  • Many other tasks can be performed by adding flags according to your needs.

WHY YOU SHOULD USE THIS TOOL?

As commented by an ethical hacking researcher of the International Institute of Cyber Security, there are many DNS resolving tools on the market, but we chose this one for the following reasons (all tests were conducted in an open environment):

  • Its latency compared with the other tools is very low, approximately 1.5-2% of the time taken by the other tools.
  • Moreover, the tool ships with a list of resolvers. Spreading the queries over that list makes resolving fast by reducing the number of hops and possibly giving you the shortest path to the destination; in simple language, the query is less recursive.

MASSDNS VS DIG

Here is a small experiment comparing massdns with another tool, dig.

  • Dig is also a command-line tool for querying the Domain Name System (DNS).
  • First we took a batch of 24 domains and passed them through both tools.
  • A file named iot.txt was created with the 24 domains:
webmagnat.ro
 nickelfreesolutions.com
 scheepvaarttelefoongids.nl
 tursan.net
 plannersanonymous.com
 doing.fr
 saltstack.com
 deconsquad.com
 migom.com
 tjprc.org
 worklife.dk
 inno-make.com
 food-hub.org
 bikemastertool.com
 betenbewegen.de
 vk.me
 twotigersports.com
 517mrt.com
 siel.nl
 e-hps.com
 infowheel.com
 synirc.net
 abuliyan.com
 easy-ways.com

The time taken by dig is approximately 10 seconds in our lab setup.

dig -f iot.txt
 ; <<>> DiG 9.11.5-P1-1-Debian <<>> webmagnat.ro
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17487
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ;; QUESTION SECTION:
 ;webmagnat.ro.                  IN      A
 ;; ANSWER SECTION:
 webmagnat.ro.           10800   IN      A       85.25.207.218
 ;; AUTHORITY SECTION:
 webmagnat.ro.           10800   IN      NS      ns1.webmagnat.ro.
 webmagnat.ro.           10800   IN      NS      ns2.webmagnat.ro.
 ;; ADDITIONAL SECTION:
 ns1.webmagnat.ro.       10800   IN      A       85.25.207.218
 ns2.webmagnat.ro.       10800   IN      A       85.25.207.218
 ;; Query time: 635 msec
 ;; SERVER: 192.168.0.1#53(192.168.0.1)
 ;; WHEN: Wed Feb 19 04:25:36 PST 2020
 ;; MSG SIZE  rcvd: 125
 ; <<>> DiG 9.11.5-P1-1-Debian <<>> nickelfreesolutions.com
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27270
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ;; QUESTION SECTION:
 ;nickelfreesolutions.com.       IN      A
 ;; ANSWER SECTION:
 nickelfreesolutions.com. 600    IN      A       184.168.131.241
 ;; AUTHORITY SECTION:
 nickelfreesolutions.com. 3600   IN      NS      ns63.domaincontrol.com.
 nickelfreesolutions.com. 3600   IN      NS      ns64.domaincontrol.com.
 ;; ADDITIONAL SECTION:
 ns63.domaincontrol.com. 6454    IN      A       97.74.101.42
 ns64.domaincontrol.com. 6885    IN      A       173.201.69.42
 ;; Query time: 394 msec
 ;; SERVER: 192.168.0.1#53(192.168.0.1)
 ;; WHEN: Wed Feb 19 04:25:36 PST 2020
 ;; MSG SIZE  rcvd: 152
 ; <<>> DiG 9.11.5-P1-1-Debian <<>> scheepvaarttelefoongids.nl
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30333
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ;; QUESTION SECTION:
 ;scheepvaarttelefoongids.nl.    IN      A
 ;; ANSWER SECTION:
 scheepvaarttelefoongids.nl. 3600 IN     A       94.126.71.64
 ;; AUTHORITY SECTION:
 scheepvaarttelefoongids.nl. 3599 IN     NS      ns0.co-co.nl.
 scheepvaarttelefoongids.nl. 3599 IN     NS      ns1.co-co.nl.
 ;; ADDITIONAL SECTION:
 ns0.co-co.nl.           3599    IN      A       188.122.89.150
 ns1.co-co.nl.           3599    IN      A       141.138.205.119
 ;; Query time: 298 msec
 ;; SERVER: 192.168.0.1#53(192.168.0.1)
 ;; WHEN: Wed Feb 19 04:25:37 PST 2020
 ;; MSG SIZE  rcvd: 145
 ; <<>> DiG 9.11.5-P1-1-Debian <<>> tursan.net
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19418
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ;; QUESTION SECTION:
 ;tursan.net.                    IN      A
 ;; ANSWER SECTION:
 tursan.net.             300     IN      A       104.27.156.203
 tursan.net.             300     IN      A       104.27.157.203
 ;; AUTHORITY SECTION:
 tursan.net.             10800   IN      NS      terry.ns.cloudflare.com.
 tursan.net.             10800   IN      NS      serena.ns.cloudflare.com.
 ;; ADDITIONAL SECTION:
 terry.ns.cloudflare.com. 1568   IN      A       173.245.59.237
 serena.ns.cloudflare.com. 9826  IN      A       173.245.58.220
 ;; Query time: 177 msec
 ;; SERVER: 192.168.0.1#53(192.168.0.1)
 ;; WHEN: Wed Feb 19 04:25:37 PST 2020
 ;; MSG SIZE  rcvd: 161
 ; <<>> DiG 9.11.5-P1-1-Debian <<>> plannersanonymous.com
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32916
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ;; QUESTION SECTION:
 ;plannersanonymous.com.         IN      A
 ;; ANSWER SECTION:
 plannersanonymous.com.  3600    IN      A       209.99.64.44
 ;; AUTHORITY SECTION:
 plannersanonymous.com.  10800   IN      NS      this-domain-for-sale.com.
 plannersanonymous.com.  10800   IN      NS      ns.buydomains.com.
 ;; ADDITIONAL SECTION:
 ns.buydomains.com.      4157    IN      A       52.4.207.204
 this-domain-for-sale.com. 4157  IN      A       52.20.26.87
 ;; Query time: 371 msec
 ;; SERVER: 192.168.0.1#53(192.168.0.1)
 ;; WHEN: Wed Feb 19 04:25:37 PST 2020
 ;; MSG SIZE  rcvd: 161
 ; <<>> DiG 9.11.5-P1-1-Debian <<>> doing.fr
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23501
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ;; QUESTION SECTION:
 ;doing.fr.                      IN      A
 ;; ANSWER SECTION:
 doing.fr.               600     IN      A       91.103.232.161
 ;; AUTHORITY SECTION:
 doing.fr.               10799   IN      NS      dns2.doing-net.com.
 doing.fr.               10799   IN      NS      dns1.doing-net.com.
 ;; ADDITIONAL SECTION:
 dns1.doing-net.com.     600     IN      A       91.103.232.130
 dns2.doing-net.com.     600     IN      A       217.70.191.85
 ;; Query time: 606 msec
 ;; SERVER: 192.168.0.1#53(192.168.0.1)
 ;; WHEN: Wed Feb 19 04:25:38 PST 2020
 ;; MSG SIZE  rcvd: 136
 ; <<>> DiG 9.11.5-P1-1-Debian <<>> saltstack.com
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29255
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 5
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 4096
 ;; QUESTION SECTION:
 ;saltstack.com.                 IN      A
 ;; ANSWER SECTION:
 saltstack.com.          60      IN      A       13.35.253.14
 saltstack.com.          60      IN      A       13.35.253.129
 saltstack.com.          60      IN      A       13.35.253.69
 saltstack.com.          60      IN      A       13.35.253.113
 ;; AUTHORITY SECTION:
 saltstack.com.          10800   IN      NS      ns-1074.awsdns-06.org.
 saltstack.com.          10800   IN      NS      ns-1843.awsdns-38.co.uk.
 saltstack.com.          10800   IN      NS      ns-775.awsdns-32.net.
 saltstack.com.          10800   IN      NS      ns-39.awsdns-04.com.
 ;; ADDITIONAL SECTION:
 ns-39.awsdns-04.com.    9606    IN      A       205.251.192.39
 ns-775.awsdns-32.net.   8509    IN      A       205.251.195.7
 ns-1074.awsdns-06.org.  3996    IN      A       205.251.196.50
 ns-1843.awsdns-38.co.uk. 2151   IN      A       205.251.199.51
 ;; Query time: 151 msec
 ;; SERVER: 192.168.0.1#53(192.168.0.1)
 ;; WHEN: Wed Feb 19 04:25:38 PST 2020
  • The time taken by massdns is around 1-2 seconds for the same domains.
# massdns -r lists/resolvers.txt -w hoo.txt iot.txt
 Privileges have been dropped to "nobody:nogroup" for security reasons.
 Processed queries: 0
 Received packets: 0
 Progress: 0.00% (00 h 00 min 00 sec / 00 h 00 min 00 sec)
 Current incoming rate: 0 pps, average: 0 pps
 Current success rate: 0 pps, average: 0 pps
 Finished total: 0, success: 0 (0.00%)
 Mismatched domains: 0 (0.00%), IDs: 0 (0.00%)
 Failures: 0: 0.00%, 1: 0.00%, 2: 0.00%, 3: 0.00%, 4: 0.00%, 5: 0.00%, 6: 0.00%, 7: 0.00%, 8: 0.00%, 9: 0.00%, 10: 0.00%, 11: 0.00%, 12: 0.00%, 13: 0.00%, 14: 0.00%, 15: 0.00%, 16: 0.00%, 17: 0.00%, 18: 0.00%, 19: 0.00%, 20: 0.00%, 21: 0.00%, 22: 0.00%, 23: 0.00%, 24: 0.00%, 25: 0.00%, 26: 0.00%, 27: 0.00%, 28: 0.00%, 29: 0.00%, 30: 0.00%, 31: 0.00%, 32: 0.00%, 33: 0.00%, 34: 0.00%, 35: 0.00%, 36: 0.00%, 37: 0.00%, 38: 0.00%, 39: 0.00%, 40: 0.00%, 41: 0.00%, 42: 0.00%, 43: 0.00%, 44: 0.00%, 45: 0.00%, 46: 0.00%, 47: 0.00%, 48: 0.00%, 49: 0.00%, 50: 0.00%,
 Response: | Success:               | Total:
 OK:       |            0 (  0.00%) |            0 (  0.00%)
 NXDOMAIN: |            0 (  0.00%) |            0 (  0.00%)
 SERVFAIL: |            0 (  0.00%) |            0 (  0.00%)
 REFUSED:  |            0 (  0.00%) |            0 (  0.00%)
 FORMERR:  |            0 (  0.00%) |            0 (  0.00%)
 Processed queries: 24
 Received packets: 23
 Progress: 100.00% (00 h 00 min 01 sec / 00 h 00 min 01 sec)
 Current incoming rate: 22 pps, average: 22 pps
 Current success rate: 22 pps, average: 22 pps
 Finished total: 23, success: 23 (100.00%)
 Mismatched domains: 0 (0.00%), IDs: 0 (0.00%)
 Failures: 0: 82.61%, 1: 21.74%, 2: 0.00%, 3: 0.00%, 4: 0.00%, 5: 0.00%, 6: 0.00%, 7: 0.00%, 8: 0.00%, 9: 0.00%, 10: 0.00%, 11: 0.00%, 12: 0.00%, 13: 0.00%, 14: 0.00%, 15: 0.00%, 16: 0.00%, 17: 0.00%, 18: 0.00%, 19: 0.00%, 20: 0.00%, 21: 0.00%, 22: 0.00%, 23: 0.00%, 24: 0.00%, 25: 0.00%, 26: 0.00%, 27: 0.00%, 28: 0.00%, 29: 0.00%, 30: 0.00%, 31: 0.00%, 32: 0.00%, 33: 0.00%, 34: 0.00%, 35: 0.00%, 36: 0.00%, 37: 0.00%, 38: 0.00%, 39: 0.00%, 40: 0.00%, 41: 0.00%, 42: 0.00%, 43: 0.00%, 44: 0.00%, 45: 0.00%, 46: 0.00%, 47: 0.00%, 48: 0.00%, 49: 0.00%, 50: 0.00%,
 Response: | Success:               | Total:
 OK:       |           20 ( 86.96%) |           20 ( 86.96%)
 NXDOMAIN: |            1 (  4.35%) |            1 (  4.35%)
 SERVFAIL: |            2 (  8.70%) |            2 (  8.70%)
 REFUSED:  |            0 (  0.00%) |            0 (  0.00%)
 FORMERR:  |            0 (  0.00%) |            0 (  0.00%)
 Processed queries: 24
 Received packets: 25
 Progress: 100.00% (00 h 00 min 01 sec / 00 h 00 min 01 sec)
 Current incoming rate: 103 pps, average: 24 pps
 Current success rate: 51 pps, average: 23 pps
 Finished total: 24, success: 24 (100.00%)
 Mismatched domains: 1 (4.00%), IDs: 0 (0.00%)
 Failures: 0: 79.17%, 1: 16.67%, 2: 4.17%, 3: 0.00%, 4: 0.00%, 5: 0.00%, 6: 0.00%, 7: 0.00%, 8: 0.00%, 9: 0.00%, 10: 0.00%, 11: 0.00%, 12: 0.00%, 13: 0.00%, 14: 0.00%, 15: 0.00%, 16: 0.00%, 17: 0.00%, 18: 0.00%, 19: 0.00%, 20: 0.00%, 21: 0.00%, 22: 0.00%, 23: 0.00%, 24: 0.00%, 25: 0.00%, 26: 0.00%, 27: 0.00%, 28: 0.00%, 29: 0.00%, 30: 0.00%, 31: 0.00%, 32: 0.00%, 33: 0.00%, 34: 0.00%, 35: 0.00%, 36: 0.00%, 37: 0.00%, 38: 0.00%, 39: 0.00%, 40: 0.00%, 41: 0.00%, 42: 0.00%, 43: 0.00%, 44: 0.00%, 45: 0.00%, 46: 0.00%, 47: 0.00%, 48: 0.00%, 49: 0.00%, 50: 0.00%,
 Response: | Success:               | Total:
 OK:       |           21 ( 87.50%) |           21 ( 84.00%)
 NXDOMAIN: |            1 (  4.17%) |            1 (  4.00%)
 SERVFAIL: |            2 (  8.33%) |            3 ( 12.00%)
 REFUSED:  |            0 (  0.00%) |            0 (  0.00%)
 FORMERR:  |            0 (  0.00%) |            0 (  0.00%)
  • The 8-9 second difference does not matter much here, but it does when you run the test with 500-plus domains: 599 domains took 11 seconds, which is remarkably good.
Processed queries: 599
 Received packets: 1146
 Progress: 100.00% (00 h 00 min 11 sec / 00 h 00 min 11 sec)
 Current incoming rate: 163 pps, average: 107 pps
 Current success rate: 12 pps, average: 55 pps
 Finished total: 587, success: 587 (100.00%)
 Mismatched domains: 559 (48.78%), IDs: 0 (0.00%)
 Failures: 0: 19.25%, 1: 60.65%, 2: 14.48%, 3: 2.73%, 4: 0.85%, 5: 0.00%, 6: 0.34%, 7: 0.17%, 8: 0.00%, 9: 0.17%, 10: 0.00%, 11: 0.00%, 12: 0.00%, 13: 0.00%, 14: 0.00%, 15: 0.00%, 16: 0.00%, 17: 0.00%, 18: 0.00%, 19: 0.00%, 20: 1.02%, 21: 0.34%, 22: 0.00%, 23: 0.00%, 24: 0.00%, 25: 0.00%, 26: 0.00%, 27: 0.00%, 28: 0.00%, 29: 0.00%, 30: 0.00%, 31: 0.00%, 32: 0.00%, 33: 0.00%, 34: 0.00%, 35: 0.00%, 36: 0.00%, 37: 0.00%, 38: 0.00%, 39: 0.00%, 40: 0.00%, 41: 0.00%, 42: 0.00%, 43: 0.00%, 44: 0.00%, 45: 0.00%, 46: 0.00%, 47: 0.00%, 48: 0.00%, 49: 0.00%, 50: 0.00%,
 Response: | Success:               | Total:
 OK:       |          485 ( 82.62%) |          888 ( 77.49%)
 NXDOMAIN: |           81 ( 13.80%) |          121 ( 10.56%)
 SERVFAIL: |           21 (  3.58%) |          137 ( 11.95%)
 REFUSED:  |            0 (  0.00%) |            0 (  0.00%)
 FORMERR:  |            0 (  0.00%) |            0 (  0.00%)
  • The time taken by the dig tool goes up to approximately 10 minutes in the lab, which is high in comparison to massdns.

Use nslookup for footprinting
https://www.securitynewspaper.com/2018/11/23/use-nslookup-for-footprinting/
Fri, 23 Nov 2018 07:45:10 +0000

WHAT IS A DNS (DOMAIN NAME SERVER)?

Domain Name Server, or more precisely Domain Name System, is a distributed system that helps humans remember the name of a website. Websites are hosted on servers that are reached by their IP address, and humans cannot remember IP addresses all the time; that is where DNS helps. DNS turns a readable name into the IP address behind it, so anyone can remember the address of a website, according to ethical hacking professors.

An ethical hacking researcher details how to use nslookup for ethical hacking activities and which DNS queries help in the information gathering phase of website analysis. DNS acts like an address book for the internet: if you know a name but not its IP address, you look it up in the address book. DNS works the same way.

For instance, if a user visits webimprints.com in a browser, the computer uses DNS to obtain the website's IP address, which is 23.229.216.201.

DNS RECORD TYPES:-

DNS record types are generally used by a DNS editor who makes changes in the Domain Name Server.

  • A – SHOWS HOST IP ADDRESS
  • MX – SHOWS THE DOMAIN MAIL SERVER
  • CNAME – CANONICAL NAME, POINTS A DOMAIN OR SUBDOMAIN TO ANOTHER NAME
  • NS – SHOWS HOST NAME SERVER
  • SRV – SHOWS SERVICE RECORDS
  • PTR – MAPS IP ADDRESS TO HOSTNAME
  • RP – RESPONSIBLE PERSON
  • HINFO – HOLDS HOST INFORMATION
  • TXT – TEXT RECORD (ARBITRARY TEXT ATTACHED TO A NAME)

The DNS record types listed above are the ones commonly used to gather information about a website, mention ethical hacking consultants.

NOW THE NSLOOKUP:-

NSLOOKUP is used to check whether DNS records are configured properly.

  • To start using NSLOOKUP, first open the COMMAND PROMPT.
  • In Windows, go to the Start menu and type CMD; when the Command Prompt appears, click CMD.EXE.
  • After opening CMD, type NSLOOKUP in the Command Prompt as shown in the screenshot below.
  • The first lines of the result tell us the default server and its address:

Default Server: Unknown
Address: (default gateway)

  • The default server is Unknown because no reverse lookup zone has been set up, as per ethical hacking courses. Normally DNS queries are forward lookups; a reverse lookup zone is the opposite. To enable reverse lookup you create PTR records, which map names under the in-addr.arpa domain to the actual host names.
  • The address will be the default gateway of your ISP (Internet Service Provider).

NOW YOU CAN START WITH THE DNS RECORD TYPES:

DNS RECORD TYPE = A : SHOWS THE ADDRESS RECORD

  • After the above command, type a particular domain name:

webimprints.com

As you can see in the above screenshot, NSLOOKUP shows:

  • The name of the server: webimprints.com
  • After the name, the address of the server, which is 23.229.216.201.
  • If you type set type=A and press Enter you get the same result as in the image above; by default NSLOOKUP queries the DNS server for type A records.

DNS RECORD TYPE = MX : SHOWS TO DOMAIN MAIL SERVER

  • Type set type=MX and press Enter
  • Now type webimprints.com

In the above screenshot you see the mail servers. The MX records mean that the domain webimprints.com has mail exchange records. An MX record, or mail exchange record, tells where mail for a particular domain (here webimprints.com) is to be delivered, as shown above.

  • The first two lines show the rDNS (reverse DNS) name of the Google DNS server and its IP address, 8.8.8.8.
  • The next 5 lines show 5 MX (mail exchange) records.
  • Each MX record has its own preference value, and lower numbers mean higher preference. Mail is first sent to the MX host with the lowest preference value; if that host is not reachable, the MX host with the next higher value is used. Records that share the same preference value are used simultaneously.
  • If ALT1.ASPMX.L.GOOGLE.COM is down, mail is sent to ALT2.ASPMX.L.GOOGLE.COM.
  • If ALT2.ASPMX.L.GOOGLE.COM is down, it is sent to ASPMX.L.GOOGLE.COM, and this cycle goes on until the mail is delivered.
  • Each MX target host needs its own A record so that a name such as ALT1.ASPMX.L.GOOGLE.COM resolves to an address.

DNS RECORD TYPE = CNAME : SHOWS CANONICAL NAME

In the above screenshot you see what the canonical name points to. This CNAME record means that the website webimprints.com has an alias pointing to another name.

  • A CNAME record maps a domain or subdomain to a different domain. For each CNAME, the DNS lookup continues with the target domain's resolution to obtain the final answer.
  • When a name server is asked, the first DNS lookup finds the CNAME entry and its target.
  • CNAME records exist so that several names can share one canonical name. You should not use a CNAME record for a name that sends or receives email, as mail servers handle such names unpredictably. The target of a CNAME record should also have a normal A record.

DNS RECORD TYPE = NS : SHOWS HOST NAME SERVER

  • Type set type=NS and press Enter
  • Now type webimprints.com

In the above screenshot you see the host name servers. These are the NS records for the webimprints.com domain, and they mean that webimprints.com has 2 host DNS servers.

  • At the root level it is important that some trustworthy name servers are configured to respond to queries for a domain name, explain ethical hacking specialists.
  • A name server is a server with a DNS package installed. A name server owned by a web host is used specifically to manage the domain names of its hosting customers.
  • Requests are sent to the name servers in random order; if one host does not respond, another host is used.

DNS RECORD TYPE = SRV : INDICATE AUTHORITY FOR DOMAIN

  • Type set type=SRV and press enter
  • Now type webimprints.com

SRV looks like:-

_service.protocol.webimprints.com SRV 10 0 5060 service.webimprint.com

_service.protocol.webimprints.com SRV 10 0 5020 service.webimprint.com

  • An SRV record is used to map a specific service that runs on the domain to a target domain. In some cases an SRV record allows traffic for a specific service to be directed to a different host.
  • An SRV record normally defines the service name and the transport protocol used, as part of the record's domain name.
  • The priority of both records comes out to be 10 and the weight of both records is 0.

Service   Protocol  Host             Priority  Weight  Port  Target
_service  protocol  webimprints.com  10        0       5060  service.webimprint.com
_service  protocol  webimprints.com  10        0       5020  service.webimprint.com

  • Let us break down the whole SRV record:-
    • Service- The service name should be preceded by an underscore (_) and followed by a dot (.).
    • Protocol- The protocol name should also be preceded by an underscore (_).
    • Domain- The name of the domain that receives the original traffic.
    • Priority- The number marked in red is used in selecting the target. You can set targets according to your priority, which lets clients fall back to another server when the preferred target server is unavailable. Lower numbers are always given higher priority.
    • Weight- If two records have the same priority, the weight is used as the next tie-breaker.
    • Port- The TCP/UDP port on which the service is running.
    • Target- The target domain; that target domain should have an A record so that it resolves to an IP address.
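To show how a client actually uses the priority, weight, port and target fields described above, here is an added example (not code from the original post) that parses SRV lines in the layout shown and orders them as RFC 2782 prescribes. The sample text is constructed: the first two lines mirror the page's records, the third is a hypothetical lower-priority fallback added to show a non-zero weight.

```python
import random
import re
from collections import namedtuple

# Constructed sample in the layout shown above, not live nslookup output; the
# third line is a hypothetical fallback added to show priority 20 and weight 5.
SRV_TEXT = """\
_service.protocol.webimprints.com SRV 10 0 5060 service.webimprint.com
_service.protocol.webimprints.com SRV 10 0 5020 service.webimprint.com
_service.protocol.webimprints.com SRV 20 5 5061 fallback.webimprint.com
"""

# Owner name = service.protocol.domain; RDATA = priority weight port target.
SRV_RE = re.compile(
    r"^(?P<service>_[^.\s]+)\.(?P<proto>[^.\s]+)\.(?P<domain>\S+)\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)
Srv = namedtuple("Srv", "service proto domain priority weight port target")

def parse_srv(text):
    """Turn each well-formed line into an Srv; blank or malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            out.append(Srv(m["service"], m["proto"], m["domain"], int(m["prio"]),
                           int(m["weight"]), int(m["port"]), m["target"]))
    return out

def order_srv(records, seed=None):
    """Return (port, target) pairs in the order a client should try them: lowest
    priority first, equal priorities ordered by RFC 2782 weighted random choice."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        rng.shuffle(pool)                       # "any order" so weight-0 peers share load
        pool.sort(key=lambda r: r.weight != 0)  # ...but weight-0 records go first (RFC 2782)
        while pool:
            n = rng.randint(0, sum(r.weight for r in pool))
            acc, pick = 0, pool[-1]
            for cand in pool:                   # first record whose running sum >= n
                acc += cand.weight
                if acc >= n:
                    pick = cand
                    break
            ordered.append((pick.port, pick.target))
            pool.remove(pick)
    return ordered
```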

DNS RECORD TYPE = PTR : MAP IP ADDRESS TO HOSTNAME

  • Type set type=PTR and press enter
  • Now type webimprints.com
  • A PTR record enables rDNS (Reverse DNS) queries, matching an IP address to a domain name. It works the opposite way to an A (Address) record. Take for example 2 hosts:
  • For 172.16.0.1:

Type: PTR

Host: 1

Points to: host1.example.com

  • For 172.16.0.2:

Type: PTR

Host: 2

Points to: host2.example.com

The PTR records will be shown in Control Panel like this:

Host                     Type  Point-To           TTL
1.0.16.172.in-addr.arpa  PTR   host1.example.com  1 Hour
2.0.16.172.in-addr.arpa  PTR   host2.example.com  1 Hour

  • After creating PTR records, always make sure that the hosts mentioned have A records. In the above example, host1.example.com should have an A record pointing to 172.16.0.1 and host2.example.com one pointing to 172.16.0.2.
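The two checks the PTR section relies on, building the in-addr.arpa (or ip6.arpa) owner name from an address and confirming that the PTR target's A record points back, as an added example that is not part of the original post. The zone data is constructed to mirror the host1/host2 example above; the 172.16.0.3 entries are hypothetical and added to show a mismatch.

```python
import ipaddress

# Constructed zone data mirroring the PTR example above (not live DNS). The
# 172.16.0.3 entries are hypothetical: a PTR whose A record does not match.
PTR_RECORDS = {
    "1.0.16.172.in-addr.arpa": "host1.example.com",
    "2.0.16.172.in-addr.arpa": "host2.example.com",
    "3.0.16.172.in-addr.arpa": "host3.example.com",
}
A_RECORDS = {
    "host1.example.com": ["172.16.0.1"],
    "host2.example.com": ["172.16.0.2"],
    "host3.example.com": ["172.16.0.99"],  # forward answer disagrees with the PTR
}

def reverse_name(ip):
    """Owner name of the PTR record for ip: octets reversed under in-addr.arpa
    for IPv4, the 32 hex nibbles reversed under ip6.arpa for IPv6."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def lookup_ptr(ip):
    """Reverse lookup against the constructed zone; None when no PTR exists."""
    return PTR_RECORDS.get(reverse_name(ip))

def forward_confirmed(ip):
    """Forward-confirmed reverse DNS: the PTR target must have an A record that
    points back at ip. Returns (ok, detail) so a caller can log the reason."""
    host = lookup_ptr(ip)
    if host is None:
        return False, "no PTR record"
    if ip in A_RECORDS.get(host, []):
        return True, host
    return False, f"PTR names {host} but its A records do not include {ip}"
```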

DNS RECORD TYPE = RP : RESPONSIBLE PERSON

  • Type set type=RP and press enter
  • Now type webimprints.com
  • An RP record stores the email address of the person responsible for the domain. RP actually points out the person who is responsible for the host.
  • The mailbox name is stored with a single space separating it from a pointer to more information.
  • For instance: info.webimprints.com.info.people.webimprints.com to indicate info@webimprints.com.

DNS RECORD TYPE = HINFO : HOST INFORMATION HOLDS

  • Type set type=HINFO and press enter
  • Now type yourwebsite.com

HINFO looks like:-

Owner-name  ttl  class  rr     Hardware         OS
                 IN     HINFO  PC-INTEL-700MHZ  REDHAT LINUX

  • An HINFO record holds host information, including the CPU type and OS.
  • Such information is used by application protocols that need to know the operating system type and CPU of a computer.

DNS RECORD TYPE = TXT

  • Type set type=TXT and press enter
  • Now type webimprints.com

In the above screen shot the records are pointed out. These pointed records are the TXT records for the webimprints.com domain.

  • These TXT records mean that the website of webimprints.com has records that are not used for directing traffic.
  • A TXT record provides text information to other sources on the internet. This text can be human readable or machine readable.
  • A TXT record can hold the domain name, its contact number, or an address.
  • TXT records have some common uses, such as DomainKeys (DK), Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

> server 8.8.8.8
Default Server: google-public-dns-a.google.com
Address: 8.8.8.8

> webimprints.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
webimprints.com text =

        "google-site-verification=MXyHGRdPZ908baDtS31INOP5-ULVmF0APQl3XpTlY"

  • TXT records contain human readable information like:
    • Name – This is the host name for your domain, as marked in RED. The domain name is automatically appended to the name. Your base domain will be used by default if you leave the name blank.
    • Value – Now we are talking about what is marked in BLUE. If quotes are not used around one or more strings, they will be treated as separate strings.
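The Value field above is one RDATA made of one or more quoted strings, and the common uses listed (SPF, DKIM, site verification) are recognised by their prefix; the added example below (not code from the original post) parses nslookup-style "text =" output accordingly. The output is constructed: the first answer is the page's, the SPF line and the DKIM record under selector1._domainkey (with placeholder key parts) are hypothetical additions.

```python
import re

# Constructed nslookup-style output in the layout shown above (not captured
# from a live session). The SPF and DKIM answers are hypothetical additions;
# the DKIM public key parts are placeholders, split to show string joining.
NSLOOKUP_TXT = """\
Non-authoritative answer:
webimprints.com text =

        "google-site-verification=MXyHGRdPZ908baDtS31INOP5-ULVmF0APQl3XpTlY"
webimprints.com text =

        "v=spf1 include:_spf.google.com ~all"
selector1._domainkey.webimprints.com text =

        "v=DKIM1; k=rsa; " "p=EXAMPLEPUBLICKEYPARTONE" "EXAMPLEPUBLICKEYPARTTWO"
"""

OWNER_RE = re.compile(r"^(\S+)\s+text\s*=\s*$")
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one quoted <character-string>

def classify_txt(value):
    """Tag the common TXT uses named above by their leading token."""
    if value.startswith("v=spf1"):
        return "SPF"
    if value.startswith("v=DKIM1"):
        return "DKIM"
    if value.startswith("google-site-verification="):
        return "site-verification"
    return "other"

def parse_txt(output):
    """Return (owner, value, kind) per answer. Several quoted strings on one
    line form a single RDATA value and are joined with no separator, which is
    how SPF and DKIM consumers reassemble values longer than 255 bytes."""
    results, owner = [], None
    for line in output.splitlines():
        m = OWNER_RE.match(line.strip())
        if m:
            owner = m.group(1)   # remember the name until its value line arrives
            continue
        parts = QUOTED_RE.findall(line)
        if owner and parts:
            value = "".join(parts)
            results.append((owner, value, classify_txt(value)))
            owner = None
    return results
```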

Authoritative and Non-Authoritative DNS server

When you do an nslookup for webimprints.com you get a response from the local DNS server configured on your computer. This local DNS server is not the NS server of webimprints.com, so the response you receive from it is shown as non-authoritative.

> server 192.168.1.1
Default Server: [192.168.1.1]
Address: 192.168.1.1

> webimprints.com
Server: [192.168.1.1]
Address: 192.168.1.1

Non-authoritative answer:
Name: webimprints.com
Address: 23.229.216.201

> set type=NS
> webimprints.com
Server: [192.168.1.1]
Address: 192.168.1.1

Non-authoritative answer:
webimprints.com nameserver = ns20.domaincontrol.com
webimprints.com nameserver = ns19.domaincontrol.com

>

Now if we change the DNS server to one of the NS servers in the list and then do an nslookup against subdomain.webimprints.com, we will get an authoritative answer back, according to ethical hacking courses. These servers have authority for webimprints.com, and all other name servers are non-authoritative for it.

The post Use nslookup for footprinting appeared first on Information Security Newspaper | Hacking News.