DuckTank Hack Tips #1: Mapping DNS
This tip presents the idea of DNS mapping as well as some possible ways to help deter a person from mapping your network.
There are lots of things a "hacker" needs to understand if he/she wants to take advantage of your network. One of those things is
your network layout or map. Networked computers use the Domain Name System (DNS for short) to map hostnames (e.g. ducktank.net)
to their IP addresses, and IP addresses back to hostnames.
To check the network map of your target network, you need to know which machine is the target's authoritative name server. You
can start from a UNIX prompt by typing the following command at the terminal window:
nslookup domain-name
With any luck, this will produce a response giving you the name and IP address of YOUR DNS server (the one that answered the
query) along with the hostname and IP address of the target machine. Note that this does not yet tell you the target's own name
server: that is the machine listed in the domain's NS records, which nslookup will show you if you set the query type to NS
(set type=NS at the nslookup prompt) before looking the domain up. At this point, you will want to point nslookup at that target
name server, so you can see what machines it knows about (its network map). To do this, type in the following command at the
nslookup prompt (server is an nslookup command, not a shell command):
server IP
The IP address that you should have used in the previous command was the IP address of the target's name server. If the target
name server accepts your connection, you need a listing of all the machines in its zone. You can request one by typing:
ls -d domain-name > file-name
At this point, if everything worked out correctly, you should have a listing of every record in the target zone, hostnames and
IPs included, saved in the file-name that you specified.
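The listing you get back is one resource record per line, and most of it (SOA, NS, MX, TXT, CNAME) is not the host-to-address
map you are after. The script below is an added example, not part of the original tip, that reduces zone-transfer output to a
"hostname ip" inventory. SAMPLE_AXFR is constructed output in the record format printed by dig (the modern equivalent of
nslookup's ls -d is dig @ns1.example.com example.com AXFR); example.com and the 192.0.2.x addresses are documentation values
standing in for a real target.

```sh
#!/bin/sh
# Added example, not part of the original tip: turn raw zone-transfer output
# into a "hostname ip" inventory of the target network.
# The transfer itself comes from nslookup's "ls -d domain-name", or in the
# newer dig syntax:  dig @ns1.example.com example.com AXFR
# SAMPLE_AXFR below is CONSTRUCTED output in dig's record format; example.com
# and 192.0.2.0/24 are documentation names/addresses, not a real network.

SAMPLE_AXFR='example.com.             3600 IN SOA   ns1.example.com. hostmaster.example.com. 1998051201 7200 3600 1209600 3600
example.com.             3600 IN NS    ns1.example.com.
example.com.             3600 IN MX    10 mail.example.com.
ns1.example.com.         3600 IN A     192.0.2.53
mail.example.com.        3600 IN A     192.0.2.25
www.example.com.         3600 IN A     192.0.2.80
db-internal.example.com. 3600 IN A     192.0.2.100
db-internal.example.com. 3600 IN TXT   "Oracle 8 on Solaris 2.6"
intranet.example.com.    3600 IN CNAME www.example.com.
example.com.             3600 IN SOA   ns1.example.com. hostmaster.example.com. 1998051201 7200 3600 1209600 3600'

# extract_hosts: read zone-transfer output on stdin and print "hostname ip"
# for every A record, one per line, sorted.  SOA, NS, MX, TXT and CNAME
# records are skipped because they carry no address of their own (the TXT
# line above is the kind of bonus information a zone can leak, though).
extract_hosts() {
    awk '$3 == "IN" && $4 == "A" { sub(/\.$/, "", $1); print $1, $5 }' | sort -u
}

# count_hosts: number of distinct addresses learned from the transfer on stdin.
count_hosts() {
    extract_hosts | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}

# map_sample: run the inventory over the constructed sample.  Against a live
# target, replace the printf with the real nslookup or dig transfer.
map_sample() {
    printf '%s\n' "$SAMPLE_AXFR" | extract_hosts
}
```

Run map_sample to see the four addressed hosts; notice that the internal database server shows up alongside the public web
and mail hosts, which is exactly why a zone transfer is worth more to an attacker than a port scan of the hosts they already
know about.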
Okay, so we know how to pull the whole zone out of another domain's name server. This is called a zone transfer (an AXFR query).
Now how do we stop it? At this point, it all fades into shades of grey depending on what OS you're using and what DNS. What it
all really boils down to is turning off, or restricting to your own secondary servers, the zone transfer function in your DNS or
bind configuration (in bind's named.conf this is the allow-transfer option). Take a look at the appropriate man pages or
documentation for your version of bind to see what you need to do.
BUT BEWARE! Turning off zone transfers won't necessarily stop the mapping. It will just slow it down in most cases. A simple
shell script under UNIX can run through an entire range of IP addresses, asking for the reverse (PTR) record of each one, and
will yield much the same list as a zone transfer, except that no zone transfer ever takes place. If your DNS server answers
lookups from anyone at all, then you are still vulnerable to mapping.
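The sweep described above, as an added example that is not part of the original tip. It asks for the PTR record of every
address in a range using dig (the reverse_lookup function is the only place the resolver is called, so it can be swapped for
host(1) or nslookup); 192.0.2 is a documentation prefix standing in for the target network.

```sh
#!/bin/sh
# Added example, not part of the original tip: map a network without a zone
# transfer by requesting the PTR (reverse) record for every address in a
# range.  Only ordinary lookups are made, so allow-transfer does not help;
# the server has to refuse queries from strangers to stop this.
# 192.0.2.0/24 is a documentation prefix used here as a stand-in target.

# reverse_lookup IP: print the hostname for IP, or nothing if it has no PTR.
# Uses dig(1); redefine this function to use host(1), nslookup, or a stub.
reverse_lookup() {
    dig +short -x "$1" 2>/dev/null | sed 's/\.$//'
}

# sweep PREFIX [FIRST] [LAST]: try PREFIX.FIRST .. PREFIX.LAST and print
# "ip hostname" for every address that has a PTR record.
sweep() {
    prefix=$1
    first=${2:-1}
    last=${3:-254}
    i=$first
    while [ "$i" -le "$last" ]; do
        ip="$prefix.$i"
        name=$(reverse_lookup "$ip")
        if [ -n "$name" ]; then
            printf '%s %s\n' "$ip" "$name"
        fi
        i=$((i + 1))
    done
}
```

Run sweep 192.0.2 against a network you are auditing and you get the same "ip hostname" inventory a zone transfer would
have given you, one query per address. The questions go to whoever serves the in-addr.arpa zone for that range, which is
often the ISP rather than the site itself, so the site's own name-server settings may not even be consulted.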
So, can we stop it? As I mentioned before, it all depends on your OS and the version of bind that you are using. There is a new
version of bind that allows you to permit lookups by subnet or by specific IP address (the allow-query option in named.conf).
You basically set up filtering on the DNS server: good guys can do lookups, everyone else gets rejected. This new version also
allows key usage, so that your DNS transactions (zone transfers in particular) are signed with a shared key and the server can
tell a genuine secondary from a stranger. Note that the keys authenticate the transactions rather than encrypt them; the data is
still sent in the clear. At the same time, it is backward compatible with name servers that can't use keys yet. You can get the
new version of bind at
The Internet Software Consortium along with any documentation you may need.
The current version number, as of this date, is 8.1.2.
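What that filtering looks like in practice, as an added example that is not part of the original tip or of the bind
distribution: a named.conf fragment in bind 8 syntax. The acl, allow-query and allow-transfer statements are the ones
discussed above; the key and server statements use the transaction-signature (TSIG) syntax of bind 8.2 and later, which is
an assumption relative to the 8.1.2 named on this page. The secret is a placeholder and the addresses are documentation
ranges standing in for your own networks.

```conf
// Added example, not from the original tip: named.conf fragment (bind 8
// syntax) limiting who may query this server and who may transfer its zones.
// 192.0.2.0/24 and 198.51.100.0/24 stand in for your own networks.

// Before: nothing restricted.  Anyone can run "ls -d example.com" against
// this server and receive the whole zone, and anyone can sweep PTR records.
//
// zone "example.com" {
//     type master;
//     file "db.example.com";
// };

acl "ourhosts"    { 192.0.2.0/24; 198.51.100.0/24; localhost; };
acl "secondaries" { 192.0.2.54; 198.51.100.53; };

options {
    directory "/var/named";
    // Server-wide defaults: answer only our own networks, transfer nothing.
    // Individual zones below override these where the public needs answers.
    allow-query    { "ourhosts"; };
    allow-transfer { none; };
};

// Shared key for signed zone transfers (bind 8.2+ TSIG syntax; the secret is
// a placeholder, generate your own).  The signature proves the request came
// from a holder of the key; it does not hide the zone data on the wire.
key "axfr-key" {
    algorithm hmac-md5;
    secret "cGxhY2Vob2xkZXIta2V5LXJlcGxhY2UtbWU=";
};
server 192.0.2.54    { keys { "axfr-key"; }; };
server 198.51.100.53 { keys { "axfr-key"; }; };

zone "example.com" {
    type master;
    file "db.example.com";
    // The public zone must answer the whole world, but only signed requests
    // may transfer it.  On a bind without key support, use the address
    // list instead:  allow-transfer { "secondaries"; };
    allow-query    { any; };
    allow-transfer { key "axfr-key"; };
};

zone "2.0.192.in-addr.arpa" {
    type master;
    file "db.192.0.2";
    // Reverse zone: restricting PTR answers to our own hosts stops outside
    // sweeps, at the cost of outsiders (mail servers, for instance) no
    // longer being able to resolve our addresses to names.  Only matters if
    // this server, rather than the ISP, is authoritative for the range.
    allow-query    { "ourhosts"; };
    allow-transfer { key "axfr-key"; };
};
```

Two things to keep in mind. Elements of an address match list are alternatives, so listing both a key and an address list
in allow-transfer lets either one through; pick the key alone if you want transfers to require a signature. And whatever
you filter, a name that is in the public zone is public: hosts that only your own users need to resolve are better kept
out of the zone the world can query, served instead by a name server that only "ourhosts" can reach.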