DNS / BIND
aka BIND, named
Name service on 53. An allowed zone transfer (AXFR) dumps every record in a zone, instantly revealing subdomains and internal hosts.
Ports
| Port | Proto | Notes |
|---|---|---|
| 53 | tcp | zone transfers, large responses |
| 53 | udp | standard queries |
Fingerprint
- TCP 53 open is a strong hint that AXFR may be allowed
- version.bind CHAOS TXT query leaks the BIND version
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /etc/named.conf | BIND config (zones, allow-transfer, keys) | sensitive |
| /etc/bind/named.conf.local | zone definitions on Debian | sensitive |
| /var/named/ | zone files with all records | |
| /etc/bind/rndc.key | TSIG key for rndc control | sensitive |
Service users
named, bind
Exploitation primitives
- Zone transfer: dig axfr <domain> @<TARGET> dumps the whole zone (subdomains, internal IPs)
- Reverse lookups and PTR sweeps to map hosts
- Dynamic DNS updates (nsupdate) when allow-update is misconfigured
Overview
DNS on 53 is mostly a recon goldmine. When a server allows zone transfers to arbitrary clients, you get the entire zone in one request, which often exposes preprod/internal subdomains you would never have guessed.
Enumeration
Reverse lookup for the hostname:
dig @<TARGET> -x <TARGET>
Attempt a zone transfer:
dig axfr <domain> @<TARGET>
Leak the BIND version:
dig version.bind chaos txt @<TARGET>
Add every name you recover to /etc/hosts and re-scan those vhosts.
Hardening
Restrict allow-transfer to secondary name servers only, and disable version disclosure.
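A hardened named.conf that implements this line, added here as an illustration rather than a config taken from the page or from any real host. The zone name, secondary addresses, key name and TSIG secret are assumed placeholders; each hardened statement carries a comment naming the weak default it replaces.

```conf
// Constructed example: hardened authoritative BIND configuration.
// example.com, 192.0.2.53, 198.51.100.53 and "xfer-key" are placeholders.

acl "secondaries" { 192.0.2.53; 198.51.100.53; };   // assumed secondary name servers

key "xfer-key" {                 // TSIG key shared with the secondaries (tsig-keygen output)
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";              // placeholder, not a real key
};

options {
    directory "/var/named";
    // Weak default: version.bind CH TXT returns the real build string.
    version "not disclosed";
    // Weak default: unless restricted, transfers are permitted to any host.
    // Deny globally here and re-enable only per zone below.
    allow-transfer { none; };
    recursion no;                // authoritative-only server
};

zone "example.com" IN {
    type primary;                // "master" on older BIND releases
    file "/var/named/example.com.zone";
    // Transfers only with a valid TSIG signature; use { secondaries; } to
    // restrict by source address instead, or combine both.
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.53; 198.51.100.53; };      // push NOTIFY to the secondaries
    // Weak setting from the primitives list: a permissive allow-update lets
    // nsupdate rewrite records. Refuse all dynamic updates.
    allow-update { none; };
};
```

Validate with named-checkconf /etc/named.conf before reloading. Afterwards, dig axfr example.com @<server> from an unlisted client should fail with "Transfer failed." and dig version.bind chaos txt @<server> should return only the configured string.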