Information Gathering Techniques ◾ 81
What Is DNS Cache Snooping?
A DNS cache snooping attack is the process of querying a DNS server to determine whether it has a particular resource record cached. This helps the attacker determine which websites the users of that server have recently visited. The resource record can be anything: an A record, a CNAME record, or a TXT record. We will focus on the A record, which lets us determine which sites the victim has visited.
This can be put to use when performing social engineering attacks, which we will discuss in the “Client Side Exploitation” chapter.
DNS cache snooping can be performed using two methods:
1. Nonrecursive method
2. Recursive method
Nonrecursive Method
This method is the easier of the two. Here is how we perform DNS cache snooping by the nonrecursive method:
1. The first step is to ask the DNS cache for a given resource record, for example, A, MX, or CNAME.
2. Next, we set the “Recursion Desired” (RD) bit in the query to 0, which makes it a nonrecursive query. The server then only checks its own DNS cache for the particular record, an “A” record in our case, instead of resolving the name on our behalf.
3. If the record is cached, that is, if the server finds the A record you asked for, the response is valid and returns an answer, indicating that someone using that server visited that particular website.
4. If the record is not cached, the server either replies with a referral to another server that can answer the query better, or it sends the contents of its root.hints DNS file, which contains the names and addresses of all the root DNS servers.
Examples
All this may seem a bit overwhelming, but the examples we are about to see will make things much easier. We will primarily use dig for our examples. You can also use nslookup if you are on a Windows box.
Command (dig):
dig @dns_server domain A +norecurse
The command is very simple: we use dig, followed by the nonrecursive dns_server you want to query, followed by the domain name, and then the record we are looking for, which in this case is an “A” record. The +norecurse option clears the Recursion Desired bit, so the query is sent as nonrecursive.
I found a name server that would accept nonrecursive DNS queries. I used it to query rafayhackingarticles.net to see if someone on the server visited rafayhackingarticles.net.
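To make the four steps concrete at the wire level, here is an added example (it is not code from the book) that builds the same query dig sends with +norecurse, a DNS header with the Recursion Desired bit cleared, and classifies a reply the way the steps describe: answer records mean the name was in the cache, a referral to other name servers (such as the root hints) means it was not, and a REFUSED code means the server does not accept nonrecursive queries at all. The two replies in demo() are constructed inline so the walk-through runs offline; the names example.com and a.root-servers.net and the address 192.0.2.1 are placeholders, and all function names are this example's own. query_resolver() sends the same query over UDP for checking a resolver you run yourself.

```python
"""Nonrecursive DNS cache-snooping check built from the RFC 1035 wire format.

Added example, not from the book: build a query with RD=0 (what
``dig +norecurse`` sends) and classify the reply as cached / not cached.
"""
import random
import socket
import struct

# Header flag bits, RFC 1035 section 4.1.1
FLAG_QR = 0x8000      # message is a response
FLAG_RD = 0x0100      # recursion desired
FLAG_RA = 0x0080      # recursion available
RCODE_MASK = 0x000F   # low four bits carry the response code
RCODE_REFUSED = 5
TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1


def encode_name(name):
    """Encode a dotted name as DNS labels; "." (the root) becomes a single 0 byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_A, recursion_desired=False, txid=None):
    """Build a wire-format query. recursion_desired=False leaves the RD bit
    clear, so the server is asked to answer only from what it already holds."""
    if txid is None:
        txid = random.randrange(0x10000)
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def parse_header(msg):
    """Unpack the 12-byte header into its id, flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def classify_response(msg):
    """Apply the text's decision rule to a nonrecursive reply."""
    h = parse_header(msg)
    if not h["flags"] & FLAG_QR:
        return "not a response"
    if h["flags"] & RCODE_MASK == RCODE_REFUSED:
        return "refused (server rejects nonrecursive queries)"
    if h["ancount"] > 0:
        return "cached"                  # answered from the cache
    if h["nscount"] > 0:
        return "not cached (referral)"   # pointed at root/other servers instead
    return "not cached (empty)"


def build_response(query, answer_rrs=(), authority_rrs=()):
    """Constructed reply for the offline demo: echoes the query's id and
    question, sets QR, and appends (name, type, rdata) records with TTL 300."""
    h = parse_header(query)
    flags = FLAG_QR | FLAG_RA | (h["flags"] & FLAG_RD)
    header = struct.pack("!HHHHHH", h["id"], flags, 1,
                         len(answer_rrs), len(authority_rrs), 0)
    body = b""
    for name, rtype, rdata in list(answer_rrs) + list(authority_rrs):
        body += encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return header + query[12:] + body


def query_resolver(server, name, timeout=3.0):
    """Send one nonrecursive A query over UDP and classify the reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(4096)
    if parse_header(reply)["id"] != parse_header(q)["id"]:
        return "mismatched transaction id"
    return classify_response(reply)


def demo():
    """Offline walk-through: two constructed replies to the same RD=0 query."""
    q = build_query("example.com", txid=0x1234)
    cached = build_response(q, answer_rrs=[("example.com", TYPE_A, bytes([192, 0, 2, 1]))])
    referral = build_response(q, authority_rrs=[(".", TYPE_NS, encode_name("a.root-servers.net"))])
    return classify_response(cached), classify_response(referral)


if __name__ == "__main__":
    print(demo())  # ('cached', 'not cached (referral)')
```

Running demo() shows the two outcomes from steps 3 and 4 side by side; query_resolver("192.0.2.53", "example.com") would do the same against a live server. A resolver that returns "refused" is one configured not to serve nonrecursive queries to outside clients, which is exactly the distinction the text draws when it mentions finding a server that "would accept nonrecursive DNS queries".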