The Domain Name System (DNS) is often called the 'phonebook of the internet,' but for hackers, it is much more than that. DNS is a goldmine for reconnaissance, a vector for attacks, and a covert channel for data exfiltration. In this lesson, you will learn how DNS works and how attackers exploit it.
When you type 'www.example.com' into your browser, a DNS resolver performs a recursive lookup to find the IP address. The process involves multiple server types in a specific hierarchy.
DNS Resolution Process:
1. Browser checks local cache → Not found
2. OS checks /etc/hosts and local cache → Not found
3. Query sent to configured DNS resolver (e.g., 8.8.8.8)
4. Resolver queries Root Server (.) → Refers to .com TLD
5. Resolver queries TLD Server (.com) → Refers to ns1.example.com
6. Resolver queries Authoritative Server (ns1.example.com) → Returns 93.184.216.34
7. Resolver caches result and returns IP to client
8. Browser connects to 93.184.216.34

| Record Type | Purpose | Hacker Relevance |
|---|---|---|
| A | Maps domain to IPv4 address | Target identification |
| AAAA | Maps domain to IPv6 address | IPv6 target discovery |
| CNAME | Canonical name (alias) | Finding related subdomains, cloud services |
| MX | Mail server | Email infrastructure mapping, phishing targets |
| NS | Name server | Identifying DNS infrastructure |
| TXT | Text records | Domain verification strings, SPF/DKIM info leakage |
| SOA | Start of authority | Domain admin email, zone transfer info |
| PTR | Reverse lookup (IP to domain) | Passive reconnaissance, identifying hosts |
DNS is one of the most valuable passive and active reconnaissance tools available. Here are the key techniques every hacker should know:
💡 Zone transfers (AXFR) are one of the most valuable DNS misconfigurations. If a DNS server allows zone transfers to anyone, you get a complete list of every host in the domain — including internal servers that were never meant to be public.
DNS queries are rarely blocked by firewalls because the internet literally cannot function without DNS. Attackers exploit this by tunneling data through DNS queries and responses. Tools like dnscat2 and iodine create full tunnels over DNS, allowing command-and-control (C2) communication and data exfiltration even in heavily restricted environments.
DNS Exfiltration Concept:
Attacker controls: evil.com (authoritative DNS server)
Compromised host encodes data in subdomain queries:
base64data1.evil.com → DNS query logged by attacker's server
base64data2.evil.com → More data exfiltrated
base64data3.evil.com → Even more data
Attacker decodes subdomains to reconstruct stolen data.
C2 commands sent back via DNS TXT record responses.

DNS traditionally uses UDP (no connection state), making it vulnerable to spoofing. An attacker who can forge a DNS response faster than the legitimate server can 'poison' the resolver's cache, causing it to return a malicious IP address. This is the basis of DNS spoofing attacks used in man-in-the-middle scenarios.
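Seen from the defender's side, the encoding scheme above leaves a distinctive trace in resolver logs: one base domain receiving many distinct queries whose leftmost label is long and looks like random base64. The following is an added example, not code from this lesson; it parses constructed log lines (the "<timestamp> <client_ip> <qname> <qtype>" format and the detection thresholds are assumptions) and reports base domains that match that pattern.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log: "<timestamp> <client_ip> <qname> <qtype>".
# The evil.com names carry constructed base64 chunks like the concept above;
# real tunnels split data into labels of at most 63 chars (the DNS label limit).
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com A
2024-01-01T10:00:02 10.0.0.5 mail.example.com MX
2024-01-01T10:00:03 10.0.0.7 aGVsbG8gd29ybGQgdGhpcyBpcyBzZWNyZXQ.evil.com TXT
2024-01-01T10:00:04 10.0.0.7 dGhlIHNlY29uZCBjaHVuayBvZiBkYXRhIGhlcmU.evil.com TXT
2024-01-01T10:00:05 10.0.0.7 YW5kIGEgdGhpcmQgY2h1bmsgb2YgZGF0YSBmb3I.evil.com TXT
2024-01-01T10:00:06 10.0.0.5 cdn.example.com CNAME
"""
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(label):
    """Bits per character: hostnames score low (~2-3), base64/hex blobs score ~4+."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def base_domain(qname):
    """Crude 'last two labels' grouping; a public-suffix list is needed for co.uk etc."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_tunnel_candidates(log_text, min_label_len=20, min_entropy=3.5, min_unique=3):
    """Map base domain -> sorted qnames whose leftmost label is long and high-entropy,
    keeping only domains that receive several distinct such names (one odd name is
    usually a CDN token; many distinct ones is the tunnel signature). Thresholds are
    assumptions to tune against your own baseline traffic."""
    per_domain = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crashing the pipeline
        qname = m.group(3)
        leftmost = qname.split(".")[0]
        if len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= min_entropy:
            per_domain[base_domain(qname)].add(qname)
    return {d: sorted(names) for d, names in per_domain.items() if len(names) >= min_unique}

if __name__ == "__main__":
    for domain, names in find_tunnel_candidates(SAMPLE_LOG).items():
        print(f"possible DNS tunnel to {domain}: {len(names)} suspicious queries")
```

On real traffic, pair this with a per-client query-rate check and allow-list known CDN and anti-spam domains, which also emit long encoded labels.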
⚠️ DNS cache poisoning attacks against real infrastructure are serious crimes. DNSSEC was designed to mitigate this by cryptographically signing DNS records, so a validating resolver can reject forged answers; it does not help when the resolver does not validate. Always practice these techniques in isolated lab environments.