DNS
Last updated
Was this helpful?
Last updated
Was this helpful?
AD-DS (Active Directory Domain Services) rely on DNS SRV RR (service location resource records). Those records can be queried to find the location of some servers: the global catalog, LDAP servers, the Kerberos KDC and so on.
nslookup is a DNS client that can be used to query SRV records. It usually comes with the package.
The same commands can be operated the old way with nslookup.
In order to function properly, the tools need to know the domain name and which nameservers to query. That information is usually and stored in the /etc/resolv.conf or /run/systemd/resolve/resolv.conf file in UNIX-like systems.
If needed, the nameservers may be found with a port scan on the network by looking for DNS ports 53/TCP and 53/UDP.
In Active Directory Integrated DNS, reverse lookup zones are used to resolve IP addresses to hostnames. This operation relies on DNS PTR records. This allows to find the names of the hosts in a network. The presence of reverse lookup zones is not mandatory in Active Directory, hence limiting reverse lookup capabilities.
By default any user in Active Directory can enumerate all DNS records in the Domain or Forest DNS zones, similarly to a zone transfer.
If zone transfers are allowed, dig can be used to request a zone transfer.
can be used for that purpose.
Alternatively, it can be achieved using .
netexec's module utilizes WMI to dump DNS information from an Active Directory DNS Server. It extracts MicrosoftDNS_ResourceRecord (complete zone information) from all found domains.
