What is DNS Footprinting?

Last Updated : 23 Jul, 2025

DNS footprinting is a reconnaissance technique used to gather information about a target's DNS infrastructure. It helps attackers, penetration testers, and ethical hackers understand network topology and identify vulnerabilities. DNS acts as the internet’s "phone book," translating domain names (e.g., example.com) into IP addresses (e.g., 192.168.1.1). By collecting DNS-related data, attackers map networks, uncover infrastructure details, and locate weak points for exploitation. During DNS footprinting, the following data is gathered:

  • DNS Domain Names
  • Computer Names
  • IP Addresses
  • Subdomains and Hidden Domains
  • DNS Records
  • DNS Zone Data
  • Network-Related Information
  • Server Locations and Types
  • Hosts within the Network

After collecting the data, attackers use the DNS zone data to determine key hosts within the network and even prepare for social engineering attacks. The collected DNS records reveal important information about the type and location of servers, which can be used to exploit vulnerabilities or design highly targeted attacks.

Some of the main records that are important in DNS Footprinting are as follows:

Record   Description
A        Address mapping record, also known as a DNS host record; maps a hostname to an IP address.
MX       Mail exchange record; specifies the SMTP mail server(s) that accept email for the domain.
NS       Name server record; specifies the authoritative name servers for the zone.
CNAME    Canonical name record; an alias that maps one hostname to another hostname.
SOA      Start of Authority record; identifies the authoritative name server and zone parameters for the current DNS zone.
PTR      Pointer record; used for reverse lookups, letting a resolver supply an IP address and receive a hostname.
TXT      Text record; holds machine-readable data such as DKIM entries.
HINFO    Host information record; lists the host's CPU type and operating system.
SRV      Service record; locates the host and port that provide a specific service.

Procedure of DNS Footprinting

DNS footprinting is a simple procedure. It can be performed with many tools and websites, but here we are going to look at nslookup and dig.

NSLOOKUP

Nslookup is a network administration command-line tool for querying the Domain Name System (DNS) to obtain the mapping between a domain name and IP address or other DNS records.

Nslookup's usage commands:

nslookup <target domain>
nslookup -type=<recordtype> <target domain>

Example:

(Screenshots: nslookup output for the commands above)

DIG

Dig is a network administration command-line tool for querying the Domain Name System (DNS). Dig's usage commands:

dig <target domain>
dig <target domain> <record type>
dig <target domain> any

Example:

In this example we have used the second command from the list above, with MX in place of the record type, to retrieve the domain's MX records.

(Screenshot: dig command usage)

Output:

The above command provides the MX record as you can see in the terminal.

In this second example we have used the third command from the list above, i.e. the ANY keyword. ANY asks the server for every record type it holds for the name. Note that many resolvers and authoritative servers now return minimal or empty answers to ANY queries (RFC 8482), so the amount of data returned varies by server.

dig example.com any

(Screenshot: dig command usage)

Output:

Using the ANY keyword returns all the records the server is willing to disclose, as you can see in the result.

Why DNS Footprinting Matters

DNS footprinting helps attackers (and defenders auditing their own exposure) learn details about an organization's websites and infrastructure:

  • Attack Surface Discovery: Reveals entry points for cyber attacks (e.g., misconfigured servers, open services).
  • Network Mapping: Discovers relationships between domains, subdomains, and physical infrastructure.
  • Vulnerability Identification: Reveals stale records, DNS misconfigurations, or exposed internal hosts.
  • Social Engineering Prep: Collects information to use for phishing (e.g., mail server information through MX records).

Practical Attack Scenarios in DNS Footprinting

DNS footprinting is not just information gathering; it can also uncover weaknesses that an attacker can act on. Typical attack vectors that start from DNS footprinting include:

Subdomain Takeover

  • Companies sometimes utilize cloud platforms such as AWS (Amazon Web Services) or Azure and then abandon specific services but fail to delete their DNS entries (CNAME records) which continue to point to those retired services.
  • These unused records refer to cloud platforms that don't have an active resource anymore.
  • Such an unclaimed resource can be registered by an attacker on AWS or other providers.
  • The subdomain then refers to the attacker's server after being registered, and the attacker gains control over the subdomain.
  • The attacker is then able to host malicious content with the company's own subdomain, making it appear legitimate to victims and users.
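The defensive counterpart to the takeover scenario above is to audit your own zone for CNAMEs whose targets no longer exist. The following Python script is an added example (not part of the original article): the zone snippet and the resolver mapping are constructed, and the resolver is a stand-in callable that you would replace with a real lookup such as socket.gethostbyname.

```python
import ipaddress
from typing import Callable

# Constructed zone snippet for example.com (not a real zone): one CNAME points
# at a retired cloud resource whose hostname no longer resolves.
ZONE = """
www        300 IN A     203.0.113.10
intranet   300 IN A     10.20.30.40
status     300 IN CNAME retired-app.hosting.example-cloud.test.
shop       300 IN CNAME shop-prod.hosting.example-cloud.test.
mail       300 IN MX    10 mx1.example.com.
"""

# Constructed stand-in for DNS resolution: names present here resolve, any
# other name is treated as NXDOMAIN. Swap in a real resolver for production.
FAKE_RESOLVER = {"shop-prod.hosting.example-cloud.test.": "198.51.100.7"}

# RFC 1918 ranges: private addresses that should never appear in a public zone.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_zone(text):
    """Parse simple '<name> <ttl> IN <type> <rdata...>' lines into tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        records.append((parts[0], parts[3], parts[4:]))
    return records

def audit_zone(text, resolves: Callable[[str], bool]):
    """Return (dangling_cnames, private_a_records) found in the zone text."""
    dangling, private = [], []
    for name, rtype, rdata in parse_zone(text):
        if rtype == "CNAME" and not resolves(rdata[0]):
            dangling.append(name)          # alias to a target that is gone
        elif rtype == "A" and any(ipaddress.ip_address(rdata[0]) in n for n in RFC1918):
            private.append(name)           # internal address leaked to public DNS
    return dangling, private

if __name__ == "__main__":
    d, p = audit_zone(ZONE, lambda host: host in FAKE_RESOLVER)
    print("dangling CNAMEs:", d)        # ['status']
    print("private A records:", p)      # ['intranet']
```

A CNAME target that still resolves to a provider's shared front end can nevertheless be unclaimed at the provider, so records this check passes still need a manual ownership check in the cloud console.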

Phishing Infrastructure

  • Phishing attackers harvest MX records (Mail Exchange records) that reveal which servers process emails for a domain.
  • The attacker is then able to design spoof login pages that mimic the company's email service.
  • Victims are tricked into logging in using their login credentials, thinking it's the company's actual email portal.
  • This enables the attacker to intercept usernames, passwords, and even multi-factor authentication tokens.

Network Mapping

Attackers correlate various DNS records, such as:

  • A records (address records): display IP addresses allocated to a domain.
  • PTR records (pointer records): enable reverse lookup to find out which domain name is mapped to an IP.
  • By correlating A and PTR records, attackers can construct a complete map of the company's network, mapping active servers, internal hosts that are not visible, or machines that should not be externally exposed.
  • Such a map enables attackers to prepare targeted attacks on specific machines or services.

Service Exploitation

  • DNS SRV (Service) records show what services are running on what servers, including which ports they run on.
  • Attackers can search for services such as databases (say, Redis or MySQL).
  • If such services are incorrectly configured, out of date, or exposed, attackers can use them to steal information, inject malicious software, or gain complete control of the service.

Defensive Measures against DNS Footprinting

There are a number of defensive measures organizations can implement to minimize the amount of data that is revealed and make it harder for attackers to footprint the network.

  • Restrict Zone Transfers: DNS servers replicate zone data between each other through a zone transfer. If anyone can initiate a zone transfer, an attacker can download the entire list of DNS records with ease. To avoid this, organizations should permit zone transfers only to authorized, trusted DNS servers that actually need the data.
  • Avoid HINFO records: HINFO records disclose information about your hardware and operating system, which attackers can use to plan targeted attacks. It is preferable to delete existing HINFO records and avoid creating new ones.
  • Remove internal IPs from public DNS: Never publish internal network addresses (such as the company's private IP ranges) on public DNS servers. These must remain hidden from the rest of the world.
  • Monitor Suspicious Queries: Attackers tend to send large numbers of DNS queries while scanning for subdomains or other data. Organizations need to monitor DNS traffic for odd patterns, such as many queries from one IP or requests for a large number of different subdomains, which could indicate an attempt to enumerate DNS.
  • DNSSEC Implementation: DNSSEC is an acronym for Domain Name System Security Extensions. It protects DNS information against tampering while in transit. Without DNSSEC, attackers can perform DNS cache poisoning or spoofing, redirecting users to imposter websites. DNSSEC helps verify that DNS responses are authentic and have not been manipulated. Note that DNSSEC authenticates records but does not hide them, so it complements rather than replaces the measures above.
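The "Monitor Suspicious Queries" item above can be turned into simple detection logic. The following Python script is an added example (not from the original article): it parses constructed BIND-style query-log lines and flags clients that query many distinct names or send zone-transfer/ANY queries; the thresholds and the trusted-secondary address are hypothetical values to be tuned per zone.

```python
import re
from collections import defaultdict

# Constructed log lines in BIND-style query-log format (not captured traffic):
# timestamp, client ip#port, queried name, class and type.
LOG_LINES = """
13-Jul-2025 10:00:01.101 client 198.51.100.9#53012: query: www.example.com IN A
13-Jul-2025 10:00:01.220 client 203.0.113.77#41000: query: dev.example.com IN A
13-Jul-2025 10:00:01.231 client 203.0.113.77#41001: query: vpn.example.com IN A
13-Jul-2025 10:00:01.240 client 203.0.113.77#41002: query: git.example.com IN A
13-Jul-2025 10:00:01.251 client 203.0.113.77#41003: query: mail.example.com IN A
13-Jul-2025 10:00:01.262 client 203.0.113.77#41004: query: db.example.com IN A
13-Jul-2025 10:00:02.005 client 203.0.113.77#41005: query: example.com IN AXFR
13-Jul-2025 10:00:09.400 client 198.51.100.9#53013: query: mail.example.com IN MX
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Hypothetical thresholds and allow-list; tune to the zone's normal traffic.
DISTINCT_NAME_THRESHOLD = 5
SENSITIVE_QTYPES = {"AXFR", "IXFR", "ANY", "HINFO"}
TRUSTED_SECONDARIES = {"198.51.100.9"}   # constructed secondary name server

def parse_line(line):
    """Return the parsed fields of one query-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def detect_enumeration(lines):
    """Return {client_ip: [reasons]} for clients showing footprinting patterns."""
    names_seen = defaultdict(set)
    findings = defaultdict(list)
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue
        names_seen[q["ip"]].add(q["qname"])
        # Zone transfers and catch-all queries from anything other than our own
        # secondaries deserve an alert on their own.
        if q["qtype"] in SENSITIVE_QTYPES and q["ip"] not in TRUSTED_SECONDARIES:
            findings[q["ip"]].append(f"{q['qtype']} query for {q['qname']}")
    # Distinct-name counting over the whole batch; in production use a time window.
    for ip, names in names_seen.items():
        if len(names) >= DISTINCT_NAME_THRESHOLD:
            findings[ip].append(f"{len(names)} distinct names queried")
    return dict(findings)

if __name__ == "__main__":
    for ip, reasons in detect_enumeration(LOG_LINES).items():
        print(ip, "->", "; ".join(reasons))
```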

Conclusion

DNS footprinting takes seemingly harmless public information and turns it into exploitable attack vectors. Defenders need to adopt an "assume breach" mindset and periodically footprint their own networks to discover exposed assets.
