BIPI

DNS Attacks for Pentesters: Zone Transfers, Cache Poisoning, Subdomain Takeover

Cybersecurity

DNS misconfiguration is the highest-yield recon surface on the internet. A working pentester reference for zone transfers, cache poisoning, and subdomain takeover.

By Arjun Raghavan, Security & Systems Lead, BIPI · December 5, 2024 · 10 min read

#dns #recon #network-pentest #subdomain-takeover

DNS is the public face of an organisation's infrastructure. Pentest engagements that start with a thorough DNS pass uncover internal-only hostnames, forgotten cloud assets, deprecated services still CNAMEd to live origins and, surprisingly often, a misconfigured zone transfer.

Zone transfers (AXFR)

AXFR exists for zone replication between primary and secondary nameservers. Modern DNS servers restrict it by default, yet it is still wide open on a meaningful share of internet-facing nameservers, particularly in mid-market and emerging-market organisations. A successful AXFR returns the entire zone, including hosts that were never meant to be public.

  • dig axfr corp.local @ns1.corp.local
  • fierce -dns corp.local for the automated path
  • Test every NS record for the zone; secondaries are often the loose ones
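What an open transfer actually hands over is easier to judge with the records in front of you. The following is an added example, not code from the article: it parses dig-style AXFR output into records, flags the ones that should never have been public (RFC 1918 addresses, internal-looking hostnames) and walks every NS of the zone the way the third bullet recommends. The zone, its records and the `try_transfer` callback are constructed for the example; in practice the callback would wrap `dig axfr`, and the name hints are an assumption you would tune per client.

```python
import ipaddress
import re

# Constructed sample of `dig axfr` output for a hypothetical zone (corp.local)
# whose nameserver allows transfers. Every record below is invented.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr corp.local @ns1.corp.local
corp.local.             3600    IN      SOA     ns1.corp.local. hostmaster.corp.local. 2024120501 7200 900 1209600 3600
corp.local.             3600    IN      NS      ns1.corp.local.
corp.local.             3600    IN      NS      ns2.corp.local.
www.corp.local.         300     IN      A       203.0.113.10
vpn-gw.corp.local.      300     IN      A       10.20.0.5
backup-db.corp.local.   300     IN      A       192.168.50.12
legacy-shop.corp.local. 300     IN      CNAME   store-old.example.net.
corp.local.             3600    IN      SOA     ns1.corp.local. hostmaster.corp.local. 2024120501 7200 900 1209600 3600
;; Query time: 12 msec
"""

# name, TTL, class, type, rdata: the column layout dig prints
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Name fragments that usually mark hosts nobody intended to publish (assumption)
INTERNAL_HINTS = ("vpn", "backup", "db", "internal", "dev", "staging", "mgmt", "jump")


def parse_axfr(text):
    """Parse dig-style zone output into (name, ttl, type, rdata) tuples.
    The SOA is printed at both ends of a transfer, so duplicates are dropped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        name, ttl, rtype, rdata = m.groups()
        rec = (name.rstrip(".").lower(), int(ttl), rtype, rdata.strip())
        if rec not in records:
            records.append(rec)
    return records


def triage(records):
    """Return the records a transfer exposes that should not be public:
    A/AAAA records in private address space and internal-looking hostnames."""
    findings = []
    for name, _ttl, rtype, rdata in records:
        reasons = []
        if rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(rdata)
            except ValueError:
                addr = None
            if addr is not None and any(addr in net for net in RFC1918):
                reasons.append("private address")
        host = name.split(".")[0]
        if any(hint in host for hint in INTERNAL_HINTS):
            reasons.append("internal-looking name")
        if reasons:
            findings.append((name, rtype, rdata, reasons))
    return findings


def audit_nameservers(nameservers, try_transfer):
    """Try AXFR against every NS of the zone. try_transfer(ns) is a caller-supplied
    function (hypothetical; in practice a wrapper around `dig axfr`) that returns
    the zone text when the server answers and None when it refuses.
    Returns {ns: parsed records} for the servers that allowed the transfer."""
    leaked = {}
    for ns in nameservers:
        text = try_transfer(ns)
        if text:
            leaked[ns] = parse_axfr(text)
    return leaked


if __name__ == "__main__":
    # ns1 refuses, ns2 (the secondary) answers: the pattern the article describes
    fake = {"ns1.corp.local": None, "ns2.corp.local": SAMPLE_AXFR}
    for ns, recs in audit_nameservers(fake, fake.get).items():
        print(f"{ns} allows AXFR: {len(recs)} records")
        for name, rtype, rdata, reasons in triage(recs):
            print(f"  {name} {rtype} {rdata}  <- {', '.join(reasons)}")
```

Run quarterly against your own zones with a real transfer callback, the output is the audit record the remediation section asks for; run once against a client's zones, it turns a raw dump into the two or three hosts worth putting in the report.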

Subdomain enumeration without AXFR

Most of the time you brute force. amass, subfinder, assetfinder, and dnsx form the standard chain. Certificate transparency logs via crt.sh are the cheapest single source for current and historical subdomains, including ones that no longer resolve.

  • subfinder -d target.com -all -silent | dnsx -resp -a -aaaa -cname
  • amass enum -d target.com -passive for OSINT-only mode
  • crt.sh JSON endpoint piped through jq to extract distinct names
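The crt.sh step is usually a jq one-liner; as an added example (not the article's code) here is the same extraction in Python, plus the part the one-liner misses: separating names whose every certificate has expired, which are exactly the forgotten hosts worth resolving next. The JSON below is constructed to match the shape of the crt.sh `output=json` response (`name_value` carries newline-separated SANs, which on a shared CDN certificate include other customers' domains); the certificates and hostnames are invented.

```python
import json
from datetime import datetime

# Constructed stand-in for the crt.sh JSON endpoint response
# (https://crt.sh/?q=%25.target.com&output=json). Field names follow crt.sh;
# the certificates themselves are invented.
SAMPLE_CRTSH = json.dumps([
    {"id": 1, "common_name": "www.target.com",
     "name_value": "www.target.com\ntarget.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2025-01-10T00:00:00"},
    {"id": 2, "common_name": "*.target.com",
     "name_value": "*.target.com\ntarget.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2025-03-01T00:00:00"},
    {"id": 3, "common_name": "old-shop.target.com",
     "name_value": "old-shop.target.com",
     "not_before": "2019-05-01T00:00:00", "not_after": "2020-05-01T00:00:00"},
    {"id": 4, "common_name": "API.Target.com",
     "name_value": "API.Target.com\nstaging-api.target.com",
     "not_before": "2024-06-01T00:00:00", "not_after": "2025-06-01T00:00:00"},
    # a shared CDN certificate: only one of its SANs belongs to the target
    {"id": 5, "common_name": "cdn-shared.example.net",
     "name_value": "cdn-shared.example.net\nimg.target.com\nother-customer.example.org",
     "not_before": "2024-06-01T00:00:00", "not_after": "2025-06-01T00:00:00"},
])


def _names_in(entry):
    """Yield normalised hostnames from one crt.sh entry."""
    for raw in entry.get("name_value", "").split("\n"):
        n = raw.strip().lower().rstrip(".")
        if n.startswith("*."):
            n = n[2:]  # a wildcard proves the parent label exists, not a host
        if n:
            yield n


def in_scope(name, domain):
    return name == domain or name.endswith("." + domain)


def distinct_names(raw_json, domain):
    """Every distinct hostname under `domain` seen in any certificate."""
    names = set()
    for entry in json.loads(raw_json):
        names.update(n for n in _names_in(entry) if in_scope(n, domain))
    return sorted(names)


def expired_only(raw_json, domain, today):
    """Names whose every certificate has expired: the best candidates for
    records nobody has looked at in years (and for dangling CNAMEs)."""
    latest = {}
    for entry in json.loads(raw_json):
        exp = datetime.fromisoformat(entry["not_after"])
        for n in _names_in(entry):
            if in_scope(n, domain):
                latest[n] = max(latest.get(n, exp), exp)
    return sorted(n for n, exp in latest.items() if exp < today)


if __name__ == "__main__":
    print("all names:", distinct_names(SAMPLE_CRTSH, "target.com"))
    print("expired only:", expired_only(SAMPLE_CRTSH, "target.com", datetime(2024, 12, 5)))
```

Feed the first list to dnsx as usual; the second list is the one to check for NXDOMAIN and dangling CNAMEs first.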

Subdomain takeover

A dangling CNAME to a third-party service where the original tenant has been deleted is the classic primitive. The attacker registers the abandoned tenant name on AWS S3, Azure Storage, GitHub Pages, Heroku, Shopify, or one of the other 50-plus vulnerable platforms tracked by EdOverflow's can-i-take-over-xyz.

  1. Enumerate every CNAME for the target's zones
  2. Resolve them and identify the third-party platform
  3. Check whether the tenant still exists on that platform
  4. Register the dangling name, serve content, and demonstrate impact

Impact varies. A blog hostname takeover is reputation damage. A takeover on the OAuth callback domain or the same-site cookie scope is account takeover. Always model what the host actually serves before triaging severity.
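Steps 1 to 3 of the procedure above are the same work a defender does to keep a CNAME inventory clean, so here is an added example (not the article's code) that runs them as a classifier: identify the platform behind each CNAME target, check whether the target still resolves, and check whether the tenant still exists, then list the records that need decommissioning. The suffix-to-platform map is an illustrative assumption (the maintained list is can-i-take-over-xyz); the inventory and the two probe callbacks are constructed, since the real checks are live DNS lookups and platform-specific HTTP fingerprints.

```python
# Illustrative suffix -> platform map (assumption for the example). The maintained
# list of takeover-prone platforms is EdOverflow's can-i-take-over-xyz.
THIRD_PARTY_SUFFIXES = {
    ".s3.amazonaws.com": "AWS S3",
    ".blob.core.windows.net": "Azure Storage",
    ".github.io": "GitHub Pages",
    ".herokuapp.com": "Heroku",
    ".myshopify.com": "Shopify",
}

# Constructed CNAME inventory for a hypothetical zone (step 1 of the procedure)
SAMPLE_CNAMES = [
    ("www.target.com", "lb.target.com"),
    ("assets.target.com", "target-assets.s3.amazonaws.com"),
    ("blog.target.com", "target-blog.herokuapp.com"),
    ("docs.target.com", "target-docs.github.io"),
    ("old.target.com", "old-cdn.example.net"),
]

# Constructed probe results standing in for live DNS and platform checks
FAKE_RESOLVES = {
    "lb.target.com": True,
    "target-assets.s3.amazonaws.com": True,
    "target-blog.herokuapp.com": True,
    "target-docs.github.io": False,
    "old-cdn.example.net": False,
}
FAKE_TENANTS = {"target-assets.s3.amazonaws.com": True, "target-blog.herokuapp.com": False}


def fake_resolves(host):
    return FAKE_RESOLVES.get(host, False)


def fake_tenant_exists(platform, host):
    return FAKE_TENANTS.get(host, False)


def identify_platform(target):
    """Step 2: map the CNAME target to a third-party platform, or None."""
    t = target.lower().rstrip(".")
    for suffix, platform in THIRD_PARTY_SUFFIXES.items():
        if t.endswith(suffix):
            return platform
    return None


def classify(target, resolves, tenant_exists):
    """Step 3. resolves(host) -> bool: does the CNAME target still resolve?
    tenant_exists(platform, host) -> bool: is the name still claimed on the
    platform (a platform-specific fingerprint supplied by the caller)?"""
    platform = identify_platform(target)
    if not resolves(target):
        return "dangling: target does not resolve", platform
    if platform and not tenant_exists(platform, target):
        return "dangling: tenant missing on platform", platform
    return "ok", platform


def inventory(cnames, resolves, tenant_exists):
    findings = []
    for name, target in cnames:
        status, platform = classify(target, resolves, tenant_exists)
        findings.append({"name": name, "target": target, "platform": platform, "status": status})
    return findings


def needs_decommission(findings):
    """Records to remove now; a tenant missing on a takeover-prone platform is
    the urgent case, but an unresolvable first-party target is still debris."""
    return [f["name"] for f in findings if f["status"].startswith("dangling")]


if __name__ == "__main__":
    for f in inventory(SAMPLE_CNAMES, fake_resolves, fake_tenant_exists):
        print(f"{f['name']:20} -> {f['target']:35} {f['platform'] or '-':14} {f['status']}")
```

Severity still has to be modelled per host as the paragraph above says: the classifier tells you which records are dangling, not whether the hostname sits inside an OAuth callback allow-list or a cookie scope.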

DNS cache poisoning

Kaminsky-style cache poisoning is largely solved by source port randomisation and DNSSEC, but the SAD DNS class of attacks (CVE-2020-25705, 2020) showed that port randomisation on its own is only a partial mitigation: it used an ICMP rate-limit side channel to recover the randomised source port. Modern open resolvers without proper rate limiting are still potentially affected. On internal networks, DNS spoofing via Responder against unauthenticated NetBIOS, LLMNR, and mDNS remains highly effective.

  • Responder -I eth0 -wd for LLMNR, NBT-NS, and mDNS poisoning
  • Inveigh on Windows for the same primitive
  • Capture NetNTLMv2 hashes from spoofed responses, crack offline

If LLMNR is enabled on your network, a low-priv attacker on any VLAN can passively collect NetNTLMv2 hashes within minutes. Most enterprises still have it on.
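The same property that makes Responder effective, one host answering every multicast name query on the segment, is also what gives it away. As an added example (not the article's or Responder's code), the detector below runs over a constructed summary of LLMNR/NBT-NS responses as a passive sensor might log them and flags any responder that answers a planted canary name or answers many distinct names in a short window. The log format, the canary name and the thresholds are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample of name-resolution responses as a passive sensor on the
# segment might summarise them: "<epoch> <proto> <responder_ip> <queried_name>".
# Legitimate LLMNR/NBT-NS answers come from the one host that owns the name;
# a poisoner answers for everything, including mistyped and non-existent names.
SAMPLE_RESPONSES = """\
1733400001 LLMNR  10.20.1.50 fileshare01
1733400003 LLMNR  10.20.1.50 pritnserver
1733400005 NBT-NS 10.20.1.50 wpad
1733400009 LLMNR  10.20.1.50 sharepoint-old
1733400010 LLMNR  10.20.1.77 lt-jdoe
1733400015 LLMNR  10.20.1.50 canary-xq7
1733400300 LLMNR  10.20.1.88 lt-asmith
"""

# Names that exist nowhere; anything answering them is lying. Assumption: the
# defender periodically queries these from a scripted client on each segment.
CANARY_NAMES = {"canary-xq7"}


def parse_responses(text):
    """Parse the sensor lines into (ts, proto, responder_ip, name), oldest first."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, proto, ip, name = parts
        events.append((int(ts), proto, ip, name.lower()))
    return sorted(events)


def find_poisoners(events, threshold=3, window=60):
    """Return {responder_ip: [reasons]} for hosts that answered a canary name or
    answered `threshold` or more distinct names within `window` seconds."""
    by_ip = defaultdict(list)
    for ts, _proto, ip, name in events:
        by_ip[ip].append((ts, name))
    flagged = {}
    for ip, answers in by_ip.items():
        reasons = []
        canaries = sorted({n for _, n in answers if n in CANARY_NAMES})
        if canaries:
            reasons.append(f"answered canary name(s): {', '.join(canaries)}")
        # sliding window over this responder's answers (already time-ordered)
        for i, (start, _) in enumerate(answers):
            distinct = {n for ts, n in answers[i:] if ts - start <= window}
            if len(distinct) >= threshold:
                reasons.append(f"answered {len(distinct)} distinct names within {window}s")
                break
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in find_poisoners(parse_responses(SAMPLE_RESPONSES)).items():
        print(ip)
        for r in reasons:
            print("  -", r)
```

A single workstation answering for its own name (10.20.1.77 and 10.20.1.88 above) never trips either rule, which keeps the alert rate low enough to act on; the canary rule alone is worth deploying even where the GPO from the remediation list is already in place, because it also catches segments where the policy failed to apply.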

Internal DNS recon for AD

AD-integrated DNS stores zone data in the directory, so the DNS records for every computer account are readable by any authenticated domain user. adidnsdump (dirkjanm) dumps them all and produces a comprehensive internal hostname map in seconds.

Remediation

  1. Restrict AXFR to authorised secondaries only, and audit quarterly.
  2. Inventory third-party CNAMEs. Decommission DNS records when the tenant is deleted, not after.
  3. Disable LLMNR via the Turn Off Multicast Name Resolution GPO, disable NetBIOS over TCP/IP, and consider mDNS controls.
  4. Enforce DNSSEC where the business permits: validate at the resolver, not just sign at the authoritative servers.
  5. Monitor for anomalous TXT and CNAME changes via DNS change feeds.
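Item 5 is the cheapest control on the list and the one most often left unbuilt. As an added example (not the article's code), here is the core of a change monitor: diff two zone snapshots, keep only TXT and CNAME records, and rank what changed so that mail-authentication TXT records and every CNAME rise to the top. The two snapshots are constructed; in practice the "before" is your last export from the primary or the provider's API, and the severity rules are an assumption to adjust per organisation.

```python
# Constructed zone snapshots as sets of (name, type, rdata). Every record is invented.
BEFORE = {
    ("target.com", "TXT", '"v=spf1 include:_spf.example.net -all"'),
    ("target.com", "TXT", '"vendor-site-verification=abc123"'),
    ("www.target.com", "A", "203.0.113.10"),
    ("blog.target.com", "CNAME", "target-blog.herokuapp.com."),
    ("mail._domainkey.target.com", "TXT", '"v=DKIM1; k=rsa; p=EXAMPLEKEYDATA"'),
}
AFTER = {
    # SPF widened to an unknown sender and softened to ~all
    ("target.com", "TXT", '"v=spf1 include:_spf.example.net include:spf.unknown.example ~all"'),
    ("target.com", "TXT", '"vendor-site-verification=abc123"'),
    ("www.target.com", "A", "203.0.113.10"),
    # the Heroku CNAME is gone (good) and a new Shopify CNAME appeared (needs an owner)
    ("shop.target.com", "CNAME", "target-shop.myshopify.com."),
    ("mail._domainkey.target.com", "TXT", '"v=DKIM1; k=rsa; p=EXAMPLEKEYDATA"'),
}

WATCHED_TYPES = {"TXT", "CNAME"}


def diff_zone(before, after, watched=WATCHED_TYPES):
    """Added and removed records of the watched types, plus the (name, type)
    owners that had something removed and something added (i.e. modified)."""
    added = sorted(r for r in after - before if r[1] in watched)
    removed = sorted(r for r in before - after if r[1] in watched)
    owners_added = {(n, t) for n, t, _ in added}
    owners_removed = {(n, t) for n, t, _ in removed}
    return {"added": added, "removed": removed, "changed": sorted(owners_added & owners_removed)}


def severity(record):
    """Triage heuristic (assumption): any CNAME change and any mail-auth TXT
    change (SPF, DKIM, DMARC) is high; other TXT changes are medium."""
    name, rtype, rdata = record
    if rtype == "CNAME":
        return "high"
    mail_auth = rdata.startswith('"v=spf1') or rdata.startswith('"v=DMARC1') or "_domainkey" in name
    if rtype == "TXT" and mail_auth:
        return "high"
    return "medium"


def alerts(before, after):
    """(severity, added|removed, record) tuples, high first."""
    d = diff_zone(before, after)
    out = [(severity(rec), kind, rec) for kind in ("added", "removed") for rec in d[kind]]
    return sorted(out, key=lambda a: (a[0] != "high", a[1], a[2]))


if __name__ == "__main__":
    for sev, kind, (name, rtype, rdata) in alerts(BEFORE, AFTER):
        print(f"[{sev:6}] {kind:7} {name} {rtype} {rdata}")
    print("modified owners:", diff_zone(BEFORE, AFTER)["changed"])
```

Schedule it against every zone you own, page on "high", and file "medium" into the weekly review; the removed Heroku CNAME above is the healthy outcome of item 2, while the new Shopify CNAME is the record that needs a named owner before it becomes next year's dangling entry.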

DNS misconfiguration costs nothing to find and a lot to ignore. Treat the zone as production code, with reviews and a decommissioning policy, and the easy wins close fast.
