Class 4 Lab 1 ‐ nslookup - Justin-Boyd/CIT-Class GitHub Wiki
Task 1: Execute DNS Queries
Step 1
- Open the Windows command prompt.
Step 2
- Run the nslookup command: type nslookup and press Enter
Step 3
- Please enter a domain to retrieve its IP address: type google.com and press Enter. You will get the IP address (the A record, or a CNAME if the name is an alias) for the google.com domain name.
Step 4
- Change the DNS server that nslookup queries to 1.1.1.1 using the syntax server 1.1.1.1. This configures nslookup to send every subsequent query to that specific DNS server and retrieve the requested records from it.
Step 5
- Once nslookup is pointed at the DNS server (1.1.1.1), you can query that server for the target domain's mail exchange (MX) records. Change the query type to MX and look up google.com. In interactive mode the resource record type is changed with set q={record type} (set type={record type} is equivalent); from the command line, use the -type nslookup parameter.
Step 6
- Bonus: look up other common record types such as TXT, NS, SOA, and CNAME. From the command line this is done by adding -type={record type} after the nslookup command.
Task 2: DNS Reconnaissance Automation
Step 1
- Create a new text file and name the file dns.txt.
Step 2
- Next, open the text file you just created. When the text editor opens, start the script with the @echo off command.
Step 3
- The next command prompts the user for the domain we will be enumerating.
REM Requests the user to input the target domain
set /p domain=enter domain to perform recon:
Step 4
- Now that our script stores the domain entered by the user in the %domain% variable, we can begin adding the nslookup commands you learned in the previous task. Add one command per line in this fashion:
REM Performs a TXT lookup against the target domain, appending the output to result.txt
nslookup -type=txt %domain% >> result.txt
Step 5
- Repeat this for the TXT, NS, and MX record types. Remember to redirect each command's output with >> so that all results are appended to the same file, result.txt. The finished script looks like this:
REM Turns off echoing of each command to the output
@echo off
REM Requests the user to input a target domain and saves it as the value of the %domain% variable
set /p domain=enter domain to perform recon:
REM Performs a TXT lookup against the target domain, appending the output to result.txt
nslookup -type=txt %domain% >> result.txt
REM Performs an MX lookup against the target domain, appending the output to result.txt
nslookup -type=mx %domain% >> result.txt
REM Performs an NS lookup against the target domain, appending the output to result.txt
nslookup -type=ns %domain% >> result.txt
Step 6
- To run the script, save the text file as a batch script named dns.bat and double-click the file to execute it. Enter google.com as the target domain to perform the DNS recon.
Step 7
- Open the result.txt file and inspect the results. You should see the harvested NS, TXT, and MX DNS records.
Task 3: DNS Zone Transfer
Step 1
- Follow the procedure in the first lab task to open an nslookup prompt.
Step 2
- Configure nslookup to query for NS records.
Step 3
- Run a query against the zonetransfer.me domain to retrieve its NS records.
Step 4
- Configure nslookup to use one of the name servers returned in the previous step, using the server command.
Step 5
- Set the DNS record type being retrieved back to any (set q=any).
Step 6
- Issue a DNS zone transfer request against zonetransfer.me using the ls command (List). Specify the -d flag to retrieve all DNS records.
Step 7
- Inspect the results. If the domain accepts zone transfers, you should see a dump of all the DNS records for the zonetransfer.me DNS zone.
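The steps of Task 3 can be strung together into a batch script in the style of Task 2, which is a quick way to audit whether the name servers of a zone you manage hand out a zone transfer. The following is an added example and not part of the original lab: it finds the zone's name servers with nslookup -type=ns and then feeds ls -d to an interactive nslookup session pointed at each server. The script name zonecheck.bat, the temporary file names, and the use of standard input to deliver the ls command to nslookup are assumptions.

```batch
@echo off
REM Added example, not part of the original lab: audits whether each name
REM server of a zone answers a zone transfer, automating Task 3 (steps 2-6).
REM Assumes the Windows nslookup.exe and a zone you are authorised to test,
REM e.g. the practice domain zonetransfer.me.  Usage: zonecheck.bat <domain>
setlocal EnableDelayedExpansion

if "%~1"=="" (
    echo Usage: %~nx0 domain
    exit /b 1
)
set "domain=%~1"
set "report=zonecheck_%domain%.txt"
if exist "%report%" del "%report%"

REM The ls command only exists in interactive mode, so it is fed to
REM nslookup through standard input from this small command file.
>ls_cmd.tmp echo ls -d %domain%

echo Name servers for %domain% >> "%report%"
REM Step 2-3: NS lookup. Windows nslookup prints one line per server like
REM   zonetransfer.me  nameserver = nsztm1.digi.ninja   (4th token = host)
for /f "tokens=4" %%n in ('nslookup -type=ns %domain% 2^>nul ^| findstr /i "nameserver"') do (
    set "ns=%%n"
    REM Step 4-6: point nslookup at that server ("nslookup - server") and
    REM issue ls -d; a transfer that succeeds begins with the zone's SOA.
    nslookup - !ns! < ls_cmd.tmp > "ls_!ns!.tmp" 2>&1
    findstr /r /c:"\<SOA\>" "ls_!ns!.tmp" > nul
    if errorlevel 1 (
        echo   !ns!: zone transfer refused or failed >> "%report%"
    ) else (
        echo   !ns!: zone transfer ALLOWED, records saved in ls_!ns!.tmp >> "%report%"
    )
)
del ls_cmd.tmp
type "%report%"
endlocal
```

A server that reports ALLOWED for a zone you operate should be restricted to transfer only to its secondaries (allow-transfer or the equivalent on that server), since the saved ls_*.tmp file shows exactly what an anonymous client receives.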