cdxy.me
Footprints on Cyber Security and Python


dig

Basic usage

dig sina.com any @8.8.8.8    (domain | record type | DNS server to query)
xy@localhost:~$ dig sina.com 

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> sina.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48774
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 8, ADDITIONAL: 8

;; QUESTION SECTION:
;sina.com.                      IN      A

;; ANSWER SECTION:
sina.com.               8       IN      A       66.102.251.33

;; AUTHORITY SECTION:
sina.com.               83648   IN      NS      ns4.sina.com.
sina.com.               83648   IN      NS      ns4.sina.com.cn.
sina.com.               83648   IN      NS      ns1.sina.com.
sina.com.               83648   IN      NS      ns3.sina.com.cn.
sina.com.               83648   IN      NS      ns1.sina.com.cn.
sina.com.               83648   IN      NS      ns2.sina.com.
sina.com.               83648   IN      NS      ns2.sina.com.cn.
sina.com.               83648   IN      NS      ns3.sina.com.

;; ADDITIONAL SECTION:
ns1.sina.com.           22249   IN      A       114.134.80.144
ns1.sina.com.cn.        67530   IN      A       202.106.184.166
ns2.sina.com.           83647   IN      A       114.134.80.145
ns2.sina.com.cn.        67529   IN      A       61.172.201.254
ns3.sina.com.           22248   IN      A       61.172.201.254
ns3.sina.com.cn.        69459   IN      A       123.125.29.99
ns4.sina.com.           19071   IN      A       123.125.29.99
ns4.sina.com.cn.        67529   IN      A       121.14.1.22

;; Query time: 5 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sat Aug 29 17:30:32 2015
;; MSG SIZE  rcvd: 325

It is advisable to repeat the query against several different DNS servers, e.g. 202.106.0.20 (Beijing Unicom's DNS server), and compare the answers.

Controlling the output

The output above is verbose; to show only the answer section:

dig +noall +answer

Print the fifth column of the result (the record data):

xy@localhost:~$ dig +noall +answer mail.163.com any | awk '{print $5}'
mail163.yxgslb.netease.com.
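The awk one-liner above works because the answer section has a fixed layout: name, TTL, class, type, and then the record data from column 5 onward. The following is an added example (not from the original post) that filters a captured answer section by record type; the input is constructed sample output in the same layout, so it runs offline. It also shows the one caveat with `$5`: for MX records column 5 is the preference number, not the mail host.

```shell
#!/bin/sh
# Added example, not from the original post. SAMPLE_ANSWER is constructed
# output in the layout of 'dig +noall +answer example.test any'.
# Columns: 1=name 2=TTL 3=class 4=type 5..NF=record data
SAMPLE_ANSWER='example.test.        300     IN      A       192.0.2.10
example.test.        300     IN      MX      10 mail.example.test.
example.test.        300     IN      TXT     "v=spf1 -all"
example.test.        300     IN      NS      ns1.example.test.'

# Print the record data (columns 5 to NF) of every record of one type.
# $1 = record type (A, MX, TXT, ...); stdin = answer-section lines.
rdata_of_type() {
    awk -v want="$1" '$4 == want {
        s = ""
        for (i = 5; i <= NF; i++) s = s (i > 5 ? " " : "") $i
        print s
    }'
}

# MX data is "<preference> <host>", so column 5 alone is just the number;
# the host is column 6.
mx_hosts() {
    awk '$4 == "MX" { print $6 }'
}

printf '%s\n' "$SAMPLE_ANSWER" | rdata_of_type A      # 192.0.2.10
printf '%s\n' "$SAMPLE_ANSWER" | rdata_of_type TXT    # "v=spf1 -all"
printf '%s\n' "$SAMPLE_ANSWER" | mx_hosts             # mail.example.test.
```

Against a live server the same functions are used as `dig +noall +answer example.test any | rdata_of_type A`. Filtering on column 4 matters with `any`, because the answer mixes record types and a blind `$5` would mix addresses, hostnames and MX preferences.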

Reverse lookup

Query the PTR record for an IP address:

dig -x 1.1.1.1
xy@localhost:~$ dig -x 121.14.1.22

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> -x 121.14.1.22
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38163
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;22.1.14.121.in-addr.arpa.      IN      PTR

;; AUTHORITY SECTION:
14.121.in-addr.arpa.    10800   IN      SOA     dns.guangzhou.gd.cn. root.dns.guangzhou.gd.cn. 2015080401 86400 86400 3628800 172800

;; Query time: 42 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sat Aug 29 17:38:38 2015
;; MSG SIZE  rcvd: 102

Note that the mapping between IP addresses and domain names can be one-to-many or many-to-one in either direction, so a PTR record, when one exists at all, need not name the host you started from. The NXDOMAIN status above means no reverse record is published for that address; the SOA in the authority section only identifies who administers the reverse zone.

Querying the BIND version

Most DNS servers, especially on Linux, run BIND. dig can be used to query the BIND version. If it is an old version, it can be compromised and all host records then enumerated.

xy@localhost:~$ dig +noall +answer txt chaos VERSION.BIND @114.114.114.114

Most BIND installations hide the version string, so the query returns nothing.

If a version is returned, check on the BIND website whether it is the latest; if not, read the release notes of the newer packages to see which vulnerabilities the old version has, then look up those vulnerabilities and exploit them.

DNS Trace

If the .com root-domain servers were hijacked, how would you tell?

To check, bypass the local caching DNS server and let the machine talk to the .com servers directly by iterative queries; capturing packets at that point shows the whole exchange.

Use dig to trace the resolution:

xy@localhost:~$ dig +trace www.sina.com

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +trace www.sina.com
;; global options: +cmd
.                       360259  IN      NS      l.root-servers.net.
.                       360259  IN      NS      f.root-servers.net.
.                       360259  IN      NS      h.root-servers.net.
.                       360259  IN      NS      j.root-servers.net.
.                       360259  IN      NS      b.root-servers.net.
.                       360259  IN      NS      e.root-servers.net.
.                       360259  IN      NS      c.root-servers.net.
.                       360259  IN      NS      a.root-servers.net.
.                       360259  IN      NS      k.root-servers.net.
.                       360259  IN      NS      m.root-servers.net.
.                       360259  IN      NS      d.root-servers.net.
.                       360259  IN      NS      i.root-servers.net.
.                       360259  IN      NS      g.root-servers.net.
;; Received 496 bytes from 192.168.1.1#53(192.168.1.1) in 240 ms

com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
;; Received 502 bytes from 192.36.148.17#53(192.36.148.17) in 773 ms

sina.com.               172800  IN      NS      ns1.sina.com.cn.
sina.com.               172800  IN      NS      ns2.sina.com.cn.
sina.com.               172800  IN      NS      ns3.sina.com.cn.
sina.com.               172800  IN      NS      ns1.sina.com.
sina.com.               172800  IN      NS      ns2.sina.com.
sina.com.               172800  IN      NS      ns4.sina.com.
sina.com.               172800  IN      NS      ns3.sina.com.
;; Received 231 bytes from 192.43.172.30#53(192.43.172.30) in 930 ms

www.sina.com.           60      IN      CNAME   us.sina.com.cn.
us.sina.com.cn.         60      IN      CNAME   wwwus.sina.com.
wwwus.sina.com.         60      IN      A       66.102.251.33
sina.com.               86400   IN      NS      ns1.sina.com.
sina.com.               86400   IN      NS      ns2.sina.com.cn.
sina.com.               86400   IN      NS      ns4.sina.com.cn.
sina.com.               86400   IN      NS      ns1.sina.com.cn.
sina.com.               86400   IN      NS      ns4.sina.com.
sina.com.               86400   IN      NS      ns3.sina.com.cn.
sina.com.               86400   IN      NS      ns3.sina.com.
sina.com.               86400   IN      NS      ns2.sina.com.
;; Received 377 bytes from 114.134.80.145#53(114.134.80.145) in 82 ms

The output shows the name servers my machine communicated with directly: first the 13 root (".") servers, then one IP chosen from each result to continue the query one level down, and at the end the CNAME chain is resolved step by step.

It is worth capturing the packets here and analysing them.
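The servers that answered each step are on the ";; Received ... from" lines, and the first record of each block says what they answered for. The following is an added example (not from the original post) that condenses a `+trace` transcript into one line per hop, which is the list to compare against the published root and TLD server addresses when a hijacked delegation is suspected. The input is a shortened, constructed trace in the same layout as real dig output, using documentation addresses, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. SAMPLE_TRACE is a constructed,
# shortened 'dig +trace www.example.test' transcript with documentation IPs.
SAMPLE_TRACE='.                       360259  IN      NS      a.root-servers.net.
.                       360259  IN      NS      b.root-servers.net.
;; Received 496 bytes from 192.0.2.1#53(192.0.2.1) in 240 ms

test.                   172800  IN      NS      a.nic.test.
test.                   172800  IN      NS      b.nic.test.
;; Received 502 bytes from 198.51.100.17#53(198.51.100.17) in 773 ms

example.test.           172800  IN      NS      ns1.example.test.
;; Received 231 bytes from 198.51.100.30#53(198.51.100.30) in 930 ms

www.example.test.       60      IN      CNAME   web.example.test.
web.example.test.       60      IN      A       203.0.113.5
example.test.           86400   IN      NS      ns1.example.test.
;; Received 377 bytes from 203.0.113.53#53(203.0.113.53) in 82 ms'

# One line per hop: "<zone or name answered> <- <server IP>".
# A block of records ends with ';; Received N bytes from IP#53(IP)'; the
# first record line of the block names what that server answered for.
trace_hops() {
    awk '
        /^;; Received/ { sub(/#.*/, "", $6); print first " <- " $6; first = ""; next }
        /^[^;]/ && first == "" && NF >= 5 { first = $1 }
    '
}

# IP of the server that produced the delegation for one zone, e.g. "test."
server_for() {
    trace_hops | awk -v z="$1" '$1 == z { print $3 }'
}

printf '%s\n' "$SAMPLE_TRACE" | trace_hops
# . <- 192.0.2.1
# test. <- 198.51.100.17
# example.test. <- 198.51.100.30
# www.example.test. <- 203.0.113.53
```

Live use is `dig +trace www.sina.com | trace_hops`. The first hop is the local resolver handing out the root hints; from the second hop on, every address printed is a server the machine queried directly, so the hop for `com.` should be one of the root-server addresses and the hop for `sina.com.` one of the .com gTLD servers. A hop that answers for a zone without being in the previous level's NS set is exactly the anomaly the packet capture suggested above would reveal.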

Recursive query

Because sina.com had already been looked up, running the command again and capturing packets showed only two packets: the caching server answered from its cache, and what took place this time was a recursive query.

local host --(recursive query)--> caching DNS server --(iterative queries)--> DNS servers at each level