★ Kali Information Gathering ~ 4. DNS series

4.1 host: DNS information

Parameters:

Normally, host looks up the A, AAAA and MX records.

Examples:

• Name server (NS) query

   host -t ns <domain>

• A record and MX record query

   host <domain> (equivalent to host -t a <domain> plus host -t mx <domain>)

  PS: An A (Address) record specifies the IP address that a hostname (or domain name) maps to. You can point the web server for the domain at your own web server, and you can also set up subdomains of your domain. In plain terms, the A record is the server's IP; binding a domain to an A record tells DNS that when you type the domain name it should direct you to the server that the A record points to.

  PS: An MX record, also called a mail routing record, lets you point the mail server for the domain at your own mail server, after which you control all mailbox settings yourself. You only need to fill in your server's IP address online, and all mail for your domain is delivered to the mail server you set up. Simply put, only by managing the MX record can you run mail addresses ending in your own domain name.

4.2 dig: DNS digging

• Parameters:

      root@Kali:/home/dnt# dig -h
      Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
      {global-d-opt} host [@local-server] {local-d-opt}
      [ host [@local-server] {local-d-opt} [...]]
      Where: domain         is in the Domain Name System
      q-class is one of (in,hs,ch,...) [default: in]
      q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
      (Use ixfr=version for type ixfr)
      q-opt is one of:
      -x dot-notation (shortcut for reverse lookups)
      -i (use IP6.INT for IPv6 reverse lookups)
      -f filename (batch mode)
      -b address[#port] (bind to source address/port)
      -p port (specify port number)
      -q name (specify query name)
      -t type (specify query type)
      -c class (specify query class)
      -k keyfile (specify tsig key file)
      -y [hmac:]name:key (specify named base64 tsig key)
      -4 (use IPv4 query transport only)
      -6 (use IPv6 query transport only)
      -m (enable memory usage debugging)
      d-opt is of the form +keyword[=value], where keyword is:
      +[no]vc (TCP mode)
      +[no]tcp (TCP mode, alternate syntax)
      +time=### (Set query timeout) [5]
      +tries=### (Set number of UDP attempts) [3]
      +retry=### (Set number of UDP retries) [2]
      +domain=### (Set default domainname)
      +bufsize=### (Set EDNS0 Max UDP packet size)
      +ndots=### (Set NDOTS value)
      +[no]edns[=###] (Set EDNS version) [0]
      +[no]search (Set whether to use searchlist)
      +[no]showsearch (Search with intermediate results)
      +[no]defname (Ditto)
      +[no]recurse (Recursive mode)
      +[no]ignore (Don't revert to TCP for TC responses.)
      +[no]fail (Don't try next server on SERVFAIL)
      +[no]besteffort (Try to parse even illegal messages)
      +[no]aaonly (Set AA flag in query (+[no]aaflag))
      +[no]adflag (Set AD flag in query)
      +[no]cdflag (Set CD flag in query)
      +[no]cl (Control display of class in records)
      +[no]cmd (Control display of command line)
      +[no]comments (Control display of comment lines)
      +[no]rrcomments (Control display of per-record comments)
      +[no]question (Control display of question)
      +[no]answer (Control display of answer)
      +[no]authority (Control display of authority)
      +[no]additional (Control display of additional)
      +[no]stats (Control display of statistics)
      +[no]short (Disable everything except short form of answer)
      +[no]ttlid (Control display of ttls in records)
      +[no]all (Set or clear all display flags)
      +[no]qr (Print question before sending)
      +[no]nssearch (Search all authoritative nameservers)
      +[no]identify (ID responders in short answers)
      +[no]trace (Trace delegation down from root [+dnssec])
      +[no]dnssec (Request DNSSEC records)
      +[no]nsid (Request Name Server ID)
      +[no]sigchase (Chase DNSSEC signatures)
      +trusted-key=#### (Trusted Key when chasing DNSSEC sigs)
      +[no]topdown (Do DNSSEC validation top down mode)
      +[no]split=## (Split hex/base64 fields into chunks)
      +[no]multiline (Print records in an expanded format)
      +[no]onesoa (AXFR prints only one soa record)
      +[no]keepopen (Keep the TCP socket open between queries)
      global d-opts and servers (before host name) affect all queries.
      local d-opts and servers (after host name) affect only that lookup.
      -h (print help and exit)
      -v (print version and exit)

• Common usage: dig <domain> any

      root@Kali:/home/dnt# dig cnblogs.com any

      ; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> cnblogs.com any
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18664
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

      ;; QUESTION SECTION:
      ;cnblogs.com.                        IN        ANY

      ;; ANSWER SECTION:
      cnblogs.com.                5        IN        NS        ns4.dnsv4.com.
      cnblogs.com.                5        IN        NS        ns3.dnsv4.com.

      ;; Query time: 2010 msec
      ;; SERVER: 192.168.232.2#53(192.168.232.2)
      ;; WHEN: Thu Dec 24 23:19:22 CST 2015
      ;; MSG SIZE rcvd: 71

4.3 nslookup: DNS lookup

Built into both Windows and Linux.

The simplest use of nslookup is to look up the IP address for a domain name, including its A records and CNAME records.

Help documentation: man nslookup

Let's look at the help text on Windows (it is a bit clearer):

Common commands: nslookup

0. Set the default server

> server 8.8.8.8

1. Simple query of domain information

> set type=any
> cnblogs.com

2. Query the domain's CNAME record (alias pointer)

> set type=cname
> cnblogs.com

3. Query the domain's A record. In plain terms, the A record is the server's IP; binding a domain to an A record tells DNS that when you type the domain name it should direct you to the server that the DNS A record points to.

4. Query the domain's MX record (mail record)

> set type=mx
> cnblogs.com

5. Query the domain's NS record (the DNS servers the domain uses)
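Added example in POSIX shell (not code from the original post), serving both the dig ANY run in 4.2 and the per-type nslookup steps above: it parses dig's ANSWER SECTION into plain "owner type rdata" lines and inventories a domain by asking for each record type separately, since the post's own ANY query came back with only two NS records. The sample output is constructed; the live function assumes dig is installed and takes an optional resolver argument.

```shell
# Added example (not from the original post): query each record type the post
# covers one by one and parse dig's ANSWER SECTION into "owner type rdata".
# SAMPLE_DIG_OUTPUT is constructed for an offline run; it loosely mirrors the
# post's "dig cnblogs.com any" output, with an MX record and an AUTHORITY section added.
SAMPLE_DIG_OUTPUT='; <<>> DiG 9.9.5 <<>> cnblogs.com any
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;cnblogs.com.                   IN      ANY

;; ANSWER SECTION:
cnblogs.com.            5       IN      NS      ns4.dnsv4.com.
cnblogs.com.            5       IN      NS      ns3.dnsv4.com.
cnblogs.com.            5       IN      MX      10 mail.example.invalid.

;; AUTHORITY SECTION:
cnblogs.com.            5       IN      NS      ns3.dnsv4.com.
;; Query time: 2010 msec'

# Read full dig output on stdin; print ANSWER SECTION records only, as
# "<owner> <type> <rdata>" (TTL and class dropped). AUTHORITY/ADDITIONAL are skipped.
parse_dig_answer() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }  # enter the section
        /^;;/                 { in_answer = 0 }        # next ";;" header ends it
        in_answer && NF >= 5 && $1 !~ /^;/ {
            rdata = $5
            for (i = 6; i <= NF; i++) rdata = rdata " " $i
            print $1, $4, rdata
        }'
}

# Count parsed records (stdin) of one type, e.g. count_type MX.
count_type() { awk -v t="$1" '$2 == t { n++ } END { print n + 0 }'; }

# Offline demonstration on the constructed sample.
parse_sample() { printf '%s\n' "$SAMPLE_DIG_OUTPUT" | parse_dig_answer; }

# Live inventory of a domain: ask for every type separately rather than
# trusting ANY, which often returns only a subset (the post's own run got
# just two NS records). Optional resolver argument, e.g. @8.8.8.8.
dns_inventory() {
    domain="$1"; server="${2:-}"
    for type in NS SOA A AAAA MX CNAME TXT; do
        dig $server "$domain" "$type" | parse_dig_answer
    done | sort -u
}
```

Run `parse_sample` to see the parser on the sample, or `dns_inventory cnblogs.com @8.8.8.8` for a live inventory through a chosen resolver.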

Don't know what this means? Here is a picture (Alibaba Cloud DNS console):

If you still don't get it, search Baidu or Google.

• Original article: https://www.cnblogs.com/dunitian/p/5074773.html