
★Kali Information Gathering ~ 4. DNS Series

Author: 逸鹏
Published 2018-04-09 15:59:21
Published in the column 逸鹏说道

4.1 host: DNS information

Parameters: with no -t option, host looks up the A, AAAA and MX records of the name.

Examples:

  • Name server (NS) lookup

host -t ns <domain>

  • A and MX record lookup

host <domain> (the default lookup; roughly host -t a <domain> plus host -t aaaa <domain> plus host -t mx <domain>)

PS: An A (Address) record maps a hostname (or domain name) to an IPv4 address. With it you point the domain's website at your own web server, and you can define subdomains under the domain the same way. Put simply, an A record is the server's IP: binding a domain to an A record tells DNS that whoever types the domain should be sent to the server the A record points at.

PS: An MX (mail exchanger) record, also called a mail routing record, points the mail for a domain at your own mail server, after which you control all mailbox settings yourself. You enter the hostname of your mail server (an MX record points at a hostname that itself has an A/AAAA record, not directly at an IP address) and all mail for the domain is routed to it. In short, only by setting MX records can you run mailboxes that end in your own domain name.

4.2 dig: DNS digging

  • Parameters:

root@Kali:/home/dnt# dig -h
Usage:  dig [@global-server] [domain] [q-type] [q-class] {q-opt}
            {global-d-opt} host [@local-server] {local-d-opt}
            [ host [@local-server] {local-d-opt} [...]]
Where:  domain   is in the Domain Name System
        q-class  is one of (in,hs,ch,...) [default: in]
        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
                 (Use ixfr=version for type ixfr)
        q-opt    is one of:
                 -x dot-notation     (shortcut for reverse lookups)
                 -i                  (use IP6.INT for IPv6 reverse lookups)
                 -f filename         (batch mode)
                 -b address[#port]   (bind to source address/port)
                 -p port             (specify port number)
                 -q name             (specify query name)
                 -t type             (specify query type)
                 -c class            (specify query class)
                 -k keyfile          (specify tsig key file)
                 -y [hmac:]name:key  (specify named base64 tsig key)
                 -4                  (use IPv4 query transport only)
                 -6                  (use IPv6 query transport only)
                 -m                  (enable memory usage debugging)
        d-opt    is of the form +keyword[=value], where keyword is:
                 +[no]vc             (TCP mode)
                 +[no]tcp            (TCP mode, alternate syntax)
                 +time=###           (Set query timeout) [5]
                 +tries=###          (Set number of UDP attempts) [3]
                 +retry=###          (Set number of UDP retries) [2]
                 +domain=###         (Set default domainname)
                 +bufsize=###        (Set EDNS0 Max UDP packet size)
                 +ndots=###          (Set NDOTS value)
                 +[no]edns[=###]     (Set EDNS version) [0]
                 +[no]search         (Set whether to use searchlist)
                 +[no]showsearch     (Search with intermediate results)
                 +[no]defname        (Ditto)
                 +[no]recurse        (Recursive mode)
                 +[no]ignore         (Don't revert to TCP for TC responses.)
                 +[no]fail           (Don't try next server on SERVFAIL)
                 +[no]besteffort     (Try to parse even illegal messages)
                 +[no]aaonly         (Set AA flag in query (+[no]aaflag))
                 +[no]adflag         (Set AD flag in query)
                 +[no]cdflag         (Set CD flag in query)
                 +[no]cl             (Control display of class in records)
                 +[no]cmd            (Control display of command line)
                 +[no]comments       (Control display of comment lines)
                 +[no]rrcomments     (Control display of per-record comments)
                 +[no]question       (Control display of question)
                 +[no]answer         (Control display of answer)
                 +[no]authority      (Control display of authority)
                 +[no]additional     (Control display of additional)
                 +[no]stats          (Control display of statistics)
                 +[no]short          (Disable everything except short form of answer)
                 +[no]ttlid          (Control display of ttls in records)
                 +[no]all            (Set or clear all display flags)
                 +[no]qr             (Print question before sending)
                 +[no]nssearch       (Search all authoritative nameservers)
                 +[no]identify       (ID responders in short answers)
                 +[no]trace          (Trace delegation down from root [+dnssec])
                 +[no]dnssec         (Request DNSSEC records)
                 +[no]nsid           (Request Name Server ID)
                 +[no]sigchase       (Chase DNSSEC signatures)
                 +trusted-key=####   (Trusted Key when chasing DNSSEC sigs)
                 +[no]topdown        (Do DNSSEC validation top down mode)
                 +[no]split=##       (Split hex/base64 fields into chunks)
                 +[no]multiline      (Print records in an expanded format)
                 +[no]onesoa         (AXFR prints only one soa record)
                 +[no]keepopen       (Keep the TCP socket open between queries)
        global d-opts and servers (before host name) affect all queries.
        local d-opts and servers (after host name) affect only that lookup.
        -h                           (print help and exit)
        -v                           (print version and exit)
  • Common usage: dig <domain> any

root@Kali:/home/dnt# dig cnblogs.com any

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> cnblogs.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18664
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cnblogs.com.                   IN      ANY

;; ANSWER SECTION:
cnblogs.com.            5       IN      NS      ns4.dnsv4.com.
cnblogs.com.            5       IN      NS      ns3.dnsv4.com.

;; Query time: 2010 msec
;; SERVER: 192.168.232.2#53(192.168.232.2)
;; WHEN: Thu Dec 24 23:19:22 CST 2015
;; MSG SIZE  rcvd: 71
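What host, dig and nslookup actually put on the wire, as an added example (my code, not from the original post): build_query() produces the datagram dig sent above, and parse_message() decodes a constructed 71-byte reply that reproduces the answer shown (id 18664, flags qr rd ra, two NS records with TTL 5, empty AUTHORITY and ADDITIONAL). The reply is exactly 71 bytes because the owner names and the shared dnsv4.com and com suffixes are compression pointers; the decoder treats any pointer that does not point backwards as malformed, which is what keeps a hostile reply from sending it in circles. Everything in the block is constructed or assumed for illustration; send_query() is the only part that touches a network and the rest runs without it.

```python
"""Minimal DNS wire-format client/parser (RFC 1035): an added example for this page, not code from the
original post. SAMPLE_RESPONSE is a constructed 71-byte reply reproducing the `dig cnblogs.com any` output above."""
import ipaddress
import random
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}
FLAGS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100, "ra": 0x0080, "ad": 0x0020, "cd": 0x0010}

def _unpack(fmt, data, off):  # struct.unpack with a bounds check, so short or malformed replies fail cleanly
    size = struct.calcsize(fmt)
    if off + size > len(data):
        raise ValueError("truncated message")
    return struct.unpack(fmt, data[off:off + size])

def encode_name(name):  # "cnblogs.com" -> length-prefixed labels terminated by the empty root label
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype, txid, recursion_desired=True):  # what host/dig/nslookup send: header + 1 question
    header = struct.pack(">HHHHHH", txid, 0x0100 if recursion_desired else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPES[qtype], 1)  # class 1 = IN

def decode_name(data, offset, depth=0):  # decode a possibly compressed name -> (dotted name, offset past it)
    labels = []
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer carrying a 14-bit offset into the message
            ptr = _unpack(">H", data, offset)[0] & 0x3FFF
            if ptr >= offset or depth >= 16:  # pointers may only point backwards, which rules out loops
                raise ValueError("bad compression pointer")
            return ".".join(labels + [decode_name(data, ptr, depth + 1)[0]]), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        labels.append(data[offset:offset + length].decode("ascii", "backslashreplace"))
        offset += length

def parse_rdata(data, rtype, start, rdlength):  # RDATA for the types this page queries; anything else as hex
    if rtype in (1, 28) and rdlength in (4, 16):  # A / AAAA
        return str(ipaddress.ip_address(data[start:start + rdlength]))
    if rtype in (2, 5):  # NS / CNAME: a single domain name
        return decode_name(data, start)[0]
    if rtype == 15:  # MX: 16-bit preference followed by the exchange hostname (a name, never an IP)
        return "%d %s" % (_unpack(">H", data, start)[0], decode_name(data, start + 2)[0])
    return data[start:start + rdlength].hex()

def parse_message(data):  # split a DNS message into the sections dig prints
    txid, flags, qd, an, ns, ar = _unpack(">HHHHHH", data, 0)
    msg = {"id": txid, "rcode": flags & 0xF, "size": len(data), "question": [], "answer": [],
           "authority": [], "additional": [], "flags": [n for n, bit in FLAGS.items() if flags & bit]}
    off = 12
    for _ in range(qd):
        qname, off = decode_name(data, off)
        qtype, _qclass = _unpack(">HH", data, off)
        off += 4
        msg["question"].append((qname, TYPE_NAMES.get(qtype, str(qtype))))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(data, off)
            rtype, _cls, ttl, rdlength = _unpack(">HHIH", data, off)
            off += 10
            if off + rdlength > len(data):
                raise ValueError("RDATA runs past the end of the message")
            msg[section].append((name, ttl, TYPE_NAMES.get(rtype, str(rtype)), parse_rdata(data, rtype, off, rdlength)))
            off += rdlength
    return msg

def send_query(name, qtype, server, timeout=3.0):
    """One UDP query to a recursive or authoritative server (needs network; the tests never call it). The id is
    random because a guessable id lets an off-path attacker spoof the reply; a tc-flagged reply is truncated
    and dig would retry over TCP, which this minimal client does not."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype, txid), (server, 53))
        reply, _ = sock.recvfrom(4096)
    msg = parse_message(reply)
    if msg["id"] != txid:
        raise ValueError("transaction id mismatch: not the answer to our query")
    return msg

# Constructed reply matching the dig output on this page: header 12 + question 17 + answers 24 + 18 = 71 bytes.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 18664, 0x8180, 1, 2, 0, 0)          # id 18664; flags qr rd ra; 1 question, 2 answers
    + encode_name("cnblogs.com") + struct.pack(">HH", 255, 1)  # question: cnblogs.com. IN ANY (bytes 12..28)
    + b"\xc0\x0c" + struct.pack(">HHIH", 2, 1, 5, 12)          # owner = pointer to byte 12; NS, IN, TTL 5, 12 bytes
    + b"\x03ns4\x05dnsv4\xc0\x14"                              # "ns4" "dnsv4" + pointer to "com" at byte 20
    + b"\xc0\x0c" + struct.pack(">HHIH", 2, 1, 5, 6)
    + b"\x03ns3\xc0\x2d")                                      # "ns3" + pointer to "dnsv4.com" at byte 45
```

Two things to keep in mind when reading output like the above. First, the answer came from the local recursive resolver (SERVER: 192.168.232.2), so it shows what that resolver returned, not the zone itself, and ANY is answered from cache or, since RFC 8482, often minimally; for recon, ask an authoritative server directly (dig @ns3.dnsv4.com cnblogs.com ns, then the specific types a, aaaa, mx, txt and soa) rather than relying on ANY. Second, the axfr q-type listed in dig -h requests a full zone transfer; try it against each NS host found (dig @<ns> <domain> axfr), because a misconfigured server hands over the whole zone.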

4.3 nslookup: DNS lookup

Built into both Windows and Linux.

The simplest use of nslookup is to look up the IP address for a domain name, which covers both A records and CNAME records.

Help: man nslookup

Let's look at the Windows help text, which is a little clearer:

Common commands (interactive mode; start it with nslookup):

0. Set the default server

> server 8.8.8.8

1. Simple query for all of a domain's records

> set type=any

> cnblogs.com

2. Query the domain's CNAME records (alias targets)

> set type=cname

> cnblogs.com

3. Query the domain's A records. In plain terms, an A record is the server's IP: binding a domain to an A record tells DNS that whoever types the domain should be sent to the server the A record points at.

4. Query the domain's MX records (mail records)

> set type=mx

> cnblogs.com

5. Query the domain's NS records (the name servers the domain uses)

Not sure what that means? Here is a picture:

If it is still unclear, search Baidu or Google.

This article is part of the Tencent Cloud self-media sharing plan and was shared from the WeChat official account 我为Net狂. Originally published: 2015-12-25.

