DNS in Active Directory

Hacktivities
Published in InfoSec Write-ups
6 min read · Jul 3, 2022


This article provides a basic overview of how the Domain Name System (DNS) protocol works and how it is used in Active Directory (AD) environments. DNS is a large topic and this article only covers the fundamentals, so with that said, let's dive in!

What is DNS?

Microsoft describes DNS as follows:

Domain Name System (DNS) is one of the industry-standard suite of protocols that comprise TCP/IP, and together the DNS Client and DNS Server provide computer name-to-IP address mapping name resolution services to computers and users.

DNS is a naming system that provides a simple way for users to communicate with devices on the internet without having to remember IP addresses. Instead, users make requests by providing a domain name (e.g. demo.com), which is then translated by DNS to the corresponding IP address. The diagram below demonstrates a basic DNS lookup, where the client is reaching out to the DNS server to resolve a Fully Qualified Domain Name (FQDN) to an IP address.

Basic DNS Lookup Example.

What are the Core Components of DNS?

The following terminology is often used when discussing the core components of DNS and are further expanded on in their own subsections below.

  • Domain Names: a human-memorable name registered by a business or person (e.g. apple.com, youtube.com, ford.com, etc.).
  • Name Servers: servers that hold the DNS records for a zone and answer queries about it. Every zone is served by at least one authoritative name server, and usually by two or more for redundancy.
  • DNS Records: the individual entries in a zone, each mapping a name to a piece of data: an IP address, another name, a mail server, a service location, or free text.

Domain Hierarchy

DNS is administered as a hierarchy of separately managed areas called zones, each a distinct part of the domain namespace delegated to some entity (a person, organization or company). The domain namespace (i.e. domain hierarchy) is a tree with the DNS root at the top. The domain hierarchy is comprised of the following elements:

  1. Root Domain: the top of the hierarchy, written as a single dot (“.”). Every fully qualified name ends in it, although the trailing dot is usually left implicit (example.com. is the fully qualified form of example.com). It is served by the root name servers.
  2. Top-Level Domain (TLD): the suffix that appears at the end of a domain name (e.g. com, org, uk), directly below the root.
  3. Second-Level Domain: the name registered directly beneath a TLD (e.g. example in example.com); this is what a business or person registers.
  4. Subdomain: any name below the second-level domain (e.g. www.example.com or mail.example.com). Subdomains are created and managed by the owner of the parent domain and can be nested to further levels.

The diagram below illustrates this:

Domain Name Structure Example.

DNS Servers

DNS servers fall into several categories:

  • DNS Recursor (recursive resolver): the server a client sends its query to. It walks the hierarchy on the client’s behalf (root, TLD, authoritative), caches what it learns for each record’s TTL, and returns the final answer to the client.
  • Root Nameserver: accepts a recursive resolver’s query for any name and responds with a referral to the TLD nameservers for that name’s extension (.com, .net, .org, etc.).
  • TLD Nameserver: hosts the zone for the last label of a hostname (for example.com, the “com” zone) and refers the resolver to the authoritative nameservers registered for the second-level domain.
  • Authoritative Nameserver: holds the actual records for the zone. If the requested record exists it returns it (e.g. the IP address for the hostname) to the recursor that asked; if not, it answers NXDOMAIN or refers the resolver to a delegated child zone.

DNS Records

DNS records are the individual entries in a zone (kept on disk in a zone file or, for AD-integrated zones, in the directory itself) that map a name to data such as the IP address of the server hosting a business’ web site or the name of the server that receives its email. Some of the most common DNS record types include:

  • A record: holds the IPv4 address of a name.
  • AAAA record: holds the IPv6 address of a name.
  • CNAME record: makes one name an alias for another (canonical) name; it does NOT hold an IP address, the resolver follows it and looks up the target.
  • MX record: names the mail server(s) that receive email for a domain, each with a preference value.
  • TXT record: holds free text. These records are commonly used for email security (SPF, DKIM and DMARC policies) and for domain-ownership verification.
  • NS record: lists the authoritative name server(s) for a zone; in a parent zone it delegates a child zone to those servers.
  • SOA record: holds administrative information about a zone: its primary name server, the administrator’s mailbox, a serial number and the refresh, retry, expire and minimum-TTL timers.
  • SRV record: locates a service by name (e.g. _ldap._tcp.example.com), giving the target host, port, priority and weight.
  • PTR record: the reverse mapping, from an IP address (under in-addr.arpa or ip6.arpa) back to a name.

How does a DNS Lookup work?

There are a series of steps taken when performing a DNS Lookup:

  1. A user types ‘example.com’ into a web browser. After checking the local cache (and hosts file), the operating system sends the query to its configured DNS recursive resolver.
  2. If the resolver does not have the answer cached, it queries a DNS root nameserver (.).
  3. The root server responds to the resolver with a referral to the Top Level Domain (TLD) nameservers for that extension (such as .com or .net), which hold the delegations for their domains. When searching for example.com, our request is pointed toward the .com TLD.
  4. The resolver then queries a .com TLD nameserver.
  5. The TLD server responds with the NS record(s) naming example.com’s authoritative nameserver and, usually, a glue A record with its IP address.
  6. Lastly, the recursive resolver sends the query to the domain’s authoritative nameserver.
  7. The authoritative nameserver returns the A record (the IP address) for example.com to the resolver.
  8. The resolver caches the answer for its TTL and responds to the web browser with the IP address of the domain requested initially.
  9. The browser makes an HTTP request to that IP address.
  10. The server at that IP returns the webpage to be rendered in the browser.

The diagram below illustrates these steps.

DNS Lookup and Webpage Query.
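The ten steps above, run as code. This is an added example and not code from the original article: a small Python model of the hierarchy (a root server, a .com TLD server and example.com’s authoritative server, all with made-up documentation addresses) and an iterative resolver that follows referrals the way a recursive resolver does, including chasing a CNAME. The server table, the names and every IP address in it are constructed for the illustration.

```python
"""Iterative DNS resolution over a constructed, in-memory model of the hierarchy.
Added example, not from the article; every address below is a made-up documentation IP."""

# Constructed zone data: server IP -> the zone it is authoritative for and the records it holds.
SERVERS = {
    "192.0.2.1": {"zone": ".", "records": {              # root server: delegates .com
        "com.": {"NS": ["a.gtld-servers.net."]},
        "a.gtld-servers.net.": {"A": ["192.0.2.2"]}}},   # glue for the .com server
    "192.0.2.2": {"zone": "com.", "records": {           # .com TLD server: delegates example.com
        "example.com.": {"NS": ["ns1.example.com."]},
        "ns1.example.com.": {"A": ["192.0.2.3"]}}},      # glue for example.com's server
    "192.0.2.3": {"zone": "example.com.", "records": {   # authoritative for example.com
        "example.com.": {"NS": ["ns1.example.com."], "A": ["192.0.2.10"]},
        "ns1.example.com.": {"A": ["192.0.2.3"]},
        "www.example.com.": {"CNAME": ["example.com."]}}},
}


def serve(ip, qname, qtype):
    """What a single nameserver replies to (qname, qtype): an answer, a CNAME,
    a referral to a child zone it delegates, or NXDOMAIN."""
    srv = SERVERS[ip]
    labels = qname.split(".")
    for i in range(len(labels)):                      # longest enclosing name first
        suffix = ".".join(labels[i:])
        if not suffix or suffix == srv["zone"]:       # reached this server's own apex: no delegation
            break
        ns = srv["records"].get(suffix, {}).get("NS")
        if ns:                                        # delegated child zone: hand back NS + glue
            glue = {n: srv["records"].get(n, {}).get("A", []) for n in ns}
            return ("referral", suffix, glue)
    recs = srv["records"].get(qname, {})
    if qtype in recs:
        return ("answer", recs[qtype])
    if "CNAME" in recs:
        return ("cname", recs["CNAME"][0])
    return ("nxdomain",)


def resolve(qname, qtype, root_ip="192.0.2.1", max_steps=16):
    """Iterative resolution as a recursive resolver performs it.
    Returns (answers, trace); trace lists every (server, qname, reply kind) in order."""
    trace, ip = [], root_ip
    for _ in range(max_steps):
        kind, *payload = serve(ip, qname, qtype)
        trace.append((ip, qname, kind))
        if kind == "answer":
            return payload[0], trace
        if kind == "nxdomain":
            return [], trace
        if kind == "cname":                           # chase the alias (a real resolver would use its cache)
            qname, ip = payload[0], root_ip
            continue
        _zone, glue = payload
        ip = next((addrs[0] for addrs in glue.values() if addrs), None)  # first NS we have glue for
        if ip is None:
            return [], trace                          # no glue: would need a separate lookup of the NS name
    raise RuntimeError("too many referrals")


if __name__ == "__main__":
    answers, trace = resolve("example.com.", "A")
    for step in trace:                                # root -> .com -> example.com, then the answer
        print(step)
    print("example.com. A ->", answers)
```

Running it for example.com prints the three hops (root referral, .com referral, authoritative answer) that correspond to steps 2 to 7 above; asking for www.example.com shows the CNAME being followed before the final A record comes back.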

Why is DNS used in AD Environments?

In one of my previous articles titled “Active Directory Overview”, I mentioned that installing Active Directory Domain Services (AD DS) requires the DNS server role (or an existing DNS server that supports SRV records and dynamic updates). According to Microsoft, AD DS uses DNS name resolution services to make it possible for clients to locate domain controllers and for the domain controllers that host the directory service to communicate with each other.

When any of the principal AD operations is performed, such as authentication, updating, or searching, computers use DNS to locate AD domain controllers, and domain controllers use DNS to locate each other. This works because every domain controller registers a set of SRV records in DNS (for example _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.<domain>) advertising the LDAP, Kerberos and Global Catalog services it offers and the ports they listen on.

For example, when a network user with an AD user account logs in to an AD domain, the client’s DC locator queries the DNS server for those SRV records to find a domain controller for the AD domain. The DNS server responds with the domain controller’s name and IP address, the client contacts the domain controller, and the authentication process can begin. Because the whole process starts with DNS, anyone who can read those records learns the domain’s controllers and services, and anyone who can write to the zone can redirect clients.
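An added example covering both the record types listed earlier and the DC locator lookup just described (not code from the article or from Microsoft): a stdlib-only Python decoder for DNS replies in wire format that handles A, AAAA, NS, CNAME, PTR, MX, TXT, SOA and SRV records, name compression included, and uses it to pull the domain controller out of an SRV reply. The reply it parses is constructed by hand, not captured: it answers `_ldap._tcp.dc._msdcs.windcorp.thm SRV` with the host name and address of the lab’s DC, which are assumptions borrowed from the dig output later in the article.

```python
"""Decode a DNS reply (RFC 1035 wire format) and extract the records in it, including
the SRV record an AD client uses to find a domain controller.  Added example, not from
the article; the reply bytes are built by hand below, not captured from a real server."""
import ipaddress
import struct

TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
         16: "TXT", 28: "AAAA", 33: "SRV"}


def encode_name(name):
    """Dotted name -> length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def read_name(msg, off):
    """Read a (possibly compressed) name at `off`; return (name, offset just after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                   # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2                         # the name in the message ends after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_rdata(msg, rtype, off, rdlen):
    """Decode the RDATA of the common record types; unknown types come back as hex."""
    data = msg[off:off + rdlen]
    if rtype == 1:
        return str(ipaddress.IPv4Address(data))
    if rtype == 28:
        return str(ipaddress.IPv6Address(data))
    if rtype in (2, 5, 12):                           # NS, CNAME, PTR: a single (compressible) name
        return read_name(msg, off)[0]
    if rtype == 15:                                   # MX: 16-bit preference + exchange name
        return {"preference": struct.unpack("!H", data[:2])[0],
                "exchange": read_name(msg, off + 2)[0]}
    if rtype == 16:                                   # TXT: sequence of <len><chars> strings
        strings, i = [], 0
        while i < rdlen:
            strings.append(data[i + 1:i + 1 + data[i]].decode("utf-8", "replace"))
            i += 1 + data[i]
        return strings
    if rtype == 33:                                   # SRV: priority, weight, port, target name
        prio, weight, port = struct.unpack("!HHH", data[:6])
        return {"priority": prio, "weight": weight, "port": port,
                "target": read_name(msg, off + 6)[0]}
    if rtype == 6:                                    # SOA: two names + five 32-bit values
        mname, o = read_name(msg, off)
        rname, o = read_name(msg, o)
        serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[o:o + 20])
        return {"mname": mname, "rname": rname, "serial": serial, "refresh": refresh,
                "retry": retry, "expire": expire, "minimum": minimum}
    return data.hex()


def parse_response(msg):
    """Parse the header, question and all three RR sections of a DNS reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, TYPES.get(qtype, qtype)))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append({"section": section, "name": name, "type": TYPES.get(rtype, rtype),
                            "ttl": ttl, "data": parse_rdata(msg, rtype, off, rdlen)})
            off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400),
            "questions": questions, "records": records}


def domain_controllers(msg):
    """Join SRV answers with their glue A records -> [(target, port, ip), ...]."""
    resp = parse_response(msg)
    glue = {r["name"]: r["data"] for r in resp["records"] if r["type"] == "A"}
    return [(r["data"]["target"], r["data"]["port"], glue.get(r["data"]["target"]))
            for r in resp["records"] if r["type"] == "SRV"]


def sample_dc_locator_reply():
    """CONSTRUCTED reply to `_ldap._tcp.dc._msdcs.windcorp.thm SRV` (assumed DC name/IP)."""
    qname = "_ldap._tcp.dc._msdcs.windcorp.thm"
    header = struct.pack("!HHHHHH", 0xBEEF, 0x8580, 1, 1, 0, 1)    # QR|AA|RD|RA, NOERROR
    question = encode_name(qname) + struct.pack("!HH", 33, 1)    # SRV, IN
    srv = struct.pack("!HHH", 0, 100, 389) + encode_name("fire.windcorp.thm")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 33, 1, 600, len(srv)) + srv  # name = pointer to offset 12
    # Glue A record: label "fire" + pointer to "windcorp.thm" at offset 33 inside the question name
    glue = b"\x04fire\xc0\x21" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([10, 10, 151, 112])
    return header + question + answer + glue


if __name__ == "__main__":
    for rec in parse_response(sample_dc_locator_reply())["records"]:
        print(rec["section"], rec["name"], rec["type"], rec["ttl"], rec["data"])
    print(domain_controllers(sample_dc_locator_reply()))
```

To use it against a real reply, send the same question with any UDP DNS client and feed the raw bytes to `parse_response`; `domain_controllers` then gives the LDAP endpoint a client would contact, which is also exactly what an attacker enumerating the domain wants to know.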

DNS Hands-On Lab

To demonstrate how DNS in AD can be enumerated and potentially exploited, I will be using the TryHackMe room titled “Ra 2” as an example. You can find the full writeup here. Using Nmap, I found the domain name “windcorp.thm” and saw that port 53 (DNS) was open:

PORT      STATE SERVICE             VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind

I can start by using the “dig” command to perform DNS enumeration for any useful information. An ANY query asks the server for every record it holds at that name; many public resolvers and authoritative servers now answer it with a minimal response (RFC 8482), but the Windows DNS server in this lab returned everything.

# Request any information
dig any @10.10.151.112 windcorp.thm
;; ANSWER SECTION:
windcorp.thm. 600 IN A 10.10.151.112
windcorp.thm. 600 IN A 10.10.61.88
windcorp.thm. 3600 IN NS fire.windcorp.thm.
windcorp.thm. 3600 IN SOA fire.windcorp.thm. hostmaster.windcorp.thm. 291 900 600 86400 3600
windcorp.thm. 86400 IN TXT "THM{....}"
;; ADDITIONAL SECTION:
fire.windcorp.thm. 3600 IN A 10.10.151.112
fire.windcorp.thm. 3600 IN A 192.168.112.1

Looking at the output I can see:

  • Two A records for windcorp.thm itself. In an AD domain every domain controller registers an A record for the domain name, so two addresses suggest two domain controllers. The additional section also carries the A records for fire.windcorp.thm, one of which is an internal address (192.168.112.1).
  • An NS record naming fire.windcorp.thm as the name server for the zone, which in an AD domain is normally a domain controller.
  • An SOA record with the zone’s primary server, administrator mailbox (hostmaster.windcorp.thm), serial number and timers.
  • A TXT record, which here holds the room’s flag.

Insecure DNS Updates

For this challenge the zone accepts nonsecure dynamic updates (the Windows DNS “Nonsecure and secure” setting), so anyone who can reach port 53 can add or change records. I can test this by attempting to add a TXT record using nsupdate without any authentication:

$ nsupdate
> server 10.10.172.217
> update add test.windcorp.thm 5 TXT "This is a Test for Insecure DNS Update"
> send

Next, I can use nslookup to confirm that the TXT record has been added.

> server 10.10.172.217
Default server: 10.10.172.217
Address: 10.10.172.217#53
> set type=txt
> test.windcorp.thm
DNS TXT Record Added.

I can see that the TXT record has been successfully added! From here, the same write access lets an attacker add or overwrite records, for example pointing an existing hostname at a machine they control so that clients connect to it (the effect is similar to cache poisoning, but persistent, because the record sits in the zone itself), or register names that help with further enumeration. Remove any test record you add once the check is done, so the zone is left as you found it.
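The nsupdate test above as an added example, not part of the original article: Python that builds the RFC 2136 UPDATE message by hand (zone section, one TXT record with TTL 5, and the matching delete), sends it with no TSIG or GSS-TSIG authentication, and reads the RCODE, so the check can be scripted and the record cleaned up afterwards. A zone that only accepts secure updates rejects the request (typically REFUSED); an open zone returns NOERROR. The server address, zone and record name are the article’s lab values and only work inside that lab; `reply_rcode` can equally be run over a reply saved from any other server.

```python
"""Build and send an unauthenticated RFC 2136 UPDATE, then decode the reply code.
Added example, not from the article; the lab address and zone are taken from the article."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
          5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET", 9: "NOTAUTH", 10: "NOTZONE"}
TXT, SOA, CLASS_IN, CLASS_ANY = 16, 6, 1, 255


def encode_name(name):
    """Dotted name -> length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def txt_rdata(text):
    """TXT RDATA is one or more <len><chars> strings of at most 255 bytes each."""
    raw = text.encode()
    return b"".join(bytes([len(raw[i:i + 255])]) + raw[i:i + 255] for i in range(0, len(raw), 255))


def build_update(zone, name, rdata=b"", rtype=TXT, ttl=5, txid=0x1234, delete=False):
    """UPDATE message: header with opcode 5, Zone section (the zone's SOA name), no
    prerequisites, and one RR in the Update section.  delete=True emits the 'delete all
    RRs of this type' form: class ANY, TTL 0, empty RDATA (RFC 2136 section 2.5.2)."""
    header = struct.pack("!HHHHHH", txid, 5 << 11, 1, 0, 1, 0)   # ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1
    zone_sec = encode_name(zone) + struct.pack("!HH", SOA, CLASS_IN)
    if delete:
        rr = encode_name(name) + struct.pack("!HHIH", rtype, CLASS_ANY, 0, 0)
    else:
        rr = encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_sec + rr


def reply_rcode(reply, expected_id):
    """Return the RCODE name from the server's reply (NOERROR means the zone took the update)."""
    txid, flags = struct.unpack("!HH", reply[:4])
    if txid != expected_id or not flags & 0x8000:    # must echo our ID and have QR set
        raise ValueError("not a reply to our UPDATE")
    return RCODES.get(flags & 0xF, str(flags & 0xF))


def check_nonsecure_update(server, zone, name, text, port=53, timeout=5.0):
    """Try to add a TXT record with no authentication and report the RCODE; if the server
    accepted it, immediately delete the record again so nothing is left behind."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for label, txid in (("add", 0x1234), ("delete", 0x1235)):
            msg = (build_update(zone, name, txt_rdata(text), txid=txid) if label == "add"
                   else build_update(zone, name, txid=txid, delete=True))
            sock.sendto(msg, (server, port))
            results[label] = reply_rcode(sock.recv(512), txid)
            if results[label] != "NOERROR":
                break                                 # refused add: nothing to clean up
    return results


if __name__ == "__main__":
    # Same test as the nsupdate session above; these lab values are only reachable inside the room.
    print(check_nonsecure_update("10.10.172.217", "windcorp.thm", "test.windcorp.thm",
                                 "This is a Test for Insecure DNS Update"))
```

The delete uses the class-ANY form so it removes whatever TXT data was written, and the second transaction ID makes it obvious which request a reply belongs to; both points matter when the same check is run against many zones from one script.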

Closing Remarks

Hopefully this short article on DNS has helped provide a basic overview of what it is and how it works. DNS is a massive topic and is worth knowing more about. Thank you for reading till the end and keep hacking! 😄

