Determine Rogue DNS for IP Space

Posted on Updated on

Determining what domains are registered to a network is important to both attackers and defenders. Attackers have been performing DNS recon for years, but defenders generally do not use this technique. Why would we need to? We can just get a dump of the DNS database and search it. Well this only works for domains that you control, but users can point to your IP space with a different domain name and you would never know about it. This could be a legitimate subsidiary standing up a site, or it could be a rogue server “borrowing bandwidth”. Either way it’s better to know these things before attackers do.

I wrote a bash script (Tested on Ubuntu and OSX) to use the robtex’s website to determine what DNS names have been assigned to a specific network. Their website looks up DNS names based on class C networks. For class A and B networks, it will break them down into class c networks and query the site. The results are displayed to standard out in csv format.

Lets try this out on a Google subnet.

#nslookup google.com
Name: google.com Address: 74.125.67.105
#./dns_recon.sh 74.125.67 >74.125.67.csv

The file looks like this.

#head 74.125.67.csv
 gw-in-f16.1e100.net,a,74.125.67.16
 gw-in-f17.1e100.net,a,74.125.67.17
 gw-in-f18.1e100.net,a,74.125.67.18
 mail.miamichildrensmuseum.org,a,74.125.67.18
 gw-in-f19.1e100.net,a,74.125.67.19
 gmr-test.google.com,a,74.125.67.23
 gw-in-f23.1e100.net,a,74.125.67.23
 a.mx.systembrasil.com.br,a,74.125.67.27
 alt2.aspmx.l.ipmgr.net,a,74.125.67.27
 alt22.aspmx.l.google.com,a,74.125.67.27

Lets quickly see what other domains besides google.com are listed by filtering out google.com. You can also import this into a spreadsheet and filter your results with it.

#grep -v google.com 74.126.76.txt
...(trunckated)
velure.info,a,74.125.67.100
youtube.ca,a,74.125.67.100
youtube.co.il,a,74.125.67.100
youtube.co.in,a,74.125.67.100
...(truncated)

This technique has worked out great for me. I have the user agent set as a Yahoo crawler, but you can change the variable to anything you like.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s