
★Kali Information Gathering ~ 4. DNS Series

4.1 host: DNS information

Parameters: (the original post shows a screenshot of the host help output)

Under normal circumstances, host looks up A, AAAA and MX records.


Examples:

Name server (NS) query


host -t ns <domain>


A record and MX record query


host <domain> (equivalent to host -t a <domain> plus host -t mx <domain>)


PS: An A (Address) record maps a hostname (or domain name) to an IP address. Users can point the web site under the domain at their own web server, and can also set up subdomains of the domain. In plain terms, an A record is the server's IP: binding an A record to a domain tells DNS that when you type the domain, you should be directed to the server whose address is in the A record configured in DNS.

PS: An MX record, also called the mail routing record, lets the user point the mail servers for the domain at their own mail server and then control all mailbox settings themselves. You only need to fill in your server's IP address online and all mail for your domain will be delivered to the mail server you configured. Simply put, only by setting up MX records can you get mailboxes that end in your domain name.

4.2 dig: DNS digging

root@Kali:/home/dnt# dig -h

Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}

{global-d-opt} host [@local-server] {local-d-opt}

[ host [@local-server] {local-d-opt} [...]]

Where: domain         is in the Domain Name System

q-class is one of (in,hs,ch,...) [default: in]

q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]

(Use ixfr=version for type ixfr)

q-opt is one of:

-x dot-notation (shortcut for reverse lookups)

-i (use IP6.INT for IPv6 reverse lookups)

-f filename (batch mode)

-b address[#port] (bind to source address/port)

-p port (specify port number)

-q name (specify query name)

-t type (specify query type)

-c class (specify query class)

-k keyfile (specify tsig key file)

-y [hmac:]name:key (specify named base64 tsig key)

-4 (use IPv4 query transport only)

-6 (use IPv6 query transport only)

-m (enable memory usage debugging)

d-opt is of the form +keyword[=value], where keyword is:

+[no]vc (TCP mode)

+[no]tcp (TCP mode, alternate syntax)

+time=### (Set query timeout) [5]

+tries=### (Set number of UDP attempts) [3]

+retry=### (Set number of UDP retries) [2]

+domain=### (Set default domainname)

+bufsize=### (Set EDNS0 Max UDP packet size)

+ndots=### (Set NDOTS value)

+[no]edns[=###] (Set EDNS version) [0]

+[no]search (Set whether to use searchlist)

+[no]showsearch (Search with intermediate results)

+[no]defname (Ditto)

+[no]recurse (Recursive mode)

+[no]ignore (Don't revert to TCP for TC responses.)

+[no]fail (Don't try next server on SERVFAIL)

+[no]besteffort (Try to parse even illegal messages)

+[no]aaonly (Set AA flag in query (+[no]aaflag))

+[no]adflag (Set AD flag in query)

+[no]cdflag (Set CD flag in query)

+[no]cl (Control display of class in records)

+[no]cmd (Control display of command line)

+[no]comments (Control display of comment lines)

+[no]rrcomments (Control display of per-record comments)

+[no]question (Control display of question)

+[no]answer (Control display of answer)

+[no]authority (Control display of authority)

+[no]additional (Control display of additional)

+[no]stats (Control display of statistics)

+[no]short (Disable everything except short

form of answer)

+[no]ttlid (Control display of ttls in records)

+[no]all (Set or clear all display flags)

+[no]qr (Print question before sending)

+[no]nssearch (Search all authoritative nameservers)

+[no]identify (ID responders in short answers)

+[no]trace (Trace delegation down from root [+dnssec])

+[no]dnssec (Request DNSSEC records)

+[no]nsid (Request Name Server ID)

+[no]sigchase (Chase DNSSEC signatures)

+trusted-key=#### (Trusted Key when chasing DNSSEC sigs)

+[no]topdown (Do DNSSEC validation top down mode)

+[no]split=## (Split hex/base64 fields into chunks)

+[no]multiline (Print records in an expanded format)

+[no]onesoa (AXFR prints only one soa record)

+[no]keepopen (Keep the TCP socket open between queries)

global d-opts and servers (before host name) affect all queries.

local d-opts and servers (after host name) affect only that lookup.

-h (print help and exit)

-v (print version and exit)

Common usage: dig <domain> any


 root@Kali:/home/dnt# dig cnblogs.com any

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> cnblogs.com any

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18664

;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:

;cnblogs.com.                        IN        ANY

;; ANSWER SECTION:

cnblogs.com.                5        IN        NS        ns4.dnsv4.com.

cnblogs.com.                5        IN        NS        ns3.dnsv4.com.

;; Query time: 2010 msec

;; SERVER: 192.168.232.2#53(192.168.232.2)

;; WHEN: Thu Dec 24 23:19:22 CST 2015

;; MSG SIZE rcvd: 71
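As an added example that is not part of the original post, the following POSIX shell script parses the text dig prints in the layout shown above and extracts the ANSWER SECTION, so the A, NS and MX records discussed in the host and dig sections can be processed by a script instead of read by eye. The dig output it parses is constructed inline to mirror the format above (the zone example.test and the 192.0.2.x addresses are placeholders) and is not a live query.

```shell
#!/bin/sh
# Added example, not from the original post: parse dig's text output and
# extract the ANSWER SECTION records so DNS recon results can be scripted.

# Constructed sample in the same layout as dig prints (see the cnblogs.com
# output above); example.test and the 192.0.2.x addresses are placeholders.
SAMPLE_DIG_OUTPUT='; <<>> DiG 9.9.5 <<>> example.test any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.test.                  IN      ANY

;; ANSWER SECTION:
example.test.           300     IN      NS      ns1.example.test.
example.test.           300     IN      NS      ns2.example.test.
example.test.           60      IN      A       192.0.2.10
example.test.           3600    IN      MX      10 mail.example.test.
www.example.test.       60      IN      CNAME   example.test.

;; Query time: 12 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)
;; WHEN: Thu Jan  1 00:00:00 UTC 2026
;; MSG SIZE  rcvd: 150'

# answer_records: read dig output on stdin and print each ANSWER SECTION
# record as "owner ttl type rdata" (class column dropped, rdata rejoined).
answer_records() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        in_answer && /^[ \t]*$/ { in_answer = 0 }   # a blank line ends the section
        in_answer && $0 !~ /^;/ && NF >= 5 {
            rdata = $5
            for (i = 6; i <= NF; i++) rdata = rdata " " $i
            print $1, $2, $4, rdata
        }
    '
}

# records_of_type TYPE: print only the rdata of records of one type (A, NS, MX, ...).
records_of_type() {
    answer_records | awk -v want="$1" '
        $3 == want {
            out = $4
            for (i = 5; i <= NF; i++) out = out " " $i
            print out
        }
    '
}

# count_by_type: how many records of each type the answer contained, sorted by type.
count_by_type() {
    answer_records | awk '{ n[$3]++ } END { for (t in n) print t, n[t] }' | sort
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_DIG_OUTPUT" | count_by_type
```

To use it on live output, pipe dig into the functions, for example: dig example.test any | records_of_type NS. Many name servers now answer ANY with a minimal or synthesized response (RFC 8482), which is why the cnblogs.com answer above contains only NS records; querying each type explicitly (a, mx, ns) is more reliable than relying on any.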

4.3 nslookup: DNS lookup

Built into both Windows and Linux

The simplest use of nslookup is to look up the IP address for a domain, covering A records and CNAME records

Help documentation: man nslookup


Let's look at the help text on Windows (it is a bit clearer)


Common commands: nslookup

0. Set the default server

server 8.8.8.8


1. Simple query of domain information

> set type=any

> cnblogs.com


2. Query the domain's CNAME record (alias pointer)

> set type=cname


3. Query the domain's A record (in plain terms, an A record is the server's IP: binding an A record to a domain tells DNS that when you type the domain, you should be directed to the server whose address is in the A record configured in DNS)


4. Query the domain's MX record (mail record)

> set type=mx


5. Query the domain's NS record (the DNS servers the domain uses)


Not sure what this means? Here is a picture: (Alibaba Cloud DNS console)


If it is still unclear, search Baidu or Google.

This article is reposted from the 毒逆天 cnblogs blog; original link: http://www.cnblogs.com/dunitian/p/5074773.html. Contact the original author if you wish to repost it.
