Job assigned me to do a "DNS Pentest", need help and advice

I was assigned to do a “DNS pentest”. That’s what they call it, but I have no idea where to start or what I need to ask the Network team. Do I need some credentials or anything? Appreciate all the answers.


Try the following:

  • Data Exfil over DNS
  • C2 comms over DNS
  • Test for sinkholing using a list of known bad URLs
  • Test if Zone Transfers are allowed
  • Are your DNS servers vulnerable?
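The first two items on that list (exfil and C2 over DNS) are usually found on the defender's side by looking at query logs. As an added example that is not from this thread, here is a small heuristic scorer over constructed log lines; the thresholds, the log format and the naive two-label base-domain split are assumptions:

```python
"""Heuristic detector for DNS tunnelling / exfiltration in query logs.

Added example, not from the thread. Flags base domains whose queries share
the traits of DNS exfil/C2 tunnels: long or high-entropy subdomain labels,
unusual record types (TXT/NULL) and many distinct subdomains per domain.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<client> <qtype> <qname>"
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT 4a6f686e20446f65.exfil-demo.test
10.0.0.7 TXT 3132333435363738.exfil-demo.test
10.0.0.7 TXT 61626364656667686970.exfil-demo.test
10.0.0.7 TXT 7a7978777675747372.exfil-demo.test
10.0.0.9 A cdn.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; hex/base32 blobs score well above normal hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def base_domain(qname: str) -> str:
    """Naive registered-domain split (last two labels); no public-suffix list (assumption)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_tunnel_candidates(log: str, min_unique=3, max_label=20, min_entropy=3.0):
    """Return base domains with >= min_unique distinct, suspicious-looking subdomains."""
    per_domain, suspicious = defaultdict(set), defaultdict(int)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _, qtype, qname = parts
        base = base_domain(qname)
        sub = qname[: -len(base)].rstrip(".")
        if not sub:
            continue  # bare apex query, nothing to score
        per_domain[base].add(sub)
        longest = max(len(lbl) for lbl in sub.split("."))
        if longest > max_label or shannon_entropy(sub) > min_entropy or qtype in ("TXT", "NULL"):
            suspicious[base] += 1
    return sorted(d for d, subs in per_domain.items()
                  if len(subs) >= min_unique and suspicious[d] >= min_unique)
```

Run against real resolver logs the thresholds need tuning per environment, since CDNs and anti-virus vendors also generate many unique, high-entropy subdomains.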

That helps man. TY

Did you talk to them and ask them what their threat model is?


Definitely this. When faced with ambiguous projects it’s always best to have a discussion with the client and clarify what they are trying to achieve.

What about instances where the client doesn’t have a threat model for their assets but still asks for ambiguous stuff like a “DNS Pentest”?

It depends on the client; some will have a threat model and very specific requirements, others will not. But the latter will usually have some risks they are thinking about.

The project was also probably scoped and sold by someone who might have some more info, so it's worth following up with that person.

Worst case scenario, no one really has any clue. In that case consider your scope. Is it a public facing DNS, or an internal one? Do you have access to the server or is it an unauthenticated test? And so on, try to build a picture and figure out what the best use of your time would be.

You need a checklist like this: Checklist: Secure Your DNS Server

Like, what’s the first thing that comes into your mind if a corporate says “You go do DNS pentesting on our company” with no information on what they wanna test? More like, go do your research on what I can execute and pentest it. Any suggestions? Checklists? What kind of questions do I gotta ask the team?

Ask for admin credentials and do a full review of the operating system and DNS service configuration. Make sure things are up to date, and hardened.

CIS Benchmarks can be found for most things and will cover most hardening things. Investigate potential privilege escalation attacks.

Should probably take you about 2 days, and this includes writing your report.

If they won’t provide you with credentials, get on the same network and poke whatever services are exposed.

DNS data exfiltration is also a thing, but it’s fairly specific in terms of when it would be an issue. XFLTreat is a great tool for this and covers multiple protocols iirc.


Thank you so much