The host command is a simple command-line utility for performing DNS lookups and enumeration.
In security research and ethical hacking, DNS enumeration is one of the first steps in gathering information about a target. It is the process of querying all the DNS records a domain's name servers will hand out, such as name server details, IP addresses, mail exchanger details, TTLs, and more.
Attackers use this DNS-enumerated data to map a target's infrastructure and to find hosts worth probing further.
There are many DNS recon and online enumeration tools available on the internet. However, most of the work can be done with a single command-line utility: host.
In this article, we look at some useful examples of the host command for querying DNS details.
Let's begin!
Installation
The host command may not be available by default on a freshly installed machine, so you may have to install it yourself. The installation is straightforward.
The DNS-related commands nslookup, dig and host ship together with the BIND tools. On Debian and Ubuntu the package is called dnsutils (bind9-dnsutils on newer releases); on RHEL, Fedora and CentOS it is bind-utils. On a Debian-based system, type the following command in the terminal.
sudo apt-get install dnsutils -y
The host command is available on both macOS and Linux.
Usage
General syntax: running host with no arguments prints the general syntax of the command and the options it accepts, along with a short description of each option.
Example output:
┌──(geekflare㉿kali)-[~]
└─$ host
Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time]
[-R number] [-m flag] [-p port] hostname [server]
-a is equivalent to -v -t ANY
-A is like -a but omits RRSIG, NSEC, NSEC3
-c specifies query class for non-IN data
-C compares SOA records on authoritative nameservers
-d is equivalent to -v
-l lists all hosts in a domain, using AXFR
-m set memory debugging flag (trace|record|usage)
-N changes the number of dots allowed before root lookup is done
-p specifies the port on the server to query
-r disables recursive processing
-R specifies number of retries for UDP packets
-s a SERVFAIL response should stop query
-t specifies the query type
-T enables TCP/IP mode
-U enables UDP mode
-v enables verbose output
-V print version number and exit
-w specifies to wait forever for a reply
-W specifies how long to wait for a reply
-4 use IPv4 query transport only
-6 use IPv6 query transport only
To find the IP address of a domain
To find the IP address of a particular domain, simply pass the target domain name as an argument to the host command. With no -t option, host looks up the A, AAAA and MX records of the name.
host target-domain
Example output:
┌──(geekflare㉿kali)-[~]
└─$ host geekflare.com
geekflare.com has address 104.27.118.115
geekflare.com has address 104.27.119.115
geekflare.com has IPv6 address 2606:4700:20::681b:7673
geekflare.com has IPv6 address 2606:4700:20::681b:7773
geekflare.com mail is handled by 1 aspmx.l.google.com.
geekflare.com mail is handled by 5 alt1.aspmx.l.google.com.
geekflare.com mail is handled by 5 alt2.aspmx.l.google.com.
geekflare.com mail is handled by 10 alt3.aspmx.l.google.com.
geekflare.com mail is handled by 10 alt4.aspmx.l.google.com.
To see the full DNS response rather than the summary, use the -a option (all records, equivalent to -v -t ANY) or the -v option (verbose).
Example output:
┌──(geekflare㉿kali)-[~]
└─$ host -a geekflare.com
Trying "geekflare.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24690
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;geekflare.com. IN ANY
;; ANSWER SECTION:
geekflare.com. 3789 IN HINFO "RFC8482" ""
geekflare.com. 3789 IN RRSIG HINFO 13 2 3789 20220307065004 20220305045004 34505 geekflare.com. HW0Lfr5HazPMaACSBHmFqs94usKUljX+kONW/8Q2jwQ1QoAO9DEMjwDX rIQKODGtGnEizj2SzBF98mC2uQr7hQ==
Received 161 bytes from 192.168.1.1#53 in 64 ms
The -a option asks for every record type (an ANY query). The verbose output also shows which resolver answered (192.168.1.1, the local DNS server), the TTL of each record, and how long the query took. Note that the answer above is not the full record set: Cloudflare, like many authoritative servers, answers ANY queries with a synthetic HINFO record, as described in RFC 8482, to discourage them. So -a is not a reliable way to enumerate a zone; query each record type explicitly with -t instead, as shown in the following sections.
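Because ANY queries are answered minimally by many servers, a more dependable enumeration asks for each record type in turn. The following POSIX shell function is an added example, not code from the original article: it loops over a list of record types, runs host for each one, and filters out the "has no ... record" and "not found" lines so only real answers remain. HOST_CMD and DNS_TYPES are variables introduced here for illustration; HOST_CMD defaults to the real host binary.

```shell
#!/bin/sh
# Added example (not from the original article): enumerate a domain record
# type by record type instead of relying on -a/ANY, which many authoritative
# servers answer with a minimal RFC 8482 response.
# HOST_CMD is an assumption of this example so another lookup command can be
# substituted (for instance in a test); it defaults to the real host binary.
HOST_CMD="${HOST_CMD:-host}"

# Record types worth checking on every engagement (SRV and CAA are often
# forgotten, yet reveal internal services and the permitted certificate CAs).
DNS_TYPES="A AAAA NS MX TXT SOA CNAME SRV CAA"

# Query every type in DNS_TYPES for the domain in $1, optionally against the
# name server in $2, and print only the lines that carry an actual record.
dns_enum() {
    domain=$1
    server=$2
    for t in $DNS_TYPES; do
        # ${server:+"$server"} adds the server argument only when one was given.
        "$HOST_CMD" -t "$t" "$domain" ${server:+"$server"} 2>/dev/null |
            grep -v -e ' has no ' -e ' not found' -e '^Using domain server' \
                    -e '^Name:' -e '^Address:' -e '^Aliases:' -e '^$' || true
    done
}

# Number of record lines dns_enum found: a quick triage figure when you sweep
# a long list of domains.
dns_enum_count() {
    dns_enum "$@" | grep -c . || true
}

# Usage: dns_enum geekflare.com
#        dns_enum geekflare.com olga.ns.cloudflare.com
```

Passing a name server as the second argument queries an authoritative server directly, which avoids stale resolver caches and is the form you want when comparing what different authoritative servers hand out.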
To perform a reverse lookup
Given an IP address instead of a name, host performs a reverse lookup (a PTR query under in-addr.arpa or ip6.arpa) and returns the host name associated with the address.
The syntax looks like this:
host target-ip-address
Example output:
┌──(geekflare㉿kali)-[~]
└─$ host dnsleaktest.com
dnsleaktest.com has address 23.239.16.110
┌──(geekflare㉿kali)-[~]
└─$ host 23.239.16.110
110.16.239.23.in-addr.arpa domain name pointer li685-110.members.linode.com.
The PTR target (li685-110.members.linode.com.) identifies the machine behind the address, here a Linode customer host, which is useful for attributing an IP address to a hosting provider. Keep in mind that PTR records are maintained by whoever controls the address block, not by the domain owner, so they may be missing or unrelated to the forward name, and the PTR name is not necessarily one the web server will answer for.
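To make the reverse lookup less of a black box, the following POSIX shell functions are an added example, not code from the original article. They build the in-addr.arpa or ip6.arpa name that host queries behind the scenes (including expansion of the "::" shorthand in IPv6 addresses) and extract the PTR target from the answer line host prints. The sample answer line is the one from the output above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): build the reverse-lookup
# name that `host <ip>` queries (in-addr.arpa for IPv4, ip6.arpa for IPv6)
# and extract the PTR target from the line host prints. Pure sh + awk, so it
# runs without network access.

# IPv4: reverse the four octets and append in-addr.arpa.
reverse_name_v4() {
    printf '%s\n' "$1" |
        awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# IPv6: expand "::", zero-pad each group to 4 hex digits, then emit the 32
# nibbles in reverse order followed by ip6.arpa.
reverse_name_v6() {
    printf '%s\n' "$1" | awk '
    {
        n = split(tolower($1), p, ":")
        nonempty = 0
        for (i = 1; i <= n; i++) if (p[i] != "") nonempty++
        g = 0; expanded = 0
        for (i = 1; i <= n; i++) {
            if (p[i] == "") {
                # the first empty field is the "::"; any later empties belong to it
                if (expanded) continue
                expanded = 1
                for (j = 0; j < 8 - nonempty; j++) grp[++g] = "0000"
            } else {
                s = p[i]
                while (length(s) < 4) s = "0" s
                grp[++g] = s
            }
        }
        out = ""
        for (i = g; i >= 1; i--)
            for (k = 4; k >= 1; k--)
                out = out substr(grp[i], k, 1) "."
        print out "ip6.arpa"
    }'
}

# Dispatch on the address family.
reverse_name() {
    case $1 in
        *:*) reverse_name_v6 "$1" ;;
        *)   reverse_name_v4 "$1" ;;
    esac
}

# Pull the PTR target out of a `host <ip>` answer line and drop the trailing dot.
ptr_target() {
    printf '%s\n' "$1" |
        awk '/domain name pointer/ { sub(/\.$/, "", $NF); print $NF }'
}

# Sample answer line, copied from the article output above.
SAMPLE_PTR_LINE='110.16.239.23.in-addr.arpa domain name pointer li685-110.members.linode.com.'

# Usage: host "$(reverse_name 23.239.16.110)"  gives the same answer as  host 23.239.16.110
```

Querying the reverse name explicitly, with -t ptr, is handy when you want to send the PTR query to a specific server (for example the provider's authoritative server) rather than through your resolver.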
To find the domain's name servers
Use the -t option, which specifies the query type, to retrieve the domain's name servers.
Here I pass -t ns to find the name servers of a particular domain.
The NS records list the authoritative name servers for the zone.
host -t ns target-domain
Example output:
┌──(geekflare㉿kali)-[~]
└─$ host -t ns geekflare.com
geekflare.com name server olga.ns.cloudflare.com.
geekflare.com name server todd.ns.cloudflare.com.
To query a particular name server
Use the command below to send the query to a specific name server, such as one of the authoritative servers found above, instead of the system's default resolver.
host target-domain [name-server]
Example output:
┌──(root💀kali)-[/home/geekflare]
└─# host geekflare.com olga.ns.cloudflare.com.
Using domain server:
Name: olga.ns.cloudflare.com.
Address: 173.245.58.137#53
Aliases:
geekflare.com has address 104.27.118.115
geekflare.com has address 104.27.119.115
geekflare.com has IPv6 address 2606:4700:20::681b:7773
geekflare.com has IPv6 address 2606:4700:20::681b:7673
geekflare.com mail is handled by 1 aspmx.l.google.com.
geekflare.com mail is handled by 5 alt1.aspmx.l.google.com.
geekflare.com mail is handled by 5 alt2.aspmx.l.google.com.
geekflare.com mail is handled by 10 alt3.aspmx.l.google.com.
geekflare.com mail is handled by 10 alt4.aspmx.l.google.com.
To find the domain's MX records
To list a domain's Mail Exchanger (MX) records:
host -t MX target-domain
Example output:
┌──(geekflare㉿kali)-[~]
└─$ host -t mx geekflare.com
geekflare.com mail is handled by 1 aspmx.l.google.com.
geekflare.com mail is handled by 5 alt1.aspmx.l.google.com.
geekflare.com mail is handled by 5 alt2.aspmx.l.google.com.
geekflare.com mail is handled by 10 alt3.aspmx.l.google.com.
geekflare.com mail is handled by 10 alt4.aspmx.l.google.com.
MX records tell sending mail servers where to deliver e-mail for the domain; the number is the preference, and the lowest value is tried first.
To find the domain's TXT records
To list a domain's TXT records (free-form text attached to a name, used for ownership verification tokens and mail policies such as SPF):
host -t txt target-domain
Example output:
┌──(geekflare㉿kali)-[~]
└─$ host -t txt geekflare.com
geekflare.com descriptive text "google-site-verification=MRSwa454qay1S6pwwixzoiZl08kfJfkhiQIslhok3-A"
geekflare.com descriptive text "google-site-verification=7QXbgb492Y5NVyWzSAgAScfUV3XIAGTKKZfdpCvcaGM"
geekflare.com descriptive text "yandex-verification: 42f25bad396e79f5"
geekflare.com descriptive text "v=spf1 include:_spf.google.com include:mailgun.org include:zcsend.net ~all"
geekflare.com descriptive text "ahrefs-site-verification_8eefbd2fe43a8728b6fd14a393e2aff77b671e41615d2c1c6fc365ec33a4d6d0"
geekflare.com descriptive text "ca3-7fbfaa573ba248ddb17a618e5b46ca01"
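The SPF record in that output is the one a phishing assessment cares about: its include: mechanisms name third parties allowed to send mail as the domain, and the final all mechanism decides what happens to everyone else. The following POSIX shell functions are an added example, not code from the original article. They pick the SPF record out of host -t txt output and report the all qualifier and the includes. The sample input reuses lines from the output above plus one constructed record for a hypothetical domain, weak.example, with a permissive +all policy.

```shell
#!/bin/sh
# Added example (not from the original article): pull the SPF policy out of
# `host -t txt` output and flag the settings that matter for mail spoofing.
# Runs offline on the sample lines below.

# TXT lines as host prints them. The geekflare.com lines are from the article;
# the weak.example line is constructed to show a permissive policy.
SAMPLE_TXT='geekflare.com descriptive text "google-site-verification=MRSwa454qay1S6pwwixzoiZl08kfJfkhiQIslhok3-A"
geekflare.com descriptive text "yandex-verification: 42f25bad396e79f5"
geekflare.com descriptive text "v=spf1 include:_spf.google.com include:mailgun.org include:zcsend.net ~all"
geekflare.com descriptive text "ca3-7fbfaa573ba248ddb17a618e5b46ca01"
weak.example descriptive text "v=spf1 include:_spf.google.com +all"'

# Print the SPF record (without the surrounding quotes) for the domain in $1,
# reading host output from stdin. Only the first v=spf1 record counts.
spf_record() {
    awk -v d="$1" '$1 == d && $2 == "descriptive" {
        line = $0
        sub(/^[^"]*"/, "", line); sub(/"$/, "", line)
        if (line ~ /^v=spf1( |$)/) { print line; exit }
    }'
}

# The all mechanism decides the fate of senders no other mechanism matched:
# -all rejects, ~all softfails, ?all is neutral, +all (or bare all) authorises
# everyone. Prints "none" when there is no SPF record or no all mechanism.
spf_all_qualifier() {
    spf_record "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[-~?+]?all$/) q = ($i == "all") ? "+all" : $i
    } END { print (q == "" ? "none" : q) }'
}

# List the domains pulled in via include:; each of them can authorise senders
# for this domain too, so they deserve the same enumeration.
spf_includes() {
    spf_record "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^include:/) { sub(/^include:/, "", $i); print $i }
    }'
}

# Exit 0 when the policy is restrictive (-all or ~all), 1 otherwise.
spf_is_restrictive() {
    case $(spf_all_qualifier "$1") in
        -all|~all) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: host -t txt geekflare.com | spf_all_qualifier geekflare.com
#        printf '%s\n' "$SAMPLE_TXT" | spf_includes geekflare.com
```

A domain with +all, ?all or no SPF record at all lets anyone send mail that passes SPF for it; one with ~all or -all still depends on the included domains being equally strict, which is why the include list is printed separately.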
To find the domain's SOA record
To get a domain's SOA (start of authority) record:
host -t soa target-domain
Example output:
┌──(geekflare㉿kali)-[~]
└─$ host -t soa geekflare.com
geekflare.com has SOA record olga.ns.cloudflare.com. dns.cloudflare.com. 2271966690 10000 2400 604800 3600
The fields after "SOA record" are the primary name server, the responsible party's mailbox (dns.cloudflare.com. means dns@cloudflare.com), the zone serial, and the refresh, retry, expire and negative-caching TTL timers in seconds.
Use the command below to compare the SOA records of all authoritative name servers for a given zone (the portion of the DNS namespace those servers are responsible for). A serial that differs between servers means a secondary has not picked up the latest zone change.
host -C target-domain
Example output:
┌──(geekflare㉿kali)-[~]
└─$ host -C geekflare.com
Nameserver 173.245.58.137:
geekflare.com has SOA record olga.ns.cloudflare.com. dns.cloudflare.com. 2271966690 10000 2400 604800 3600
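The following POSIX shell functions are an added example, not code from the original article: they split a "has SOA record" line into labelled fields and check host -C output for a serial mismatch between authoritative servers. The sample input reuses the article's server and SOA line; the second server, 192.0.2.53 (a documentation address), and its older serial are constructed to show what a lagging secondary looks like.

```shell
#!/bin/sh
# Added example (not from the original article): parse `host -t soa` and
# `host -C` output and check that every authoritative server carries the same
# zone serial. Runs offline on the constructed sample below.

# Sample `host -C` output. The first server and its SOA are from the article;
# the second server (192.0.2.53, a documentation address) and its older serial
# are constructed.
SAMPLE_SOA_C='Nameserver 173.245.58.137:
    geekflare.com has SOA record olga.ns.cloudflare.com. dns.cloudflare.com. 2271966690 10000 2400 604800 3600
Nameserver 192.0.2.53:
    geekflare.com has SOA record olga.ns.cloudflare.com. dns.cloudflare.com. 2271966601 10000 2400 604800 3600'

# Split the first "has SOA record" line on stdin into "key value" pairs:
# mname (primary server), rname (responsible mailbox, first dot becomes @),
# serial, refresh, retry, expire and minimum (negative-caching TTL).
soa_fields() {
    awk '/has SOA record/ {
        # $5=MNAME $6=RNAME $7=serial $8=refresh $9=retry $10=expire $11=minimum
        rname = $6; sub(/\.$/, "", rname); sub(/\./, "@", rname)
        print "mname " $5
        print "rname " rname
        print "serial " $7
        print "refresh " $8
        print "retry " $9
        print "expire " $10
        print "minimum " $11
        exit
    }'
}

# From `host -C` output on stdin print "nameserver serial", one per server.
soa_serials() {
    awk '
        /^Nameserver / { ns = $2; sub(/:$/, "", ns) }
        /has SOA record/ { print ns, $7 }'
}

# Exit 0 when every server reports the same serial, 1 when any server lags
# (or when no SOA answer was present at all).
soa_in_sync() {
    count=$(soa_serials | awk '{ print $2 }' | sort -u | grep -c . || true)
    [ "$count" -eq 1 ]
}

# Usage: host -C geekflare.com | soa_in_sync && echo "all name servers in sync"
#        host -t soa geekflare.com | soa_fields
```

A serial that lags on one server is more than a tidiness issue: clients that happen to hit that server see the old zone, so a record you removed (or a host you decommissioned) can linger there until the next successful transfer.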
To find the domain's CNAME records
CNAME stands for canonical name record. It maps an alias name to its canonical name, so a lookup of the alias is continued at the canonical name.
Use the command below to find a domain's CNAME records.
host -t cname target-domain
Example output:
┌──(geekflare㉿kali)-[~]
└─$ host -t cname geekflare.com
geekflare.com has no CNAME record
If the target name has a CNAME record, it will be displayed after the command is run. The apex of a zone cannot carry a CNAME alongside its SOA and NS records, so CNAMEs are normally found on subdomains (for example www or mail) rather than on the bare domain queried here.
To find the domain's TTL values
TTL stands for Time to Live. It is part of every DNS record and is set by the administrator of the authoritative zone.
In simple terms, the TTL tells caching resolvers how long (in seconds) they may keep a record before fetching it again. Use the command below to view the TTL of a domain's A records.
host -v -t a target-domain
Example output:
┌──(root💀kali)-[/home/geekflare]
└─# host -v -t a geekflare.com
Trying "geekflare.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2479
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;geekflare.com. IN A
;; ANSWER SECTION:
geekflare.com. 30 IN A 104.27.119.115
geekflare.com. 30 IN A 104.27.118.115
Received 63 bytes from 192.168.1.1#53 in 60 ms
The second column of each answer line (30 here) is the TTL. When the answer comes from a recursive resolver, as it does above, the value is the time remaining in that resolver's cache and counts down between queries; to see the TTL as configured in the zone, send the query to one of the authoritative name servers.
Conclusion
I hope you found this article helpful in learning some useful examples of the host command for querying DNS details.
You may also be interested in free online tools for checking a domain name's DNS records.