A tool that turns the authoritative nameservers of DNS providers into resolvers and uses them to resolve a target domain list. As of now the tool only resolves the A record for the list of domains.

The idea behind this tool comes from observing that an authoritative nameserver of TARGET1 would also resolve TARGET2, provided both belonged to the same DNS provider. Using this, for a given TARGET we can collect a large number of authoritative nameservers and use them as resolvers instead of the public DNS resolvers.
Proof
- Fetch `bugcrowd.com` nameservers

```
$ host -t ns bugcrowd.com
bugcrowd.com name server edna.ns.cloudflare.com.
bugcrowd.com name server lee.ns.cloudflare.com.
```

- Fetch `upserve.com` nameservers

```
$ host -t ns upserve.com
upserve.com name server ulla.ns.cloudflare.com.
upserve.com name server jay.ns.cloudflare.com.
```

- Resolve `bugcrowd.com` using upserve's nameserver `jay.ns.cloudflare.com`

```
$ nslookup bugcrowd.com jay.ns.cloudflare.com
Server:    jay.ns.cloudflare.com
Address:   173.245.59.123#53

Name:      bugcrowd.com
Address:   104.20.5.239
Name:      bugcrowd.com
Address:   104.20.4.239
Name:      bugcrowd.com
Address:   2606:4700:10::6814:5ef
Name:      bugcrowd.com
Address:   2606:4700:10::6814:4ef
```

- Resolve `docs.bugcrowd.com` using upserve's nameserver `jay.ns.cloudflare.com`

```
$ nslookup docs.bugcrowd.com jay.ns.cloudflare.com
Server:    jay.ns.cloudflare.com
Address:   173.245.59.123#53

Name:      docs.bugcrowd.com
Address:   104.20.5.239
Name:      docs.bugcrowd.com
Address:   104.20.4.239
Name:      docs.bugcrowd.com
Address:   2606:4700:10::6814:5ef
Name:      docs.bugcrowd.com
Address:   2606:4700:10::6814:4ef
```

- Repeating the same for `upserve.com`: resolve `upserve.com` using bugcrowd's nameserver `edna.ns.cloudflare.com`

```
$ nslookup upserve.com edna.ns.cloudflare.com
Server:    edna.ns.cloudflare.com
Address:   173.245.58.109#53

Name:      upserve.com
Address:   35.221.46.9
```
As seen above, the authoritative nameservers aren't tied to their specific domain names, so we can leverage the way these DNS providers are configured: probe the IP range of the respective DNS provider, grab all the active DNS servers in that range, and use them as resolvers against our target list. All these servers answer authoritatively because of the configuration observed above.
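The check behind the proof above is whether a given nameserver returns an answer with the AA (authoritative answer) flag set for a zone it was not asked about by delegation. The following is an added example for this README, not part of massNS or of any DNS library: it builds a raw A query and parses the reply with the standard library only, so it can be pointed at one nameserver IP with `query_server()` or run offline against `SAMPLE_REPLY`, a reply constructed by hand to mirror the nslookup output for `bugcrowd.com` (it was not captured from a real server). A zone operator can use the same parser to confirm which of a provider's servers actually answer authoritatively for their zone.

```python
"""Build a DNS A query and parse the reply, reporting the AA flag.
Added example for this README (not massNS code); standard library only."""
import socket
import struct


def build_a_query(name, txid=0x1234):
    """Wire bytes of a standard A/IN query for `name`.
    Flags are 0 (RD=0): we want the server's own data, not recursion."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, off):
    """Decode a (possibly compressed) name at `off`; return (name, next_offset)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode())
        off += length


def parse_a_response(msg):
    """Return {'aa': bool, 'rcode': int, 'answers': [(name, ip), ...]} for A records."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                        # skip the question section
        _, off = _read_name(msg, off)
        off += 4                               # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1:         # A record, class IN
            answers.append((name, socket.inet_ntoa(rdata)))
    return {"aa": bool(flags & 0x0400), "rcode": flags & 0x000F, "answers": answers}


def query_server(name, server_ip, timeout=3.0):
    """Send the query to one nameserver over UDP/53 and parse the reply.
    Needs network access; the offline sample below does not call it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (server_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_response(data)


# Constructed reply (not captured): QR=1, AA=1, RCODE=0, the question echoed,
# then two A records whose names are compression pointers (0xC00C) to offset 12.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 0)
    + b"\x08bugcrowd\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("104.20.5.239")
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("104.20.4.239")
)

if __name__ == "__main__":
    print(parse_a_response(SAMPLE_REPLY))
```

An answer with `aa` False (or a REFUSED rcode, 5) from a provider's server means that server is not willing to serve the zone the way the Cloudflare servers above do, which is the behaviour the README notes for `awsdns`.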
- ipcalc: `sudo apt-get install ipcalc`
- Interlace at the root. Interlace is used here to multi-thread `nslookup`.
- Masscan
- Run

```
cd massNS
chmod +x massns.sh
./massns.sh target.com /path/to/target/domains
```
- If the domain has a canonical name (CNAME), the tool usually outputs just the canonical name.
- `awsdns` seems not to allow this.
- I truly have no idea whether the authoritative nameservers would ever complain.
Other DNS providers that allow this are:

- `*.ns.cloudflare.com`
- `*.*.dynect.com/net`
- `*.ultradns.net/org/biz/com`

and a lot more.
Against PayPal the tool could gather 698 authoritative nameservers turned resolvers, a combination of DNS servers from both dynect and ultradns.
P.S.: This is purely experimental. Please do share what you think of this approach. Thanks!