Features:
Based on open (public) channels
No direct contact with the target
Avoid leaving any traces
Standard reference--OSINT:
U.S. military
North Atlantic Treaty Organization
Terminology
DNS--Domain Name System
A distributed database that maps domain names and IP addresses to each other on the Internet, so that users can reach hosts without having to remember the numeric IP strings that machines read directly. The process of obtaining the IP address that corresponds to a host name is called domain name resolution (or host name resolution). The DNS protocol runs on top of UDP, using port 53. RFC 2181 clarifies the DNS specification, RFC 2136 describes dynamic updates to DNS, and RFC 2308 describes negative caching of DNS queries.
Domain name
A domain name is the name of a computer or group of computers on the Internet, made up of a list of names separated by dots. It identifies the electronic location of the computer during data transfer (sometimes it also refers to a geographical location: a geographical domain name denotes a local area with administrative autonomy). A domain name is a "mask" over an IP address. Its purpose is to make a group of server addresses (website, email, FTP, etc.) easier to remember and communicate.
Example: sina.com
FQDN--fully qualified domain name
An FQDN (fully qualified domain name) is the host name plus its full path, where the full path lists every domain member in the sequence. It logically and precisely identifies where the host is; in other words, the FQDN is the complete representation of the host name. From the information in the FQDN you can see the position of the host in the domain tree.
Example: www.sina.com
WHOIS--querying domain name information
WHOIS (pronounced "who is"; it is not an abbreviation) is a protocol used to query information such as the IP and the owner of a domain name. In short, WHOIS is a database used to look up whether a domain name has been registered and the details of the registration (such as the domain owner and the registrar). Domain information lookups are done through WHOIS. Early WHOIS lookups were mostly made from a command-line interface, but there are now simplified online tools with a web interface that can query several databases at once. The web tools still rely on the WHOIS protocol to send query requests to the server, and the command-line tools are still widely used by system administrators. WHOIS typically uses TCP port 43. The WHOIS information for each domain/IP is maintained by the corresponding managing organization.
DNS resource record types
A--host name
This record lists the IP addresses for a specific host name. It is the key record for name resolution.
CNAME--alias
This record specifies an alias for the canonical host name.
MX--mail exchanger
This record lists the hosts responsible for receiving e-mail sent to the domain.
NS--name server
This record specifies the name server that is responsible for the given zone.
PTR record
Resolves an IP address back to a domain name (reverse resolution)
SPF--text
Reverse resolution used for anti-spam: if the reverse query does not match, the message is using a forged domain name
DNS resolution process
The DNS client (a personal computer) browses to a website by entering a URL (a full domain name)
The DNS server first resolves the full domain name to an IP and returns the IP to the personal computer
The personal computer then connects and transmits data to this IP via the router
The process by which DNS resolves a domain name is as follows:
First the personal computer submits the domain name to the cache DNS server
The cache DNS server looks locally and finds nothing
The cache DNS server sends the domain name (www.sina.com.) to the root domain server. Note the dot at the end inside the parentheses: the root domain server only resolves that single dot of the domain name
The root domain server looks locally and finds nothing, so it returns the IP of the next layer of domain name server to the cache DNS server
Using the IP it obtained, the cache DNS server sends the domain name to the next tier, the com domain server (which only resolves .com.)
That server looks locally, finds nothing, and returns the IP of the next layer
The cache DNS server then sends the domain name to the sina.com. server (the Sina server)
This is the server that holds the IP corresponding to www.sina.com.
The Sina server returns this IP to the cache server
The cache server stores this mapping locally, and the cached record is kept for a while for reuse
The cache server sends the IP to the personal computer
The personal computer communicates via routing
DNS can therefore be seen as a distributed database that is peeled layer by layer, with the "." in the domain name separating the layers
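The walk described above (cache lookup, root, com, sina.com, then caching the answer for a while) can be modelled offline. This is an added example, not code from the original article; the server labels, the 60-second lifetime and the address 192.0.2.10 are constructed for illustration.

```python
import time

# Constructed delegation data for illustration (not real zone contents).
# "refer" maps a zone suffix to the server responsible for it; "answer" holds
# the records a server is authoritative for. 192.0.2.10 is a documentation address.
SERVERS = {
    "root":    {"refer": {"com.": "com-tld"}},
    "com-tld": {"refer": {"sina.com.": "sina-ns"}},
    "sina-ns": {"answer": {"www.sina.com.": "192.0.2.10"}},
}

class CachingResolver:
    """Hypothetical cache DNS server that walks the delegation chain itself."""

    def __init__(self, ttl=60, clock=time.monotonic):
        self.ttl, self.clock = ttl, clock
        self.cache = {}   # fqdn -> (ip, expiry time)
        self.trace = []   # every source consulted, in order

    def resolve(self, name):
        fqdn = name if name.endswith(".") else name + "."  # trailing dot = root
        hit = self.cache.get(fqdn)
        if hit and hit[1] > self.clock():
            self.trace.append("cache")
            return hit[0]
        server = "root"
        while True:
            self.trace.append(server)
            zone = SERVERS[server]
            ip = zone.get("answer", {}).get(fqdn)
            if ip:
                self.cache[fqdn] = (ip, self.clock() + self.ttl)
                return ip
            # Follow the longest delegated suffix that covers the query name.
            covers = [z for z in zone.get("refer", {})
                      if fqdn == z or fqdn.endswith("." + z)]
            if not covers:
                return None  # nobody is responsible for this name
            server = zone["refer"][max(covers, key=len)]

def demo():
    r = CachingResolver()
    first = r.resolve("www.sina.com")
    second = r.resolve("www.sina.com.")  # same name, answered from the cache
    return first, second, r.trace
```

The trace returned by demo() shows three upstream queries for the first lookup and a single cache hit for the second.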
Resolution tools--nslookup
Features
Cross-platform, built in, practical
Usage
Enter the domain name directly
When q (type) is not set, the default is to resolve A (host name) and CNAME (alias) records
> set q=mx -- mail exchange records
> sina.com -- note that the domain is entered here
Server:  192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
sina.com mail exchanger = 10 freemx3.sinamail.sina.com.cn.
sina.com mail exchanger = 5 freemx1.sinamail.sina.com.cn.
sina.com mail exchanger = 10 freemx2.sinamail.sina.com.cn. -- There are three! The smaller the value, the higher the priority, so here the top and bottom ones are standby machines
Authoritative answers can be found from:
sina.com nameserver = ns4.sina.com.cn.
sina.com nameserver = ns3.sina.com.cn.
sina.com nameserver = ns2.sina.com.
sina.com nameserver = ns4.sina.com.
sina.com nameserver = ns3.sina.com.
sina.com nameserver = ns1.sina.com.
sina.com nameserver = ns2.sina.com.cn.
sina.com nameserver = ns1.sina.com.cn.
ns1.sina.com internet address = 114.134.80.144
ns1.sina.com.cn internet address = 202.106.184.166
ns2.sina.com internet address = 114.134.80.145
ns2.sina.com.cn internet address = 61.172.201.254
ns3.sina.com internet address = 61.172.201.254
ns3.sina.com.cn internet address = 123.125.29.99
ns4.sina.com internet address = 123.125.29.99
ns4.sina.com.cn internet address = 121.14.1.22
set type=ptr -- then enter an IP to reverse-resolve it to a domain name
set type=any -- resolve all record types
server 8.8.8.8 -- specify the domain name server to use (Google's)
A domain name can correspond to multiple aliases and IP addresses. Smart DNS returns the nearest in-country IP first, so different DNS servers return different IPs
You can also do the whole configuration in one line: the record type, the domain, and the IP of the DNS server to use
nslookup -q=any sina.com 114.114.114.114
To view the addresses of the machine's default DNS servers:
cat /etc/resolv.conf -- the system tries the listed servers from top to bottom
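When nslookup output like the MX answer shown earlier is saved to a file, the preference ordering and any name servers that share one address can be read out mechanically. This is an added example, not part of the original article; the sample text is a few lines taken from the session on this page, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# A few lines from the session on this page, laid out as nslookup prints them.
SAMPLE = """\
Non-authoritative answer:
sina.com  mail exchanger = 10 freemx3.sinamail.sina.com.cn.
sina.com  mail exchanger = 5 freemx1.sinamail.sina.com.cn.
sina.com  mail exchanger = 10 freemx2.sinamail.sina.com.cn.
ns2.sina.com.cn  internet address = 61.172.201.254
ns3.sina.com  internet address = 61.172.201.254
ns1.sina.com  internet address = 114.134.80.144
"""

MX_RE = re.compile(r"^(\S+)\s+mail exchanger = (\d+) (\S+)$", re.I)
A_RE = re.compile(r"^(\S+)\s+internet address = (\S+)$", re.I)

def mx_by_priority(text):
    """Return [(preference, host)], lowest preference (most preferred) first."""
    rows = [(int(m.group(2)), m.group(3).rstrip("."))
            for m in map(MX_RE.match, text.splitlines()) if m]
    return sorted(rows)

def shared_addresses(text):
    """Return {ip: [names]} for addresses that more than one name resolves to."""
    by_ip = defaultdict(list)
    for m in map(A_RE.match, text.splitlines()):
        if m:
            by_ip[m.group(2)].append(m.group(1))
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}
```

Two name server names on one address means the zone has fewer independent servers than the NS list suggests.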