
open DNS resolver check

DNS name servers that are reachable from the Internet by literally anyone, and that happily hand out information about your internal servers and networks, can be a great cheat sheet for an attacker.

So try to spot these things before an attacker does.

Scan your external IP ranges for DNS servers. Needless to say, this command must be run from a machine that is completely anonymous to the targets.

sudo nmap -sU -p 53 -vv -oG dns_found -iL pub_ip_ranges_20150730.txt

This will read each target network from pub_ip_ranges_20150730.txt, check if port UDP:53 is open there and add the output to the file dns_found.


Check whether the DNS servers found reveal internal information to the outside world

After a while (approx. 1h) the dns_found file will be ready for our next step.

The command below picks the hosts with an open DNS port out of dns_found and tries to get information about our [your internal domain name] domain from each of them.

for i in `cat dns_found | grep 53/open/udp | cut -f2 -d' '`; do echo -n "$i "; echo -n `host [your internal domain name] $i | grep "has address"`; echo ""; done | grep "[your internal domain name]" | cut -f1 -d' '

Needless to say, this test should NOT return any result. If it does, please double-check the reported IP with the command below.

host [your internal domain name] (ip reported from above)
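
The two steps above combined into one script, as an added example that is not part of the original page: it parses the grepable file, skips ports that nmap could only classify as open|filtered, and matches the domain literally instead of as a regular expression. The script name check_open_dns.sh and the domain internal.example are placeholders.

```shell
#!/bin/sh
# Added example, not the original author's script. internal.example is a placeholder.

# Print each IP in an nmap grepable (-oG) file whose UDP port 53 is "open".
# "open|filtered" means nmap got no reply, so it is not counted as a DNS server.
open_dns_hosts() {
    awk '$1 == "Host:" && /Ports: / {
        split($0, parts, "Ports: ")
        m = split(parts[2], ports, ", ")
        for (i = 1; i <= m; i++) {
            split(ports[i], f, "/")
            if (f[1] == "53" && f[2] == "open" && f[3] == "udp") { print $2; break }
        }
    }' "$1"
}

# Read `host` output on stdin and print "name address" for every A record that
# is the given domain or a name below it. The comparison is a literal suffix
# match, so "." is not a wildcard and notinternal.example does not match.
# Exit status 0 means at least one record was returned.
leaked_records() {
    awk -v d="$1" '
        BEGIN { d = tolower(d); sub(/\.$/, "", d); suffix = "." d }
        $2 == "has" && $3 == "address" {
            name = tolower($1); sub(/\.$/, "", name)
            tail = substr(name, length(name) - length(suffix) + 1)
            if (name == d || (length(name) > length(suffix) && tail == suffix)) {
                print $1, $4; found = 1
            }
        }
        END { exit !found }'
}

# Ask every open resolver for the internal domain; print the ones that answer.
check_resolvers() {
    for ip in $(open_dns_hosts "$1"); do
        if recs=$(host -W 3 "$2" "$ip" 2>/dev/null | leaked_records "$2"); then
            printf '%s answers for %s: %s\n' "$ip" "$2" "$(printf '%s' "$recs" | tr '\n' ' ')"
        fi
    done
}

# Usage: sh check_open_dns.sh dns_found internal.example
if [ "$#" -eq 2 ]; then
    check_resolvers "$1" "$2"
fi
```

As with the one-liner above, an empty output is the expected result.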

If you see internal machines with [your internal domain name] names and IPs scrolling across your screen, get in touch with the owner of the IP and tell him to STOP THIS RIGHT NOW.

As this is a security incident, you MUST create a PIR.