Andrax DIG tool tutorial – a complete guide to DNS information gathering

Introduction

📌 What is the DIG tool?

DIG (Domain Information Groper) is the DNS query utility that ships with ISC BIND and is bundled in the Andrax penetration testing platform. It lets security researchers, network administrators and red teamers:

  • query DNS records (A, MX, TXT and others)

  • detect DNS misconfigurations

  • verify how a name resolves

  • perform DNS enumeration and information gathering

dig -h
Usage:  dig [@global-server] [domain] [q-type] [q-class] {q-opt}
            {global-d-opt} host [@local-server] {local-d-opt}
            [ host [@local-server] {local-d-opt} [...]]
Where:  domain    is in the Domain Name System
        q-class  is one of (in,hs,ch,...) [default: in]
        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
                 (Use ixfr=version for type ixfr)
        q-opt    is one of:
                 -4                  (use IPv4 query transport only)
                 -6                  (use IPv6 query transport only)
                 -b address[#port]   (bind to source address/port)
                 -c class            (specify query class)
                 -f filename         (batch mode)
                 -k keyfile          (specify tsig key file)
                 -m                  (enable memory usage debugging)
                 -p port             (specify port number)
                 -q name             (specify query name)
                 -r                  (do not read ~/.digrc)
                 -t type             (specify query type)
                 -u                  (display times in usec instead of msec)
                 -x dot-notation     (shortcut for reverse lookups)
                 -y [hmac:]name:key  (specify named base64 tsig key)
        d-opt    is of the form +keyword[=value], where keyword is:
                 +[no]aaflag         (Set AA flag in query (+[no]aaflag))
                 +[no]aaonly         (Set AA flag in query (+[no]aaflag))
                 +[no]additional     (Control display of additional section)
                 +[no]adflag         (Set AD flag in query (default on))
                 +[no]all            (Set or clear all display flags)
                 +[no]answer         (Control display of answer section)
                 +[no]authority      (Control display of authority section)
                 +[no]badcookie      (Retry BADCOOKIE responses)
                 +[no]besteffort     (Try to parse even illegal messages)
                 +bufsize[=###]      (Set EDNS0 Max UDP packet size)
                 +[no]cdflag         (Set checking disabled flag in query)
                 +[no]class          (Control display of class in records)
                 +[no]cmd            (Control display of command line -
                                      global option)
                 +[no]comments       (Control display of packet header
                                      and section name comments)
                 +[no]cookie         (Add a COOKIE option to the request)
                 +[no]crypto         (Control display of cryptographic
                                      fields in records)
                 +[no]defname        (Use search list (+[no]search))
                 +[no]dns64prefix    (Get the DNS64 prefixes from ipv4only.arpa)
                 +[no]dnssec         (Request DNSSEC records)
                 +domain=###         (Set default domainname)
                 +[no]edns[=###]     (Set EDNS version) [0]
                 +ednsflags=###      (Set EDNS flag bits)
                 +[no]ednsnegotiation (Set EDNS version negotiation)
                 +ednsopt=###[:value] (Send specified EDNS option)
                 +noednsopt          (Clear list of +ednsopt options)
                 +[no]expandaaaa     (Expand AAAA records)
                 +[no]expire         (Request time to expire)
                 +[no]fail           (Don't try next server on SERVFAIL)
                 +[no]header-only    (Send query without a question section)
                 +[no]https[=###]    (DNS-over-HTTPS mode) [/]
                 +[no]https-get      (Use GET instead of default POST method while using HTTPS)
                 +[no]http-plain[=###]    (DNS over plain HTTP mode) [/]
                 +[no]http-plain-get      (Use GET instead of default POST method while using plain HTTP)
                 +[no]identify       (ID responders in short answers)
                 +[no]idnin          (Parse IDN names [default=on on tty])
                 +[no]idnout         (Convert IDN response [default=on on tty])
                 +[no]ignore         (Don't revert to TCP for TC responses.)
                 +[no]keepalive      (Request EDNS TCP keepalive)
                 +[no]keepopen       (Keep the TCP socket open between queries)
                 +[no]multiline      (Print records in an expanded format)
                 +ndots=###          (Set search NDOTS value)
                 +[no]nsid           (Request Name Server ID)
                 +[no]nssearch       (Search all authoritative nameservers)
                 +[no]onesoa         (AXFR prints only one soa record)
                 +[no]opcode=###     (Set the opcode of the request)
                 +padding=###        (Set padding block size [0])
                 +qid=###            (Specify the query ID to use when sending queries)
                 +[no]qr             (Print question before sending)
                 +[no]question       (Control display of question section)
                 +[no]raflag         (Set RA flag in query (+[no]raflag))
                 +[no]rdflag         (Recursive mode (+[no]recurse))
                 +[no]recurse        (Recursive mode (+[no]rdflag))
                 +retry=###          (Set number of UDP retries) [2]
                 +[no]rrcomments     (Control display of per-record comments)
                 +[no]search         (Set whether to use searchlist)
                 +[no]short          (Display nothing except short
                                      form of answers - global option)
                 +[no]showbadcookie  (Show BADCOOKIE message)
                 +[no]showsearch     (Search with intermediate results)
                 +[no]split=##       (Split hex/base64 fields into chunks)
                 +[no]stats          (Control display of statistics)
                 +subnet=addr        (Set edns-client-subnet option)
                 +[no]tcflag         (Set TC flag in query (+[no]tcflag))
                 +[no]tcp            (TCP mode (+[no]vc))
                 +timeout=###        (Set query timeout) [5]
                 +[no]tls            (DNS-over-TLS mode)
                 +[no]tls-ca[=file]  (Enable remote server's TLS certificate validation)
                 +[no]tls-hostname=hostname (Explicitly set the expected TLS hostname)
                 +[no]tls-certfile=file (Load client TLS certificate chain from file)
                 +[no]tls-keyfile=file (Load client TLS private key from file)
                 +[no]trace          (Trace delegation down from root [+dnssec])
                 +tries=###          (Set number of UDP attempts) [3]
                 +[no]ttlid          (Control display of ttls in records)
                 +[no]ttlunits       (Display TTLs in human-readable units)
                 +[no]unknownformat  (Print RDATA in RFC 3597 "unknown" format)
                 +[no]vc             (TCP mode (+[no]tcp))
                 +[no]yaml           (Present the results as YAML)
                 +[no]zflag          (Set Z flag in query)
        global d-opts and servers (before host name) affect all queries.
        local d-opts and servers (after host name) affect only that lookup.
        -h                           (print help and exit)
        -v                           (print version and exit)
╭─andrax@ANDRAX-Hackers-Platform ~ [21:42:11]
╰─➤

Core features and practical examples

1. Query A records (IPv4 addresses)

dig example.com A

2. Query MX records (mail servers)

dig example.com MX

3. Query TXT records (verification tokens, SPF, DKIM)

dig example.com TXT

Only the records at the zone apex come back here. DKIM keys live under <selector>._domainkey.example.com and the DMARC policy under _dmarc.example.com, so each needs its own TXT query.

4. Query NS records (authoritative name servers)

dig example.com NS

5. Query all record types

dig example.com ANY

Many servers now answer ANY with a minimal or synthetic response (RFC 8482), and some refuse it outright, so do not rely on it for enumeration; query the record types you need one by one.

6. Query a specific DNS server

dig @8.8.8.8 example.com  # use Google Public DNS

7. Reverse DNS lookup (IP address to name)

dig -x 8.8.8.8

8. Show only the short answer

dig +short example.com

9. Trace the resolution path (troubleshooting)

dig +trace example.com

🛠️ Advanced usage

1. Query a list of domains

while read -r domain; do
    [ -n "$domain" ] && dig +short "$domain"
done < domains.txt

dig also has a batch mode of its own: dig -f domains.txt +short treats each line of the file as one query.

2. Test for a zone transfer (AXFR) misconfiguration

dig @ns1.example.com example.com AXFR

Run this against every server returned by dig +short NS example.com, since a secondary may allow the transfer while the primary refuses it. A correctly configured server answers "; Transfer failed." (rcode REFUSED); a full listing of the zone means anyone can enumerate every host in it.
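The check above written out as a script. This is an added example, not code from the page or from Andrax: it lists the zone's NS records, attempts AXFR against each one, and decides from dig's own footer whether the transfer went through. example.com, its name servers and the two sample dig outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): test every authoritative name
# server of a zone for an open zone transfer. "example.com", "ns1/ns2.example.com"
# and the two sample dig outputs are constructed for illustration.

# Read dig AXFR output on stdin; succeed (exit 0) only if the transfer completed.
# dig ends a successful transfer with ";; XFR size: N records ..."; a refused or
# failed one prints "; Transfer failed." and no records.
axfr_succeeded() {
    grep -q '^;; XFR size:'
}

# Count the resource records in a transfer: every line that is not a ';' comment.
axfr_record_count() {
    grep -v '^;' | grep -c '[^[:space:]]'
}

# Live check: try AXFR against each NS of the zone (a transfer may be open on
# one secondary while the primary refuses it, so test all of them).
check_zone_transfer() {
    zone="$1"
    for ns in $(dig +short NS "$zone"); do
        out=$(dig "@$ns" "$zone" AXFR +time=5 +tries=1 2>/dev/null)
        if printf '%s\n' "$out" | axfr_succeeded; then
            echo "$ns OPEN: $(printf '%s\n' "$out" | axfr_record_count) records leaked"
        else
            echo "$ns refused"
        fi
    done
}

# Constructed sample: what dig prints when the transfer is allowed.
sample_open_axfr() {
cat <<'EOF'
; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com AXFR
; (1 server found)
;; global options: +cmd
example.com.        3600    IN  SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.        3600    IN  NS  ns1.example.com.
www.example.com.    3600    IN  A   192.0.2.10
dev.example.com.    3600    IN  A   192.0.2.11
example.com.        3600    IN  SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
;; SERVER: 192.0.2.1#53(ns1.example.com) (TCP)
;; WHEN: Mon Jan 01 12:00:00 UTC 2024
;; XFR size: 5 records (messages 1, bytes 210)
EOF
}

# Constructed sample: what dig prints when the server refuses the transfer.
sample_refused_axfr() {
cat <<'EOF'
; <<>> DiG 9.18.1 <<>> @ns2.example.com example.com AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.
EOF
}

# Usage: check_zone_transfer example.com
```

The decision is made on the ";; XFR size:" footer rather than on the presence of record lines, because a refused transfer still prints the dig banner and a partial transfer that was cut off never reaches the footer.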

3. Query DNSSEC records

dig example.com DS +dnssec

The DS record is published by the parent zone; +dnssec sets the DO bit so the RRSIG signatures come back with the answer. Look at the flags line of the header: "ad" means the resolver validated the response. dig example.com DNSKEY +dnssec fetches the zone's own keys.

4. Measure DNS response time

dig example.com | grep "Query time"

dig example.com +noall +stats prints only the statistics footer, which is handier in scripts.

5. Query over TCP

dig +tcp example.com

Use TCP when UDP/53 is filtered or when a large answer (AXFR, DNSSEC) will not fit in a UDP packet. dig already retries over TCP on its own when a reply comes back truncated (TC flag), unless +ignore is set.

📊 Reading the output

A full dig response contains these parts:

  • HEADER: opcode, status (NOERROR, NXDOMAIN, SERVFAIL, REFUSED) and the flags line; "aa" means the answer is authoritative, "ad" that the resolver validated it with DNSSEC

  • QUESTION SECTION: the query that was sent

  • ANSWER SECTION: the records that answer it

  • AUTHORITY SECTION: the name servers authoritative for the zone (or the SOA on a negative answer)

  • ADDITIONAL SECTION: extra records, typically addresses of the servers in the authority section

  • Query time: how long the query took

  • SERVER: the DNS server that answered
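A set of small parsers for these sections, added here as an example (not from the original page or from Andrax). They pull the status, the flags line (the "ad" check described under DNSSEC in the advanced section), the query time from the timing footer, the answering server and the answer records out of a full dig response, so a script can act on them instead of a person reading the screen. The sample response is constructed, including the RRSIG placeholder.

```shell
#!/bin/sh
# Added example (not from the original page): small parsers for the sections
# of a full dig response, so a script can decide on status, DNSSEC validation
# (the "ad" flag), query time and the answer records instead of eyeballing them.
# The sample response below is constructed; the RRSIG data is a placeholder.

# Each parser reads dig output on stdin.
dig_status()     { sed -n 's/.*status: \([A-Z]*\),.*/\1/p'; }
dig_flags()      { sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p'; }
dig_query_time() { sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p'; }
dig_server()     { sed -n 's/^;; SERVER: \([^ ]*\).*/\1/p'; }

# Exit 0 if the resolver set the AD (authenticated data) flag, i.e. it
# validated the answer with DNSSEC. "do" in the EDNS line only means we asked.
dig_has_ad() {
    dig_flags | tr ' ' '\n' | grep -qx ad
}

# Print the RDATA of every ANSWER SECTION record of the given type.
dig_answer_rdata() {
    awk -v want="$1" '
        /^;; ANSWER SECTION:/ { insec = 1; next }
        /^;;/ || /^$/         { insec = 0 }
        insec && $4 == want   { out = $5; for (i = 6; i <= NF; i++) out = out " " $i; print out }
    '
}

# Live report for one name: runs dig with +dnssec and summarises the response.
dig_report() {
    out=$(dig +dnssec "$1" A)
    echo "status:     $(printf '%s\n' "$out" | dig_status)"
    echo "server:     $(printf '%s\n' "$out" | dig_server)"
    echo "query time: $(printf '%s\n' "$out" | dig_query_time) ms"
    if printf '%s\n' "$out" | dig_has_ad; then
        echo "dnssec:     validated (ad flag set)"
    else
        echo "dnssec:     not validated"
    fi
    echo "A records:  $(printf '%s\n' "$out" | dig_answer_rdata A | tr '\n' ' ')"
}

# Constructed sample of a validated response to: dig +dnssec example.com A
sample_dnssec_response() {
cat <<'EOF'
; <<>> DiG 9.18.1 <<>> +dnssec example.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;example.com.            IN  A

;; ANSWER SECTION:
example.com.    300 IN  A   192.0.2.10
example.com.    300 IN  RRSIG   A 13 2 300 20240201000000 20240101000000 12345 example.com. PLACEHOLDERSIGNATURE==

;; Query time: 23 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Jan 01 12:00:00 UTC 2024
;; MSG SIZE  rcvd: 200
EOF
}

# Usage: dig_report example.com
```

Note the distinction the parser makes: "do" in the OPT pseudosection is the bit dig set in the request, while "ad" in the header flags is the resolver's statement that it validated the chain. Only the latter tells you anything about the answer.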


🔍 Practical scenarios

1. Information gathering during a penetration test

dig +short google.com A  # IP addresses
dig +short google.com MX | sort -n | cut -d' ' -f2  # mail servers, lowest preference value first

2. Troubleshooting name resolution

dig +trace example.com  # walk the delegation from the root servers down

+trace queries the root, TLD and authoritative servers directly rather than your resolver, so it needs unfiltered outbound DNS, and it shows exactly where a delegation breaks.

3. Checking for subdomain takeover

dig CNAME suspicious-subdomain.example.com

A subdomain is a takeover candidate when its CNAME points at a third-party host that no longer exists (resolving it returns NXDOMAIN) and the provider lets a new customer claim that name. The CNAME alone is not a finding; confirm that the target is dangling.
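The dangling-target check as a script, added here as an example (not from the page or from Andrax). It resolves each hostname for an A record and flags it when the resolver answers NXDOMAIN while still returning a CNAME in the answer section, which is how a stale alias shows up. The hostnames, the hosting provider and both sample responses are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): flag subdomains whose CNAME
# chain ends in NXDOMAIN, the usual first signal of a takeover candidate.
# Hostnames, the provider name and the two sample responses are constructed.

# Read the full output of "dig <host> A" on stdin. If the name is a CNAME
# and the resolver answered NXDOMAIN, print the final CNAME target and exit 0;
# otherwise exit 1. Resolvers return the CNAME chain in the ANSWER SECTION
# even when the target does not exist, so one query is enough.
dangling_from_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    target=$(printf '%s\n' "$out" | awk '$3 == "IN" && $4 == "CNAME" { t = $5 } END { if (t != "") print t }')
    [ -n "$target" ] && [ "$status" = "NXDOMAIN" ] && printf '%s\n' "$target"
}

# Live check over a list of hostnames on stdin, one per line.
# A DANGLING hit is a candidate only; whether anyone can claim the target
# depends on the third-party service it points to.
check_subdomains() {
    while read -r host; do
        [ -z "$host" ] && continue
        if target=$(dig "$host" A | dangling_from_output); then
            echo "$host -> $target  DANGLING (target is NXDOMAIN)"
        else
            echo "$host ok"
        fi
    done
}

# Constructed sample: a stale CNAME to a host the provider has deleted.
sample_dangling_output() {
cat <<'EOF'
; <<>> DiG 9.18.1 <<>> old-blog.example.com A
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;old-blog.example.com.      IN  A

;; ANSWER SECTION:
old-blog.example.com.   300 IN  CNAME   tenant-42.hosting.example.net.

;; AUTHORITY SECTION:
hosting.example.net.    600 IN  SOA ns1.hosting.example.net. hostmaster.hosting.example.net. 1 7200 900 1209600 600

;; Query time: 30 msec
EOF
}

# Constructed sample: a healthy CNAME that resolves to an address.
sample_healthy_output() {
cat <<'EOF'
; <<>> DiG 9.18.1 <<>> www.example.com A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1235
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.com.        300 IN  CNAME   edge.cdn.example.net.
edge.cdn.example.net.   60  IN  A       192.0.2.20

;; Query time: 18 msec
EOF
}

# Usage: printf 'old-blog.example.com\nwww.example.com\n' | check_subdomains
```

Feed it the subdomain list from your enumeration step; every line it marks DANGLING still has to be checked by hand against the provider, since some services reject names that were never registered with them and others hand them out to the next account that asks.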

4. Verifying a CDN configuration

dig +short www.cloudflare.com A

+short prints the CNAME chain before the final addresses, so you can see whether the name is fronted by the CDN hostname you expect. Querying through several resolvers (dig @8.8.8.8 ... and dig @1.1.1.1 ...) shows whether the CDN hands out different edge addresses depending on where the query comes from.

💡 Tips

  1. Combine with other tools

    dig +short example.com | xargs -I{} whois {}

  2. Save the results

    dig example.com > dns_results.txt

  3. Colourise the output (install the ccze tool first)

    dig example.com | ccze -A

⚠️ Notes

  • Avoid hammering one DNS server with rapid queries; it may rate-limit or block you

  • Some queries (such as AXFR) are restricted to authorised hosts, and a refusal is the expected result

  • Corporate internal DNS may require authentication or access from inside the network


📚 Further reading

  • Official documentation: man dig

  • DNS protocol: RFC 1034/1035

  • Security topics: DNS hijacking, cache poisoning


Once you are comfortable with dig you can handle DNS information gathering and troubleshooting efficiently. On the Andrax platform it is usually combined with other tools (nslookup, whois) into a complete workflow.
