Case file

Authoritative DNS TXT disclosure for a gated domain query

Foundations network engagement: host answered DNS only for givemetheflag.com; dig/nslookup against the target returned a TXT record containing the secret.

Foundations12 minDNS · Network Enumeration · Information Disclosure
01

Engagement summary

Nmap showed SSH only; querying the host as a resolver for givemetheflag.com returned an authoritative TXT with the engagement artifact.

DIG DUG presented as a DNS server that ignored generic probes. TCP scan listed OpenSSH on 22; UDP/53 did not advertise usefully via default nmap. Per engagement scope, dig givemetheflag.com @TARGET returned aa NOERROR with a TXT answer carrying the secret. nslookup against the same server confirmed the record.

Business impact

DNS is a data channel. Secrets in TXT/zone data are world-readable to anyone who can query the resolver. Keep flags and credentials out of DNS; restrict recursion and zone transfers; monitor anomalous queries for canary domains.

02

Targeted dig against the host resolver

dig/nslookup for givemetheflag.com @host returned the TXT secret.

OPERATOR · DNS

savvy@lab:~$ nmap -sV 10.49.173.146

22/tcp open ssh OpenSSH 8.2p1

savvy@lab:~$ dig givemetheflag.com @10.49.173.146

givemetheflag.com. 0 IN TXT "flag{0767ccd06e79853318f25aeb08ff83e2}"

savvy@lab:~$ nslookup givemetheflag.com 10.49.173.146

text = flag{0767ccd06e79853318f25aeb08ff83e2}

Remediation

Do not store secrets in DNS. Split public/private zones; disable open recursion; alert on queries for internal canary names from untrusted networks.