Authoritative DNS TXT disclosure for a gated domain query
Foundations network engagement: host answered DNS only for givemetheflag.com; dig/nslookup against the target returned a TXT record containing the secret.
- Case files
- Authoritative DNS TXT disclosure for a gated domain query
Nmap showed SSH only; querying the host as a resolver for givemetheflag.com returned an authoritative TXT with the engagement artifact.
dig/nslookup for givemetheflag.com @host returned the TXT secret.
Engagement summary
Nmap showed SSH only; querying the host as a resolver for givemetheflag.com returned an authoritative TXT with the engagement artifact.
DIG DUG presented as a DNS server that ignored generic probes. TCP scan listed OpenSSH on 22; UDP/53 did not advertise usefully via default nmap. Per engagement scope, dig givemetheflag.com @TARGET returned aa NOERROR with a TXT answer carrying the secret. nslookup against the same server confirmed the record.
Business impact
DNS is a data channel. Secrets in TXT/zone data are world-readable to anyone who can query the resolver. Keep flags and credentials out of DNS; restrict recursion and zone transfers; monitor anomalous queries for canary domains.
Targeted dig against the host resolver
dig/nslookup for givemetheflag.com @host returned the TXT secret.
OPERATOR · DNS
savvy@lab:~$ nmap -sV 10.49.173.146
22/tcp open ssh OpenSSH 8.2p1
savvy@lab:~$ dig givemetheflag.com @10.49.173.146
givemetheflag.com. 0 IN TXT "flag{0767ccd06e79853318f25aeb08ff83e2}"
savvy@lab:~$ nslookup givemetheflag.com 10.49.173.146
text = flag{0767ccd06e79853318f25aeb08ff83e2}
Remediation
Do not store secrets in DNS. Split public/private zones; disable open recursion; alert on queries for internal canary names from untrusted networks.