Locate Domain Controllers (DCs)
- Clients don’t know which DC to talk to initially. They ask DNS to find an SRV record for the domain controller.
Locate Network Services
- AD registers services (like LDAP, Kerberos, file servers) in DNS as SRV records.
Example:
_ldap._tcp.dc._msdcs.company.local
- _ldap = protocol (LDAP)
- _tcp = transport
- dc = domain controller
- company.local = domain
Internal Network Namespace
- Private networks often use internal domains like company.local or corp.example.com. AD clients query this internal DNS, not external internet DNS.
Ports
UDP 53: Default for normal DNS queries (hostname to IP, SRV lookups for DC and services)
TCP 53: Used when:
- DNS responses are > 512 bytes
- Zone transfers between DNS servers (AXFR/IXFR) for replication
Forward DNS Lookup
Converts a domain name to an IP address. Example:
PS C:\htb> nslookup INLANEFREIGHT.LOCAL
Server: 172.16.6.5
Address: 172.16.6.5
Name: INLANEFREIGHT.LOCAL
Address: 172.16.6.5
Used by clients to locate Domain Controllers for authentication and Kerberos ticket requests.
Reverse DNS Lookup
Converts an IP address to a hostname. Example:
PS C:\htb> nslookup 172.16.6.5
Server: 172.16.6.5
Address: 172.16.6.5
Name: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
Address: 172.16.6.5
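As an added example (not part of the original notes), here is a small Python model of what a client does with the records described in the SRV and reverse-lookup sections: it splits a DC-locator SRV name into its parts, picks a target from a set of SRV answers the way RFC 2782 prescribes (lowest priority first, then weighted choice among equals), and derives the PTR name a reverse lookup asks for. The SRV answers are constructed sample data, and the function and class names (SrvRecord, parse_dc_srv_name, select_target, reverse_name) are this example's own, not a library API.

```python
import ipaddress
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One SRV answer: priority and weight drive selection, port/target say where to connect."""
    priority: int
    weight: int
    port: int
    target: str


def parse_dc_srv_name(name: str) -> dict:
    """Split an AD DC-locator name such as _ldap._tcp.dc._msdcs.company.local
    into service, transport, role and domain. Raises on non-_msdcs names."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 5 or labels[3].lower() != "_msdcs":
        raise ValueError(f"not a DC-locator SRV name: {name}")
    return {
        "service": labels[0],      # _ldap, _kerberos, ...
        "transport": labels[1],    # _tcp or _udp
        "role": labels[2],         # dc (domain controller)
        "domain": ".".join(labels[4:]),
    }


def select_target(records: list, rng=random.random) -> SrvRecord:
    """RFC 2782 selection: only the lowest-priority records are eligible; among
    them pick one at random in proportion to weight (simplified: zero weights
    are not moved to the front). rng is injectable so the choice is testable."""
    if not records:
        raise ValueError("no SRV records returned")
    best = min(r.priority for r in records)
    pool = [r for r in records if r.priority == best]
    total = sum(r.weight for r in pool)
    if total == 0:
        return pool[0]
    pick = rng() * total
    running = 0
    for r in pool:
        running += r.weight
        if pick < running:
            return r
    return pool[-1]


def reverse_name(ip: str) -> str:
    """PTR owner name queried by a reverse lookup, e.g. 5.6.16.172.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


# Constructed sample answers for _ldap._tcp.dc._msdcs.inlanefreight.local.
SAMPLE_DC_RECORDS = [
    SrvRecord(0, 100, 389, "ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL"),
    SrvRecord(10, 100, 389, "ACADEMY-EA-DC02.INLANEFREIGHT.LOCAL"),  # backup site
    SrvRecord(0, 50, 389, "ACADEMY-EA-DC03.INLANEFREIGHT.LOCAL"),
]
```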
Finding IP of a Host
You can look up the IP of a specific host with or without specifying the FQDN:
PS C:\htb> nslookup ACADEMY-EA-DC01
Server: 172.16.6.5
Address: 172.16.6.5
Name: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
Address: 172.16.6.5