As I continue down the path of trying to transition into InfoSec and studying for my OSCP exam, I thought I’d take advantage of what I’m doing here and make it a study habit for myself. I thought about starting with a deep dive into nc, but that seems like jumping straight into the deep end. Let’s start with host and see where this takes me.

Overview

The host command is a simple DNS lookup utility, similar to dig and nslookup, each of which I’ve used a few times but have yet to tap the full potential of. host is normally used to convert names to IP addresses and vice versa. It is maintained by the Internet Systems Consortium and ships as part of the BIND 9 distribution, first released in 2000; on most Linux distributions it is packaged separately as bind9-host or bind-utils. Sadly, I couldn’t find the source code anywhere.

Usage

Running host with no arguments prints a usage summary.

host
Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time]
            [-R number] [-m flag] hostname [server]
       -a is equivalent to -v -t ANY
       -c specifies query class for non-IN data
       -C compares SOA records on authoritative nameservers
       -d is equivalent to -v
       -i IP6.INT reverse lookups
       -l lists all hosts in a domain, using AXFR
       -m set memory debugging flag (trace|record|usage)
       -N changes the number of dots allowed before root lookup is done
       -r disables recursive processing
       -R specifies number of retries for UDP packets
       -s a SERVFAIL response should stop query
       -t specifies the query type
       -T enables TCP/IP mode
       -U enables UDP mode
       -v enables verbose output
       -V print version number and exit
       -w specifies to wait forever for a reply
       -W specifies how long to wait for a reply
       -4 use IPv4 query transport only
       -6 use IPv6 query transport only
I won’t go over every flag here, but rather some basic examples that you can build off of.

Examples

As the man page states, it’s commonly used to convert names to IP addresses. Let’s give that a go.

host drt.sh
drt.sh has address 167.99.103.200
drt.sh mail is handled by 20 mailsec.protonmail.ch.
drt.sh mail is handled by 10 mail.protonmail.ch.

Using drt.sh as an example, the default lookup returned the A record and the MX records (with no -t given, host queries for the A, AAAA and MX records of the name). If we only wanted the MX records, we could use the -t flag to narrow it down. The same flag displays record types that a default lookup doesn’t show, such as the NS records.

host -t mx drt.sh
drt.sh mail is handled by 10 mail.protonmail.ch.
drt.sh mail is handled by 20 mailsec.protonmail.ch.
host -t ns drt.sh
drt.sh name server ns3.digitalocean.com.
drt.sh name server ns1.digitalocean.com.
drt.sh name server ns2.digitalocean.com.

Let’s try a reverse lookup, the other half of this utility. To give an idea of what the output can look like, here are a few IP addresses that will be tested against, along with the domain name or hostname each one belongs to.

IP Address       Domain Name               Hostname
167.99.103.200   drt.sh
172.217.8.206    google.com
192.168.1.5      none (local server IP)    tanuki

This site results in a “not found”; the IP address used for google.com is…not…google.com (although the URL points to a 404 webpage owned by Google); and my local server seems to work just fine (๑•̀ㅂ•́)و

Results like the first two are normal: a PTR record lives in the in-addr.arpa (or ip6.arpa) tree, which is controlled by whoever holds the address block, not in the forward zone. Forward and reverse names are therefore set independently and need not match, and a missing PTR says nothing about whether the forward name exists.

host 167.99.103.200
Host 200.103.99.167.in-addr.arpa. not found: 3(NXDOMAIN)
host 172.217.8.206
206.8.217.172.in-addr.arpa domain name pointer ord37s09-in-f14.1e100.net.
host 192.168.1.5
5.1.168.192.in-addr.arpa domain name pointer tanuki.
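To make the output above less magic, here is an added example (my own, not code from the original post or from BIND’s host) that rebuilds the reverse-lookup name host sends when it is handed an address: the four octets reversed under in-addr.arpa for IPv4, and all 32 hex nibbles, least significant first, under ip6.arpa for IPv6. The optional second argument selects the obsolete ip6.int tree that the -i flag queries. The function name and the 2001:db8::1 address are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original post or of BIND's host: rebuild the
# reverse-lookup name that host sends when handed an address.
#
# reverse_name ADDRESS [arpa|int]
#   IPv4: the four octets reversed under in-addr.arpa.
#   IPv6: all 32 hex nibbles, least significant first, under ip6.arpa
#         (ip6.int is the obsolete tree that host's -i flag queries).

reverse_name() {
  rn_addr=$1
  rn_tree=${2:-arpa}
  case $rn_addr in
    *:*)
      printf '%s\n' "$rn_addr" | awk -v tree="$rn_tree" '
        {
          a = tolower($0)
          # Expand "::" into however many zero groups are missing.
          n = split(a, half, "::")
          if (n == 2) {
            nl = (half[1] == "") ? 0 : split(half[1], L, ":")
            nr = (half[2] == "") ? 0 : split(half[2], R, ":")
            g = 0
            for (i = 1; i <= nl; i++) G[++g] = L[i]
            for (i = nl + nr; i < 8; i++) G[++g] = "0"
            for (i = 1; i <= nr; i++) G[++g] = R[i]
          } else {
            g = split(a, G, ":")
          }
          if (g != 8) { print "bad IPv6 address: " $0 > "/dev/stderr"; exit 1 }
          out = ""
          # Walk the groups from last to first and each group from its lowest
          # nibble to its highest: the whole 32-nibble string is reversed.
          for (i = 8; i >= 1; i--) {
            h = G[i]
            while (length(h) < 4) h = "0" h
            for (j = 4; j >= 1; j--) out = out substr(h, j, 1) "."
          }
          print out "ip6." tree
        }'
      ;;
    *)
      printf '%s\n' "$rn_addr" | awk -F. '
        NF != 4 { print "bad IPv4 address: " $0 > "/dev/stderr"; exit 1 }
        { printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
      ;;
  esac
}

# Demo on the addresses used in this post plus one documentation IPv6 address.
reverse_name 167.99.103.200   # 200.103.99.167.in-addr.arpa
reverse_name 192.168.1.5      # 5.1.168.192.in-addr.arpa
reverse_name 2001:db8::1      # 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
```

The name printed for an IPv4 address is exactly the one host reported as “not found” for 167.99.103.200 above; for IPv6 you can compare against `host -v` on the same address to see the same 32-label query name go out.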

If you want to see a list of all the hosts in a domain, you can pass the -l option together with one of the domain’s authoritative name servers. host then requests a zone transfer (AXFR) over TCP and prints every record the server hands back, which is why a server that answers AXFR for anyone gives away its complete zone, internal hostnames included. I won’t go into it here as that’s out of scope, but I recommend looking into zone transfers, why they’re so important, and how they can be abused.

host -l drt.sh ns3.digitalocean.com.
Using domain server:
Name: ns3.digitalocean.com.
Address: 198.41.222.173#53
Aliases:

Host drt.sh not found: 4(NOTIMP)
; Transfer failed.
No dice, 残念 (too bad). Not surprising, though, as most domains will have this blocked, which leaves the -l option useless against them. Note that an authoritative server was named explicitly: a zone transfer has to be requested from a server that is authoritative for the zone, which your recursive resolver isn’t, and since each authoritative server is configured on its own it is worth trying every NS record rather than just one. For an example of what it can look like, I found a domain with a working example.
host -l zonetransfer.me nsztm1.digi.ninja.
Using domain server:
Name: nsztm1.digi.ninja.
Address: 81.4.108.41#53
Aliases:

zonetransfer.me has address 5.196.105.14
zonetransfer.me name server nsztm1.digi.ninja.
zonetransfer.me name server nsztm2.digi.ninja.
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me domain name pointer www.zonetransfer.me.
asfdbbox.zonetransfer.me has address 127.0.0.1
canberra-office.zonetransfer.me has address 202.14.81.230
dc-office.zonetransfer.me has address 143.228.181.132
deadbeef.zonetransfer.me has IPv6 address dead:beaf::
email.zonetransfer.me has address 74.125.206.26
home.zonetransfer.me has address 127.0.0.1
internal.zonetransfer.me name server intns1.zonetransfer.me.
internal.zonetransfer.me name server intns2.zonetransfer.me.
intns1.zonetransfer.me has address 81.4.108.41
intns2.zonetransfer.me has address 167.88.42.94
office.zonetransfer.me has address 4.23.39.254
ipv6actnow.org.zonetransfer.me has IPv6 address 2001:67c:2e8:11::c100:1332
owa.zonetransfer.me has address 207.46.197.32
alltcpportsopen.firewall.test.zonetransfer.me has address 127.0.0.1
vpn.zonetransfer.me has address 174.36.59.154
www.zonetransfer.me has address 5.196.105.14
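Since each authoritative server decides for itself whether to answer AXFR, the check a tester actually wants is one `host -l` attempt per NS record, not just one server. The script below is an added example (mine, not code from the original post or from BIND’s host): it classifies `host -l` output as open or closed, reduces an open transfer to a plain “name address” inventory, and wraps both in a sweep over every name server of a zone. The sample outputs in it are constructed, not captured from any real server, and use the example.com / 192.0.2.0/24 / 2001:db8::/32 documentation names and ranges; the function names and the ZONE variable are my own.

```shell
#!/bin/sh
# Added example, not part of the original post or of BIND's host: sweep every
# authoritative name server of a zone with `host -l` and report which ones
# hand the zone out.

# Read `host -l ZONE SERVER` output on stdin and print OPEN when the server
# returned zone records, CLOSED when it refused, failed or returned nothing.
axfr_classify() {
  awk '
    /^; Transfer failed/ || / not found: / { failed = 1 }
    / has (IPv6 )?address | name server | domain name pointer | mail is handled by / { records++ }
    END {
      if (records > 0 && !failed) print "OPEN"; else print "CLOSED"
    }'
}

# Reduce an open transfer to "name address" lines (A and AAAA records only).
axfr_hosts() {
  awk '/ has (IPv6 )?address / { print $1, $NF }'
}

# Live sweep: look up the NS records with host, then try AXFR against each one.
# Needs the host binary and network access, so it only runs when ZONE is set.
axfr_sweep() {
  sw_zone=$1
  host -t ns "$sw_zone" | awk '/ name server / { print $NF }' | while read -r sw_ns; do
    sw_out=$(host -l "$sw_zone" "$sw_ns" 2>&1)
    sw_state=$(printf '%s\n' "$sw_out" | axfr_classify)
    printf '%s %s\n' "$sw_ns" "$sw_state"
    if [ "$sw_state" = OPEN ]; then
      printf '%s\n' "$sw_out" | axfr_hosts | sed 's/^/    /'
    fi
  done
}

# Constructed sample outputs (not captured from any real server) so the
# classifier can be exercised offline; example.com, 192.0.2.0/24 and
# 2001:db8::/32 are reserved documentation names and ranges.
sample_closed='Using domain server:
Name: ns1.example.net.
Address: 192.0.2.53#53
Aliases:

Host example.com not found: 5(REFUSED)
; Transfer failed.'

sample_open='Using domain server:
Name: ns2.example.net.
Address: 192.0.2.54#53
Aliases:

example.com has address 192.0.2.10
example.com name server ns1.example.net.
example.com name server ns2.example.net.
example.com mail is handled by 10 mx.example.com.
www.example.com has address 192.0.2.10
vpn.example.com has IPv6 address 2001:db8::1'

printf '%s\n' "$sample_closed" | axfr_classify   # CLOSED
printf '%s\n' "$sample_open" | axfr_classify     # OPEN
printf '%s\n' "$sample_open" | axfr_hosts        # three "name address" lines

# Usage: ZONE=zonetransfer.me sh axfr_sweep.sh
if [ -n "${ZONE:-}" ]; then
  axfr_sweep "$ZONE"
fi
```

Run with `ZONE=zonetransfer.me` to reproduce the transfer above for both of its name servers; against a zone like drt.sh every line should come back CLOSED. The classifier treats any explicit failure text as closed even if a few records were printed, which is the conservative reading when a server starts a transfer and then aborts it.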

For the last example, we can have host return oodles of information by sending an ANY query. To do this, pass the -a option, which is equivalent to -v -t ANY, but that’s a lot of keystrokes, eh? Two caveats: the answer comes from whichever server replied (the last line of the output names it, here the local recursive resolver), so it reflects that server’s cache rather than the authoritative zone, and many servers now refuse ANY or reply with a placeholder HINFO record (RFC 8482). A thin ANY answer therefore doesn’t mean the zone is empty; query the types you care about individually with -t.

host -a drt.sh
Trying "drt.sh"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7817
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 6

;; QUESTION SECTION:
;drt.sh.                                IN      ANY

;; ANSWER SECTION:
drt.sh.                 3600    IN      TXT     "v=spf1 include:_spf.protonmail.ch mx ~all"
drt.sh.                 3600    IN      TXT     "protonmail-verification=512fcc96d3a38984dd285faa82dcf62b7743db18"
drt.sh.                 14400   IN      MX      20 mailsec.protonmail.ch.
drt.sh.                 14400   IN      MX      10 mail.protonmail.ch.
drt.sh.                 1800    IN      SOA     ns1.digitalocean.com. hostmaster.drt.sh. 1575061248 10800 3600 604800 1800
drt.sh.                 3600    IN      A       167.99.103.200
drt.sh.                 1800    IN      NS      ns3.digitalocean.com.
drt.sh.                 1800    IN      NS      ns2.digitalocean.com.
drt.sh.                 1800    IN      NS      ns1.digitalocean.com.

;; ADDITIONAL SECTION:
ns1.digitalocean.com.   873     IN      A       173.245.58.51
ns2.digitalocean.com.   161926  IN      A       173.245.59.41
ns3.digitalocean.com.   81895   IN      A       198.41.222.173
ns1.digitalocean.com.   81895   IN      AAAA    2400:cb00:2049:1::adf5:3a33
ns2.digitalocean.com.   81895   IN      AAAA    2400:cb00:2049:1::adf5:3b29
ns3.digitalocean.com.   81895   IN      AAAA    2400:cb00:2049:1::c629:dead

Received 478 bytes from 10.211.55.1#53 in 191 ms

This is my first time really diving into the world of networking utilities. I apologize if there are some misconceptions or flat out wrong information out there. I will do my best to update this post as I dive deeper into networking tools. Keep an eye out as I stray a bit from the GNU coreutils and jump into some not-so-every-day-use utilities. Cheers!

References