DNS Enumeration

dig - DNS Zone Transfers

Find nameservers

dig ns [domain]
dig ns [domain] @[dns-server]

Attempt zone transfer (AXFR)

dig axfr @[dns-server] [domain]
dig axfr @[nameserver] [domain]

Example:

dig axfr @10.10.10.13 megacorpone.com

Query specific record types

dig @[dns-server] [domain] ANY
dig @[dns-server] [domain] A
dig @[dns-server] [domain] AAAA
dig @[dns-server] [domain] MX
dig @[dns-server] [domain] TXT
dig @[dns-server] [domain] SOA
dig @[dns-server] [domain] CNAME
dig @[dns-server] [domain] NS
dig @[dns-server] [domain] PTR

Reverse DNS lookup

dig -x [ip-address] @[dns-server]

Short output (just the answer)

dig +short [domain]
dig +short @[dns-server] [domain]

Trace DNS path

dig +trace [domain]

Verbose output

dig +trace +additional [domain]

dnsenum

Basic enumeration with wordlist

dnsenum --dnsserver [target ip] --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt [TLD domain]

Attempt zone transfer

dnsenum --enum [domain]

Full enumeration

dnsenum [domain]

dnsrecon

Basic reconnaissance

dnsrecon -d [domain]

Reverse DNS lookup for range

dnsrecon -r [range] -n [dns host ip] -d [domain]

Range should be the network, so something like 127.0.0.0/24 when on the same network
-d is not really useful here but it's a required flag - can fill with garbage

Attempt zone transfer

dnsrecon -d [domain] -t axfr

Zone transfer against all NS records

dnsrecon -d [domain] -a

Bruteforce subdomains

dnsrecon -d [domain] -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt

Standard record enumeration

dnsrecon -d [domain] -t std

Google enumeration

dnsrecon -d [domain] -t goo

host

Simple lookup

host [domain]
host [domain] [dns-server]

Specific record type

host -t ns [domain]
host -t mx [domain]
host -t txt [domain]

Zone transfer attempt

host -l [domain] [dns-server]

nslookup

Interactive mode

nslookup
> server [dns-server]
> set type=any
> [domain]

Command line

nslookup [domain]
nslookup [domain] [dns-server]

Zone transfer

nslookup
> server [dns-server]
> set type=any
> ls -d [domain]

fierce

Basic domain scan

fierce --domain [domain]

With DNS server

fierce --domain [domain] --dns-servers [dns-server]

Subdomain bruteforce

fierce --domain [domain] --subdomain-file /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

Zone Transfer Attack Workflow

Identify DNS servers:

dig ns [domain]
nslookup -type=ns [domain]
host -t ns [domain]

Attempt zone transfer on each nameserver:

dig axfr @[nameserver1] [domain]
dig axfr @[nameserver2] [domain]

If successful, save output:

dig axfr @[nameserver] [domain] > zone_transfer.txt

Parse results for hosts/IPs:

cat zone_transfer.txt | grep -E "^[a-zA-Z0-9]" | awk '{print $1}' | sort -u

Subdomain Enumeration

Using dig with wordlist

for sub in $(cat subdomains.txt); do dig +short $sub.[domain]; done

Using host with wordlist

for sub in $(cat subdomains.txt); do host $sub.[domain]; done | grep "has address"

DNS Cache Snooping

dig @[dns-server] [domain] +norecurse

Common DNS Record Types

Record Type

Description

IPv4 address

AAAA

IPv6 address

CNAME

Canonical name (alias)

Mail exchange servers

Nameservers

TXT

Text records (often SPF, DKIM, etc.)

SOA

Start of authority

PTR

Pointer for reverse DNS

SRV

Service records

CAA

Certificate authority authorization

Tips

Always try zone transfers first - it's the easiest way to get complete DNS data
If zone transfer fails, use subdomain bruteforcing
Check multiple nameservers - misconfiguration might exist on one but not others
Look for interesting TXT records (might contain sensitive info)
Check for wildcard DNS entries
Verify reverse DNS for discovered IPs

PreviousTools NextShells

Last updated 1 month ago

hashtagdig - DNS Zone Transfers

hashtagFind nameservers

hashtagAttempt zone transfer (AXFR)

hashtagQuery specific record types

hashtagReverse DNS lookup

hashtagShort output (just the answer)

hashtagTrace DNS path

hashtagVerbose output

hashtagdnsenum

hashtagBasic enumeration with wordlist

hashtagAttempt zone transfer

hashtagFull enumeration

hashtagdnsrecon

hashtagBasic reconnaissance

hashtagReverse DNS lookup for range

hashtagAttempt zone transfer

hashtagZone transfer against all NS records

hashtagBruteforce subdomains

hashtagStandard record enumeration

hashtagGoogle enumeration

hashtaghost

hashtagSimple lookup

hashtagSpecific record type

hashtagZone transfer attempt

hashtagnslookup

hashtagInteractive mode

hashtagCommand line

hashtagZone transfer

hashtagfierce

hashtagBasic domain scan

hashtagWith DNS server

hashtagSubdomain bruteforce

hashtagZone Transfer Attack Workflow

hashtagSubdomain Enumeration

hashtagUsing dig with wordlist

hashtagUsing host with wordlist

hashtagDNS Cache Snooping

hashtagCommon DNS Record Types

hashtagTips

dig - DNS Zone Transfers

Find nameservers

Attempt zone transfer (AXFR)

Query specific record types

Reverse DNS lookup

Short output (just the answer)

Trace DNS path

Verbose output

dnsenum

Basic enumeration with wordlist

Attempt zone transfer

Full enumeration

dnsrecon

Basic reconnaissance

Reverse DNS lookup for range

Attempt zone transfer

Zone transfer against all NS records

Bruteforce subdomains

Standard record enumeration

Google enumeration

host

Simple lookup

Specific record type

Zone transfer attempt

nslookup

Interactive mode

Command line

Zone transfer

fierce

Basic domain scan

With DNS server

Subdomain bruteforce

Zone Transfer Attack Workflow

Subdomain Enumeration

Using dig with wordlist

Using host with wordlist

DNS Cache Snooping

Common DNS Record Types

Tips