DNS
Auto
Tools that run an automatic enumeration of a domain.
DNSrecon
Standard scan: discovers SOA, NS, A, AAAA, MX and SRV records, trying AXFR against the NS servers first and enumerating record by record if the transfer fails:
dnsrecon -d <DOMAIN> -t std
Zone Transfer
Perform an AXFR query to transfer the full zone from misconfigured NS servers that allow zone transfers to arbitrary clients.
Linux Built-in
dig -t AXFR <DOMAIN NAME> @<NAMESERVER>
host -t axfr <DOMAIN NAME> <NAMESERVER>
DNSrecon
dnsrecon -d <DOMAIN> -t axfr
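The same check as a script, as an added example that is not part of the original notes: it looks up every NS record of the domain, attempts AXFR against each one with dig, and parses dig's output to tell a refused transfer (dig prints "; Transfer failed.") from a real one. It assumes dig is installed and DNS is reachable; the function names are ours.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): try AXFR against every
# authoritative nameserver of a domain and report which ones allow it.
# Assumes dig (dnsutils / bind-utils) is installed and DNS is reachable.

# Return success if the captured "dig -t AXFR" output ($1) is a real
# transfer. dig prints "; Transfer failed." when a server refuses, and a
# successful transfer contains at least one record line that is not a
# ";" comment.
axfr_succeeded() {
    if printf '%s\n' "$1" | grep -q '^; Transfer failed\.'; then
        return 1
    fi
    n=$(printf '%s\n' "$1" | grep -Ev '^(;|$)' | wc -l | tr -d ' ')
    [ "$n" -gt 0 ]
}

# Print the unique owner names from a successful AXFR output ($1),
# with the trailing dot stripped.
axfr_names() {
    printf '%s\n' "$1" | grep -Ev '^(;|$)' | awk '{ print $1 }' \
        | sed 's/\.$//' | sort -u
}

# Look up the NS records of $1 and attempt a zone transfer from each.
check_zone_transfer() {
    domain=$1
    for ns in $(dig +short NS "$domain"); do
        out=$(dig +time=5 +tries=1 -t AXFR "$domain" "@$ns" 2>&1 || true)
        if axfr_succeeded "$out"; then
            echo "[+] $ns allows AXFR for $domain"
            axfr_names "$out" | sed 's/^/    /'
        else
            echo "[-] $ns refuses AXFR for $domain"
        fi
    done
}

# Usage: ./axfr_check.sh example.com
if [ $# -gt 0 ]; then
    check_zone_transfer "$1"
fi
```

Each nameserver is tested separately on purpose: secondaries are often configured more loosely than the primary, so one refusal says nothing about the others.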
Certificate Transparency
Harvest subdomains from the certificate transparency logs.
CTFR
ctfr -d <DOMAIN> -o <OUTPUT>
Info
This tool queries the https://crt.sh/ database.
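The same harvest done by hand, as an added example that is not part of the original notes: it fetches the crt.sh JSON export for a domain and extracts the unique hostnames the certificates cover. The query URL and the "name_value" field are crt.sh's public interface; the parsing, the function names and the sample data are ours, and curl is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): pull the crt.sh JSON export
# for a domain and extract the unique hostnames the certificates cover.
# Assumes curl is installed; the crt.sh query URL and its JSON field
# "name_value" are crt.sh's public interface, the parsing is ours.

# Print the unique hostnames under $2 found in crt.sh JSON text ($1).
# crt.sh packs several SANs into one "name_value" separated by a literal
# "\n" escape, so the escape is expanded before filtering; wildcard
# entries ("*.dev.example.com") are reduced to their base name and
# names outside the target domain are dropped.
ct_names_from_json() {
    json=$1
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    printf '%s\n' "$json" \
        | grep -o '"name_value":"[^"]*"' \
        | sed 's/^"name_value":"//; s/"$//' \
        | awk '{ gsub(/\\n/, "\n"); print }' \
        | tr 'A-Z' 'a-z' \
        | sed 's/^\*\.//' \
        | grep -E "(^|\\.)${esc}\$" \
        | sort -u
}

# Query crt.sh for every certificate whose name matches *.<domain>
# (%25 is the URL-encoded "%" wildcard) and print the hostnames.
ct_query() {
    domain=$1
    json=$(curl -s "https://crt.sh/?q=%25.${domain}&output=json")
    ct_names_from_json "$json" "$domain"
}

# Usage: ./ct_names.sh example.com
if [ $# -gt 0 ]; then
    ct_query "$1"
fi
```

CT logs only show names that someone requested a certificate for, so the list is a starting point for resolution, not proof that a host is live; every name still has to be resolved.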
Subdomain Enumeration
Brute force subdomains with a wordlist; suitable lists from SecLists:
github.com/danielmiessler/SecLists/Discovery/DNS/namelist.txt
github.com/danielmiessler/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt
DNSrecon
dnsrecon -d <DOMAIN> -D <WORDLIST> -t brt
Flag | Output Format
---|---
--xml <FILE> | XML
--csv <FILE> | CSV
--json <FILE> | JSON
GoBuster
gobuster dns -d <DOMAIN> -i -w <WORDLIST> -o <OUTPUT>
Option | Description
---|---
-i | Show IP addresses
Tip
GoBuster is much faster but displays less information.
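A hand-rolled brute forcer, as an added example that is not part of the original notes, showing the check both tools above perform internally: before the wordlist run it resolves a random label under the domain, and if that answers, the zone has a wildcard record and every candidate that resolves to the same address is discarded rather than reported as a finding. It assumes dig is installed; the function names and the sample results are ours.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): wordlist subdomain brute
# force with dig, with a wildcard-DNS check so that a zone answering every
# name does not flood the results with false positives.
# Assumes dig is installed; the wordlist path and function names are ours.

# Print the A records of $1, one per line (nothing if it does not resolve).
resolve_a() {
    dig +short +time=3 +tries=1 A "$1" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Resolve a random, almost certainly nonexistent label under $1. Any
# answer means the zone has a wildcard record; print those addresses.
wildcard_ips() {
    rnd=$(head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n')
    resolve_a "${rnd}.$1"
}

# Read "name ip" lines on stdin and drop the ones whose ip is in the
# wildcard set ($1, newline separated). Lines with no ip pass through.
filter_wildcard() {
    wild=$1
    while read -r name ip; do
        if [ -n "$ip" ] && printf '%s\n' "$wild" | grep -qxF -- "$ip"; then
            continue
        fi
        echo "$name $ip"
    done
}

# Brute force $1 with the wordlist $2, printing "fqdn ip" for real hits.
brute() {
    domain=$1; wordlist=$2
    wild=$(wildcard_ips "$domain")
    if [ -n "$wild" ]; then
        echo "[!] wildcard DNS detected, ignoring answers: $(printf '%s' "$wild" | tr '\n' ' ')" >&2
    fi
    while read -r word; do
        [ -z "$word" ] && continue
        fqdn="${word}.${domain}"
        for ip in $(resolve_a "$fqdn"); do
            echo "$fqdn $ip"
        done
    done < "$wordlist" | filter_wildcard "$wild"
}

# Usage: ./brute.sh example.com namelist.txt
if [ $# -eq 2 ]; then
    brute "$1" "$2"
fi
```

A wildcard that answers with a different address per query (some CDNs do this) will slip past an exact-match filter; in that case compare against the whole wildcard set collected from several random labels.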
Reverse Lookup
Query the PTR record of every address in a subnet to discover host names.
Bash
for i in {1..254}; do host <FIRST THREE OCTETS OF THE /24>.$i | grep -v "not found"; done
DNSrecon
dnsrecon -r <FIRST-LAST / CIDR>
Flag | Output Format
---|---
--xml <FILE> | XML
--csv <FILE> | CSV
--json <FILE> | JSON
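The Bash loop above only handles a /24; the following added example, not part of the original notes, generalises it by expanding any IPv4 CIDR block into its host addresses with plain shell arithmetic and PTR-querying each one with dig. It assumes dig is installed; the function names are ours.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): expand any IPv4 CIDR block
# into its host addresses in shell arithmetic and PTR-query each one with
# dig, generalising the /24-only loop above. Assumes dig is installed.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print every host address in $1 (e.g. 192.0.2.0/29), one per line.
# A bare address is treated as /32. Network and broadcast addresses are
# skipped for prefixes shorter than /31.
cidr_hosts() {
    case $1 in */*) ;; *) set -- "$1/32" ;; esac
    net=${1%/*}; bits=${1#*/}
    size=$(( 1 << (32 - bits) ))
    base=$(( $(ip2int "$net") & ~(size - 1) ))
    if [ "$bits" -ge 31 ]; then
        first=$base; last=$(( base + size - 1 ))
    else
        first=$(( base + 1 )); last=$(( base + size - 2 ))
    fi
    i=$first
    while [ "$i" -le "$last" ]; do
        int2ip "$i"
        i=$(( i + 1 ))
    done
}

# PTR-query every address in the CIDR $1; print "ip name" for hits only.
reverse_sweep() {
    for ip in $(cidr_hosts "$1"); do
        name=$(dig +short +time=2 +tries=1 -x "$ip" 2>/dev/null | head -n 1)
        if [ -n "$name" ]; then
            echo "$ip $name"
        fi
    done
}

# Usage: ./reverse_sweep.sh 192.0.2.0/24
if [ $# -gt 0 ]; then
    reverse_sweep "$1"
fi
```

Point dig at the target's own nameserver (add "@<NAMESERVER>" to the dig call) when the internal reverse zone is not delegated publicly; the recursive resolver you use by default will not know it.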
Recon-ng
recon-ng --no-check
set NAMESERVER <IP>
use recon/netblocks-hosts/reverse_resolve
set NAMESERVER <IP>
add netblocks <CIDR>
run
show hosts