DNS

Table of Contents

Auto

Tools to perform an automatic enumeration of domain.

DNSrecon

Discovers SOA, NS, A, AAAA, MX and SRV if AXRF on the NS servers fail:

dnsrecon -d <DOMAIN> -t std

Zone Transfer

Perform a AXFR query to transfer full zone configuration on misconfigured NS servers.

Linux Built-in
dig -t AXFR <DOMAIN NAME> @<NAMESERVER>
host -t axfr <DOMAIN NAME> <NAMESERVER>
DNSrecon
dnsrecon -d <DOMAIN> -t axfr

Certificate Transparency

Harvest subdomains from the certificate transparency logs.

CTFR
ctfr -d <DOMAIN> -o <OUTPUT>

Info

This tools query the https://crt.sh/ database.

Subdomain Enumeration

Perform a wordlist attack to discover subdomains:

DNSrecon
dnsrecon -d <DOMAIN> -D <WORDLIST> -t brt
Flag Output Format
--xml <FILE> XML
--csv <FILE> CSV
--json <FILE> JSON
GoBuster
gobuster dns -d [domain] -i -w [/path/to/subdomain/wordlist] -o [/path/to/output/logfile]
Option Description
-i Show IP addresses

Tip

GoBuster is much faster but displays less information.

Reverse Lookup

Perform a PTR query for every host of a subnet to discover host names.

Bash
for i in {1..254}; do host <CIDR (excl. last byte)>.$i | grep -v "not found"; done
DNSrecon
dnsrecon -r <FIRST-LAST / CIDR>
Flag Output Format
--xml <FILE> XML
--csv <FILE> CSV
--json <FILE> JSON
Recon-ng
recon-ng --no-check
set NAMESERVER <IP>
use recon/netblocks-hosts/reverse_resolve
set NAMESERVER <IP>
add netblocks <CIDR>
run
show hosts