DNS Enumeration
Basic DNS Queries
Dig
# Basic query
dig target.com
# Specific record type
dig target.com A
dig target.com MX
dig target.com NS
dig target.com TXT
# Reverse lookup
dig -x 192.168.1.1
# Query specific nameserver
dig @8.8.8.8 target.com
# Zone transfer attempt
dig axfr @ns1.target.com target.com

Nslookup
# Basic lookup
nslookup target.com
# Specific record
nslookup -type=MX target.com
nslookup -type=NS target.com
# Reverse lookup
nslookup 192.168.1.1

Host
# Basic lookup
host target.com
# All records
host -a target.com
# Specific record
host -t MX target.com

Subdomain Enumeration

Sublist3r
# Basic enumeration
sublist3r -d target.com
# With brute force
sublist3r -d target.com -b
# Save to file
sublist3r -d target.com -o output.txt

Amass
# Passive enumeration
amass enum -passive -d target.com
# Active enumeration
amass enum -d target.com
# With brute force
amass enum -brute -d target.com

DNSRecon
# Standard enumeration
dnsrecon -d target.com
# Zone transfer
dnsrecon -d target.com -t axfr
# Brute force
dnsrecon -d target.com -D /usr/share/wordlists/subdomains.txt -t brt

DNS Zone Transfer
# Using dig
dig axfr @ns1.target.com target.com
# Using host
host -l target.com ns1.target.com
# Using nmap
nmap --script dns-zone-transfer --script-args dns-zone-transfer.domain=target.com -p 53 ns1.target.com
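
The defender-side counterpart to the zone transfer and brute force commands above, as an added example that is not part of the original cheat sheet: a transfer only succeeds when the nameserver answers AXFR for arbitrary clients, so the authoritative server should restrict it to its secondaries, and both AXFR attempts and subdomain brute forcing leave a clear trail in the query log. The script below scans BIND-style query log lines for zone transfer requests from hosts other than the known secondaries and for clients resolving many distinct names under one zone; the log format, the sample lines, the allowed-secondary list and the threshold are assumed or constructed.

```python
import re
from collections import defaultdict

# BIND 9 querylog format (assumed; the '@0x...' handle and the '(qname):'
# field are optional because they differ between BIND versions).
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ (?:\(\S+\): )?"
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log: an AXFR from an unknown host, an AXFR from a
# legitimate secondary, one normal lookup and a burst of distinct subdomains.
SAMPLE_LOG = """\
client 198.51.100.7#53210 (target.com): query: target.com IN AXFR +T (10.0.0.5)
client 10.0.0.6#41000 (target.com): query: target.com IN AXFR +T (10.0.0.5)
client 203.0.113.9#40001 (www.target.com): query: www.target.com IN A + (10.0.0.5)
client 198.51.100.7#53211 (mail.target.com): query: mail.target.com IN A + (10.0.0.5)
client 198.51.100.7#53212 (vpn.target.com): query: vpn.target.com IN A + (10.0.0.5)
client 198.51.100.7#53213 (dev.target.com): query: dev.target.com IN A + (10.0.0.5)
client 198.51.100.7#53214 (test.target.com): query: test.target.com IN A + (10.0.0.5)
"""

ALLOWED_SECONDARIES = {"10.0.0.6"}  # assumed: hosts permitted to pull the zone


def analyze(log_text, zone, allowed=ALLOWED_SECONDARIES, brute_threshold=4):
    """Return (sources sending unauthorized AXFR/IXFR, sources brute forcing subdomains)."""
    axfr_sources = set()
    names_per_source = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (or a format we do not parse)
        src, qname, qtype = m.group("src"), m.group("qname").lower(), m.group("qtype")
        if qtype in ("AXFR", "IXFR") and src not in allowed:
            axfr_sources.add(src)
        elif qname.endswith("." + zone):
            names_per_source[src].add(qname)  # distinct names per client
    brute_sources = {s for s, n in names_per_source.items() if len(n) >= brute_threshold}
    return axfr_sources, brute_sources


if __name__ == "__main__":
    bad_axfr, brute = analyze(SAMPLE_LOG, "target.com")
    print("unauthorized zone transfer requests from:", sorted(bad_axfr))
    print("subdomain brute force from:", sorted(brute))
```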