DNS Enum

Search…
DNS Enum
Main commands used here for DNS enum. 
host
dig
nslookup
dnsrecon
NSlookup
nslookup 
> server 10.10.10.10
Default server: 10.10.10.10
Address: 10.10.10.10#53
​
> 10.10.10.10
10.10.10.10.in-addr.arpa	name = ns1.domain.com.
host -t ns somedomain.com		# -t: type, nameservers records 
host -t mx somedomain.com		# mail records
host www.somedomain.com			# Will display the IP of the domain
host idontexist.somedomain.com 	# If exists it will display further information
Zone Transfer
host -t ns somedomain.com					# Find the nameservers of the domain
host -l somedomain.com ns1.somedomain.com.	# attempt zone transfer based on the nameservers found. (e.g. ns1, ns2, ns3, ... )
############### Example Script for Zone Transfer ###############
################################################################
​
#!/bin/bash
​
# Zone Transfer script
######################
​
echo "[*] Simple Zone transfer script"
if [ -z "$1" ]; then
        echo "This script accepts an argument. Please re-run it and give an argument."
        exit 0
fi
​
for server in $(host -t ns $1 |cut -d" " -f4);
do
        host -l $1 $server | grep "has address"
done
​
Tools: DNSrecon/DNSenum
dnsrecon -d somedomain.com -t axfr	    # Attempt a Zone Transfer on a domain 
Dig Zone Transfer
dig axfr @10.10.10.10 domainame
Tools List
sublist3r
enumall
massdns
altdns
brutesubs
dns-parallel-prober
dnscan
knockpy
tko-subs
HostileSubBruteforce
WFUZZing
----DNS fuzzing----
wfuzz -c -f sub-fighter -w subdomains.txt -u "http://maindomain.com" -H "Host: FUZZ.maindomain.com" -t 42 --hl 1
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1mil-20000.txt -u "http://maindomain.com/" -H "Host: FUZZ.maindomain.com" -t 42 --hh 62
IDLE SCAN
SMB Enum
Last modified 1yr ago
Copy link
Outline
Main commands used here for DNS enum.