DNS Enumeration

DNS enumeration involves gathering information about a domain's DNS records to map out its structure. Tools like dig, nslookup, or dnsenum can be used to discover subdomains, mail servers, and other DNS entries.

DNS Entries

Entry
Description

NS

Nameserver record - contains the name of the authoritative servers hosting the DNS records for a domain.

A

A record - contains the IPv4 address of a hostname.

AAAA

Quad A record - contains the IPv6 of a hostname.

MX

Mail Exchange record - contains the name of the email management servers.

PTR

Pointer record - contains the zones for reverse search using IP address.

CNAME

Canonical Name record - contains aliases for other A records.

TXT

Text record - contains any aribary data.

Enumeration

Retrieve records using host: 

host -t <record_type> <domain_name>

Retrieve DNS records using nslookup (useful for live of the land in Windows):

nslookup -type=<record_type> <Domain_name> <ns_server>

Subdomain brute force:

for ip in $(cat <wordlist>); do host $ip.<domain_name>; done | grep -v "not found"

Brute forcing records

dnsrecon -d <domain_name> -D <wordlist> -t brt

Useful scans to automate the process:

dnsrecon -d megacorpone.com -t std
dnsenum <domain_name>

References

LogoGitHub - darkoperator/dnsrecon: DNS Enumeration ScriptGitHub
dnsrecon
LogoGitHub - SparrowOchon/dnsenum2: dnsenum is a perl script that enumerates DNS information. Officially mainlined in Kali LinuxGitHub
dnsenum
PreviousActive ReconnaissanceNextHost Discovery

Last updated