dns-enum

DNS Enum

whois example.com
----
nslookup example.com
nslookup -type=any example.com
----
dig example.com
dig NS example.com
dig MX example.com
dig TXT example.com
dig any example.com
dig -t A example.com
----
fierce -dns example.com
fierce -dns example.com -dnsserver 8.8.8.8
----
host -t A example.com
for sub in $(cat wordlist.txt); do host -t A $sub.example.com; done
----
bluto -t example.com
----
massdns -r resolver.txt -t A -o S -w output.txt wordlist.txt

ZONE Transfer

dig AXFR @ns1.example.com example.com
host -l example.com ns1.example.com
dnsrecon -d example.com -t axfr

Reverse DNS Lookup

dig x [ip]
host [ip]
for ip in $(cat ips.tx); do host $ip; done

Subdomain Enumeration

subfinder -d example.com
sublist3r -d example.com
amass enum -active -d example.com
assetfinder --subs-only example.com
curl https://crt.sh/?q=%.example.com
findomain -t example.com -u found.txt
theHarvester -d example.com -b all
dnsenum example.com
dnsrecon -d example.com -a 

Notes

• DNS ( Domain Name System) Enum is the critical step during Information Gathering.

• It is used to gather domain related information like subdomain, IP Addresses, mail servers, name servers.

• DNS Enumeration is the process of locating all DNS record associated with the domain.

• The Record can be reveled.

  • subdomains (e.g. dev.example.com)

  • IP Addresses (A, AAA)

  • Mail Server (MX)

  • Name Server (NS)

  • TXT Record (TXT) like SPF, DKIM

  • CNAME (aliases)

  • Zone Transfer (AXFR)