General Enumeration

dnsenum <domain>
dnscan.py -d <domain> -w <subdomain-wordlist>
 
host <domain>
host -t <record-type> <domain>
whois <domain>
dig <domain>

Find all DNS servers

host -t ns <domain>

Find other DNS records for domain

host -t <record-type> <domain>

Forward Lookup Brute Force

(Domain name to IP)

while read -r subdomain; do host -t A "$subdomain.<domain>"; done < /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt | grep -v 'not found'

Reverse Lookup Brute Force

(IP address to domain name)

for host in {1..254}; do host 38.12.48.$host; done | grep -v 'not found'

Brute Force Hosts & Subdomains

dnsrecon -d <domain> -D <wordlist> -t brt

DNS Zone Transfer (single server)

host -l <domain> <dns-server>

DNS Zone Transfer (all NS)

dnsrecon -d <domain> -t axfr