DNS enumeration

General Enumeration

dnsenum <domain>
dnscan.py -d <domain> -w <subdomain-wordlist>
 
host <domain>
host -t <record-type> <domain>
whois <domain>
dig <domain>

Find all DNS servers

host -t ns <domain>

Find other DNS records for domain

host -t <record type> <domain>

Forward Lookup Brute Force

(Domain name to IP)

for subdomain in $(cat /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt); do host -t A $subdomain.$domain; done | grep -v 'not found'

Reverse Lookup Brute Force

(IP address to domain name)

for host in {1..254}; do host 38.12.48.$host; done | grep -v 'not found'

Brute Force Hosts & Subdomain

dnsrecon -d <domain> -D <wordlist> -t brt

DNS Zone Transfer (single server)

host -l <domain> <dns-server>

DNS Zone Transfer (all NS)

dnsrecon -d <domain> -t axfr

📖 Notes

Recent Notes

heap exploitation

2024-06-05

2024-06-04

2024-06-03

2024-05-29

DNS enumeration

General Enumeration

Find all DNS servers

Find other DNS records for domain

Forward Lookup Brute Force

Reverse Lookup Brute Force

Brute Force Hosts & Subdomain

DNS Zone Transfer (single server)

DNS Zone Transfer (all NS)

Graph View

Table of Contents

Backlinks