General Enumeration
dnsenum <domain>
dnscan.py -d <domain> -w <subdomain-wordlist>
host <domain>
host -t <record-type> <domain>
whois <domain>
dig <domain>Find all DNS servers
host -t ns <domain>Find other DNS records for domain
host -t <record type> <domain>Forward Lookup Brute Force
(Domain name to IP)
for subdomain in $(cat /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt); do host -t A $subdomain.$domain; done | grep -v 'not found'Reverse Lookup Brute Force
(IP address to domain name)
for host in {1..254}; do host 38.12.48.$host; done | grep -v 'not found'Brute Force Hosts & Subdomain
dnsrecon -d <domain> -D <wordlist> -t brtDNS Zone Transfer (single server)
host -l <domain> <dns-server>DNS Zone Transfer (all NS)
dnsrecon -d <domain> -t axfr