Enumeration – DNS

Dig

dig -t mx <domain> can be used to grab the mail exchange (MX) records associated with the domain.

dig -t ns <domain> can be used to query the name servers associated with the domain.

dig -t cname <domain> can be used to query for aliases of other host records.

dig -t txt <domain> can be used to enumerate text records; these can contain pretty much any information (SPF, DMARC and verification strings are common).

DNS Zone transfer with Dig.

A DNS zone transfer, in a nutshell, dumps the zone files from a master server to a slave server; these zone files contain all the DNS names configured for that zone. A name server that allows transfers to anyone hands out the whole zone to the requester.
We can achieve this with dig by using the command: dig axfr @<dns server> <domain>

Host

Host can be used similarly to dig.

-t cname queries aliases.

-t a queries the related IP address.

-t ptr queries pointer records; these are used in a reverse lookup to find the name associated with an IP address.

-t txt queries text records.

-t mx queries mail exchange servers.

-t ns queries name servers.

We can perform a zone transfer using the command: host -l <domain> <name server>

Bruteforcing DNS lookups.

We can bruteforce DNS lookups using bash. Querying a domain that doesn’t exist using host provides an output containing the string “not found”.

We can use this combined with a wordlist (I used seclists DNS/namelist.txt) and a bash one-liner to bruteforce endpoints.
The bash one-liner could look like this:
for i in $(cat wordlist); do host $i.<domain>; done | grep -v "not found"
Obviously different wordlists will provide different mileage.
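As an added example that is not from the original post, the same brute force written as a small POSIX sh script: it reads host(1) output for A records instead of grepping for "not found", and it goes a step further than the one-liner by resolving a random non-existent label first so that wildcard-DNS answers (every label resolving to the same address) can be filtered out. It assumes host(1) is on the PATH and that the wordlist has one label per line.

```shell
#!/bin/sh
# Subdomain brute force with host(1), with wildcard-DNS filtering.
# Assumes host(1) is installed; wordlist is one label per line.

# lookup NAME -> prints "fqdn ip" for each A record, nothing if none.
lookup() {
    host -t a "$1" 2>/dev/null | awk '/has address/ { print $1, $4 }'
}

# wildcard_ip DOMAIN -> address a random, surely non-existent label
# resolves to (empty if the zone has no wildcard record).
wildcard_ip() {
    lookup "nonexistent-$$-$(date +%s).$1" | awk '{ print $2; exit }'
}

# brute DOMAIN WORDLIST -> prints "fqdn ip" for every label that
# resolves, skipping answers that merely match the wildcard address.
brute() {
    domain=$1
    wordlist=$2
    wc=$(wildcard_ip "$domain")
    while IFS= read -r label; do
        if [ -z "$label" ]; then continue; fi
        lookup "$label.$domain" | while read -r fqdn ip; do
            if [ -n "$wc" ] && [ "$ip" = "$wc" ]; then continue; fi
            printf '%s %s\n' "$fqdn" "$ip"
        done
    done < "$wordlist"
}
```

Run it as brute <domain> <wordlist>; output is one "fqdn ip" pair per discovered host.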
