DNS enumeration

DNS enumeration is the process of collecting information about every DNS component of a target: its name servers, the records in its zones (A, AAAA, MX, NS, TXT, SRV, SOA), its subdomains and the IP addresses behind them. Hostnames reveal naming conventions and forgotten systems, and SOA or TXT records sometimes expose administrator contacts and usernames, so every record found widens the attack surface available to the tester.


DNSenum is a Perl script that collects DNS information about a target: host addresses, name servers and MX records, zone transfer attempts against each NS, and subdomain brute forcing from a wordlist. The --noreverse option skips the reverse-lookup sweep of the discovered address ranges, which is noisy and slow.

# dnsenum --noreverse <domain>


dnsrecon is a Python script that can:

  • Check all NS records for zone transfers.

  • Enumerate general DNS records for a given domain (MX, SOA, NS, A, AAAA, SPF and TXT).

  • Perform common SRV record enumeration.

  • Expand the domain across other top-level domains (TLD expansion).

  • Check for wildcard resolution.

  • Brute force subdomain and host A and AAAA records given a domain and a wordlist.

  • Perform PTR record lookups for a given IP range or CIDR.

  • Check a DNS server's cached records for A, AAAA and CNAME records, given a list of host records in a text file.

  • Enumerate hosts and subdomains using Google.
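The wildcard check and the brute-force step above interact: if the zone has a *.domain record, every word in the list resolves and the brute force returns nothing useful unless the wildcard answers are filtered out. The following is an added example written for this page, not dnsrecon's own code, that implements that logic with a pluggable resolver so it runs offline; the zone contents, hostnames and addresses are constructed, and system_resolver is the drop-in for real lookups.

```python
import random
import socket
import string
from typing import Callable, Dict, Iterable, Set, Tuple

# A resolver maps a hostname to the set of addresses it resolves to;
# an empty set means NXDOMAIN / no answer.
Resolver = Callable[[str], Set[str]]


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve a few random labels that cannot exist under `domain`.

    A `*.domain` record answers all of them; the union of the addresses
    returned is the wildcard IP set. An empty set means no wildcard."""
    wildcard_ips: Set[str] = set()
    alphabet = string.ascii_lowercase + string.digits
    for _ in range(probes):
        label = "".join(random.choice(alphabet) for _ in range(16))
        wildcard_ips |= resolve(f"{label}.{domain}")
    return wildcard_ips


def brute_force(domain: str, wordlist: Iterable[str], resolve: Resolver
                ) -> Tuple[Dict[str, Set[str]], Set[str]]:
    """Resolve <word>.<domain> for every word, discarding wildcard noise.

    A hit is kept unless every address it returns is a wildcard address:
    a real record that also points at other addresses still survives, while
    a real record sitting only on the wildcard address is indistinguishable
    from the catch-all by A/AAAA lookup alone (known blind spot)."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found: Dict[str, Set[str]] = {}
    for word in wordlist:
        host = f"{word.strip()}.{domain}"
        ips = resolve(host)
        if not ips:
            continue
        if wildcard_ips and ips <= wildcard_ips:
            continue
        found[host] = ips
    return found, wildcard_ips


def system_resolver(host: str) -> Set[str]:
    """Real resolver: ask the OS stub resolver for A and AAAA records."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


# --- Constructed test zone (hypothetical names, documentation-range IPs) ---
CONSTRUCTED_RECORDS = {
    "www.example.test": {"198.51.100.10"},
    "mail.example.test": {"198.51.100.20"},
    # real host that also shares the wildcard address: must still be reported
    "vpn.example.test": {"198.51.100.30", "203.0.113.5"},
}
CONSTRUCTED_WILDCARD = {"203.0.113.5"}  # what *.example.test answers with


def fake_resolver(host: str) -> Set[str]:
    """Offline stand-in for DNS: explicit records first, then the wildcard."""
    if host in CONSTRUCTED_RECORDS:
        return set(CONSTRUCTED_RECORDS[host])
    if host.endswith(".example.test"):
        return set(CONSTRUCTED_WILDCARD)
    return set()


if __name__ == "__main__":
    words = ["www", "mail", "vpn", "dev", "intranet"]
    hits, wildcard = brute_force("example.test", words, fake_resolver)
    print("wildcard addresses:", sorted(wildcard))
    for host, ips in sorted(hits.items()):
        print(f"{host} -> {', '.join(sorted(ips))}")
```

Against the constructed zone, dev and intranet resolve only to the wildcard address and are dropped, while vpn survives because it returns an address the wildcard does not. Swap fake_resolver for system_resolver to run the same logic against a live domain.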


nslookup is a command line utility useful for identifying DNS infrastructure. In interactive mode, set type=any requests every record type for a name, and ls -d attempts to list the whole zone. Note that ls exists only in the Windows nslookup (the BIND version dropped it) and only succeeds where the server permits zone transfers to your host:

# nslookup
> set type=any
> ls -d <domain>

When no server is given, nslookup asks the system's default resolver and returns the A and AAAA records for the name. For example:

nslookup clinic.thmredteam.com

Non-authoritative answer:
Name:	clinic.thmredteam.com
Name:	clinic.thmredteam.com
Name:	clinic.thmredteam.com
Address: 2606:4700:3034::ac43:d4f9
Name:	clinic.thmredteam.com
Address: 2606:4700:3034::6815:5da9

To find the mail servers, query the MX type instead, then use nslookup again to resolve the FQDNs of the mail servers to IP addresses:

nslookup -type=MX clinic.thmredteam.com


Nmap is a port scanner; use it to find DNS servers in a range by probing port 53. -sV fingerprints the listening service and -sC runs the default scripts, including dns-nsid, which asks the server for its NSID and version.bind identity. DNS is mostly UDP, so add a UDP probe (-sU) as well, or the scan misses servers that do not also listen on TCP 53.

# nmap -sC -sV -p53 192.168.x.0/24


dig is a command line tool for querying DNS servers. Use dig to perform DNS profiling of the target organisation.

To determine the IP address of a system:

dig www.target.com +short

To determine the DNS servers:

dig target.com NS +short

To determine the email servers for the organisation:

dig target.com MX +short

dig provides many query options and also lets you choose which server to query with @, so the same lookup can be repeated against a public resolver (Cloudflare's, for instance) and against the target's own authoritative servers to compare answers: dig @<dns-server> tryhackme.com

To attempt a zone transfer (AXFR) from one of the authoritative name servers found with the NS query, use axfr. A correctly configured server restricts transfers to its secondaries and answers "Transfer failed."; a misconfigured one hands over every record in the zone in a single query:

# dig axfr <domain> @<ns-domain>


host is another useful alternative for querying DNS servers for DNS records.

# host <domain>

For example:

host clinic.thmredteam.com
clinic.thmredteam.com has address
clinic.thmredteam.com has address
clinic.thmredteam.com has IPv6 address 2606:4700:3034::ac43:d4f9
clinic.thmredteam.com has IPv6 address 2606:4700:3034::6815:5da9


fierce is a reconnaissance tool that quickly scans a domain for DNS-related weaknesses: it locates the name servers, attempts zone transfers against them, and brute-forces hostnames, then scans the address ranges around each hit for neighbours. The -dns flag belongs to the original Perl version; the Python rewrite shipped in current distributions takes --domain instead.

# fierce -dns <domain>


AltDNS generates further subdomain candidates by altering and permuting subdomains already discovered (for example api becomes dev-api, api-staging and api.internal) using a word list, and can resolve the candidates to see which exist. It takes an input file of known subdomains (-i), a word list (-w), an output file for the candidates (-o) and -r to resolve them. Install it from source:

git clone https://github.com/infosec-au/altdns.git
cd altdns
pip install -r requirements.txt
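Alteration and permutation is the technique behind AltDNS: take subdomains already discovered, combine each with a word list, and resolve the candidates. The generator below is an added example written for this page, not AltDNS's own code, showing the permutations involved; the seed hostnames, word list and apex domain are constructed. The digit-bumping step is an extra that AltDNS itself does not document. Its output is meant to be fed to a resolver (the wildcard-aware brute force used with dnsrecon-style tooling, or AltDNS's own -r mode).

```python
import re
from typing import Iterable, List, Set


def permute_subdomains(known: Iterable[str], words: Iterable[str],
                       domain: str, bump_numbers: bool = True) -> List[str]:
    """Generate candidate hostnames from known subdomains of `domain`.

    For each known subdomain `sub` (apex stripped) and word `w`, emit:
      w-sub, sub-w, w.sub, sub.w, and w inserted between sub's labels,
    all suffixed with the apex. Optionally (an addition for this example,
    not taken from AltDNS) bump trailing digits, so mail2 also yields
    mail1 and mail3. Known names themselves are not re-emitted."""
    suffix = "." + domain.lower()
    known_set = {h.lower().rstrip(".") for h in known}
    wordlist = {w.strip().lower() for w in words if w.strip()}
    out: Set[str] = set()

    for fqdn in known_set:
        if not fqdn.endswith(suffix):
            continue  # not under the target apex; skip it
        sub = fqdn[: -len(suffix)]
        labels = sub.split(".")
        for w in wordlist:
            out.add(f"{w}-{sub}{suffix}")
            out.add(f"{sub}-{w}{suffix}")
            out.add(f"{w}.{sub}{suffix}")
            out.add(f"{sub}.{w}{suffix}")
            # insert the word between every pair of existing labels
            for i in range(1, len(labels)):
                out.add(".".join(labels[:i] + [w] + labels[i:]) + suffix)
        if bump_numbers:
            for i, label in enumerate(labels):
                m = re.match(r"^(.*?)(\d+)$", label)
                if not m:
                    continue
                base, digits = m.group(1), m.group(2)
                for n in (int(digits) - 1, int(digits) + 1):
                    if n < 0:
                        continue
                    bumped_label = f"{base}{n:0{len(digits)}d}"  # keep zero padding
                    bumped = labels[:i] + [bumped_label] + labels[i + 1:]
                    out.add(".".join(bumped) + suffix)

    out -= known_set
    return sorted(out)


# Constructed seed data: hypothetical hosts under a documentation domain.
CONSTRUCTED_KNOWN = ["api.example.test", "dev.api.example.test", "mail2.example.test"]
CONSTRUCTED_WORDS = ["staging", "admin"]

if __name__ == "__main__":
    for candidate in permute_subdomains(CONSTRUCTED_KNOWN, CONSTRUCTED_WORDS, "example.test"):
        print(candidate)
```

With the three seed names and two words this yields a few dozen candidates, including dev.staging.api.example.test (word inserted between labels) and mail1/mail3 from the digit bump; the seeds themselves are excluded so they are not resolved twice.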


DNSdumpster.com is a free online domain research tool that discovers hosts related to a domain (subdomains, MX, NS and TXT records) from passive sources, so it can be used without sending any queries to the target's own name servers.