DNS Enumeration & Attacks

intermediate · 30 min · Writeup

Extracting information from DNS services

Learning Objectives

  • Perform DNS zone transfers
  • Enumerate DNS records
  • Discover subdomains
  • Exploit DNS misconfigurations

DNS (Domain Name System) is the phonebook of the internet. When you type "google.com", DNS translates it to an IP address your computer can use. But DNS is also incredibly chatty - it stores all sorts of useful information that attackers love to harvest.

DNS runs on port 53, using both UDP (queries) and TCP (zone transfers, large responses). Every organization with a web presence has DNS records, and misconfigured DNS can expose the entire internal network structure.

DNS is Hierarchical

DNS works like a tree: root servers → TLD servers (.com, .org) → authoritative servers (example.com). Understanding this helps you know where to query.

DNS Record Types

| Record | Purpose          | Value for Pentest              |
|--------|------------------|--------------------------------|
| A      | IPv4 address     | Target IP addresses            |
| AAAA   | IPv6 address     | Often overlooked IPv6          |
| MX     | Mail servers     | Email infrastructure           |
| NS     | Name servers     | DNS infrastructure             |
| TXT    | Text data        | SPF, DKIM, verification tokens |
| CNAME  | Alias            | Subdomains, CDN info           |
| SOA    | Zone authority   | Admin email, serial numbers    |
| PTR    | Reverse lookup   | IP to hostname mapping         |
| SRV    | Service location | AD, LDAP, Kerberos servers     |

Basic DNS Queries

bash
# Using dig (preferred)
dig example.com          # A records
dig example.com MX       # Mail servers
dig example.com TXT      # Text records
dig example.com NS       # Name servers
dig example.com ANY      # All records (often blocked)

# Short output
dig +short example.com

# Specify DNS server
dig @8.8.8.8 example.com

# Using nslookup
nslookup example.com
nslookup -type=MX example.com
nslookup -type=TXT example.com

# Using host
host example.com
host -t MX example.com
host -t TXT example.com

Use Multiple DNS Servers

Query different DNS servers (Google 8.8.8.8, Cloudflare 1.1.1.1, target's NS) - they might have different cached or authoritative records.

Zone Transfers (AXFR)

Zone transfers are designed to replicate DNS data between servers. If misconfigured, anyone can request a copy of the entire zone - revealing every subdomain, IP, and record.

bash
# Attempt zone transfer with dig
dig axfr @ns1.example.com example.com

# Using host
host -t axfr example.com ns1.example.com

# Using nslookup (interactive; the ls subcommand exists only in the Windows build)
nslookup
> server ns1.example.com
> set type=any
> ls -d example.com

# Automated with dnsrecon
dnsrecon -d example.com -t axfr

# Nmap script
nmap -p 53 --script dns-zone-transfer --script-args dns-zone-transfer.domain=example.com ns1.example.com

Zone Transfers Are Rare Now

Modern DNS servers usually block zone transfers to unauthorized IPs. But always check - you'd be surprised how often it works, especially on internal DNS servers.
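To see what an over-permissive AXFR actually hands out, here is an added example (not part of this writeup or any of the tools above) that parses dig-style zone output into a record inventory and flags the two things a defender should fix first: RFC 1918 addresses published in a public zone and CNAMEs pointing at third-party hosting. The zone data and the provider suffix list are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the layout dig prints for 'dig axfr' (name TTL class type rdata); not a real zone.
SAMPLE_AXFR = """\
; <<>> DiG 9.18 <<>> axfr @ns1.example.com example.com
example.com.            3600  IN  SOA    ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 300
example.com.            3600  IN  NS     ns1.example.com.
example.com.            3600  IN  MX     10 mail.example.com.
example.com.            3600  IN  TXT    "v=spf1 include:_spf.example.net -all"
www.example.com.        300   IN  A      203.0.113.10
mail.example.com.       300   IN  A      203.0.113.25
vpn-gw01.example.com.   300   IN  A      10.20.30.1
docs.example.com.       300   IN  CNAME  old-docs.github.io.
_ldap._tcp.example.com. 300   IN  SRV    0 100 389 dc01.example.com.
dc01.example.com.       300   IN  A      10.20.30.10
;; Query time: 3 msec
"""

# Third-party hosting suffixes worth a dangling-CNAME check (constructed list, not exhaustive).
THIRD_PARTY_SUFFIXES = (".github.io.", ".herokuapp.com.", ".s3.amazonaws.com.")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_axfr(text):
    """Parse dig-style zone output into (name, ttl, type, rdata) tuples, skipping dig's own ';' lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(None, 4)  # name, ttl, class, type, rdata (rdata keeps its spaces)
        if len(parts) < 5 or parts[0].startswith(";") or parts[2] != "IN":
            continue
        name, ttl, _, rtype, rdata = parts
        records.append((name.lower(), int(ttl), rtype, rdata))
    return records

def audit_zone(records):
    """Inventory record names by type and flag what a public zone should not reveal."""
    by_type = defaultdict(list)
    private_hosts, external_cnames = [], []
    for name, _, rtype, rdata in records:
        by_type[rtype].append(name)
        if rtype == "A" and any(ipaddress.ip_address(rdata) in net for net in RFC1918):
            private_hosts.append((name, rdata))       # internal address exposed to the world
        elif rtype == "CNAME" and rdata.endswith(THIRD_PARTY_SUFFIXES):
            external_cnames.append((name, rdata))     # verify the target still exists (takeover risk)
    return dict(by_type), private_hosts, external_cnames

if __name__ == "__main__":
    types, priv, ext = audit_zone(parse_axfr(SAMPLE_AXFR))
    print({t: len(n) for t, n in types.items()}, priv, ext, sep="\n")
```

Feed it the saved output of `dig axfr` against your own name servers; an empty `priv` and `ext` is the goal.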

Subdomain Enumeration

DNS Brute Forcing

bash
# Using gobuster
gobuster dns -d example.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# Using dnsrecon
dnsrecon -d example.com -t brt -D /usr/share/wordlists/subdomains.txt

# Using fierce
fierce --domain example.com

# Using dnsenum
dnsenum example.com

# Using amass (most comprehensive)
amass enum -d example.com

# Using aiodnsbrute (async, very fast)
aiodnsbrute -w wordlist.txt -t 1000 example.com

Good Wordlists

  • SecLists/Discovery/DNS/subdomains-top1million-*.txt
  • SecLists/Discovery/DNS/dns-Jhaddix.txt
  • SecLists/Discovery/DNS/namelist.txt
  • Custom wordlists based on target (company name, products)

Build Custom Wordlists

Use CeWL to scrape the target's website and create wordlists from their content. Product names, employee names, and terms they use make great subdomain candidates.

Reverse DNS Lookups

PTR records map IP addresses back to hostnames. Sweeping IP ranges can reveal internal naming conventions and hidden subdomains.

bash
# Single reverse lookup
dig -x 192.168.1.10 +short
host 192.168.1.10
nslookup 192.168.1.10

# Sweep a range with dnsrecon
dnsrecon -r 192.168.1.0/24

# Using fierce
fierce --dns-servers 192.168.1.1 --range 192.168.1.0/24

# Manual sweep
for ip in $(seq 1 254); do
  host 192.168.1.$ip 2>/dev/null | grep "domain name pointer"
done

DNS Cache Snooping

Query a DNS server's cache to see which domains it has recently resolved; this reveals what sites its users are visiting.

bash
# Non-recursive query (check cache only)
dig @192.168.1.1 example.com +norecurse

# Nmap script (the domain list must be braced so its commas are not read as argument separators)
nmap -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={google.com,facebook.com}' 192.168.1.1

DNS Vulnerabilities

DNS Hijacking

If you can modify DNS responses, you control where users go.

bash
# Responder for local DNS spoofing
sudo responder -I eth0 -rdw

# DNSChef for targeted spoofing
sudo dnschef --fakeip 192.168.1.100 --interface eth0

# Check for DNS-over-HTTPS/TLS support
# These bypass traditional DNS hijacking

Subdomain Takeover

When CNAME records point to decommissioned services (GitHub Pages, Heroku, S3), attackers can claim those services.

bash
# Find CNAMEs pointing to external services
dig example.com CNAME
dig subdomain.example.com CNAME

# Check for dangling CNAMEs
# If CNAME points to xyz.github.io but that repo doesn't exist = takeover

# Tools
subjack -w subdomains.txt -t 100 -o results.txt
nuclei -l subdomains.txt -t takeovers/

DNSSEC Issues

bash
# Check DNSSEC status
dig example.com +dnssec +multi

# Verify DNSSEC chain
delv @8.8.8.8 example.com

# DNSSEC misconfiguration can allow spoofing

Tool Summary

bash
# dnsrecon - comprehensive enumeration (-a adds a zone transfer attempt)
dnsrecon -d example.com -a

# dnsenum - enumeration + brute force
dnsenum --dnsserver ns1.example.com example.com

# fierce - domain scanner (--subdomain-file takes a wordlist file; --subdomains takes names inline)
fierce --domain example.com --subdomain-file subdomains.txt

# amass - most comprehensive
amass enum -d example.com -o output.txt

# massdns - fastest brute forcer
massdns -r resolvers.txt -t A -o S wordlist.txt

DNS Enumeration Methodology

DNS Enumeration Process

  1. Identify NS: find the authoritative name servers
  2. Zone Transfer: attempt AXFR on each NS
  3. Record Query: get A, MX, TXT, NS, SOA records
  4. Subdomain Brute: run subdomain enumeration
  5. Reverse DNS: sweep IP ranges for PTR records
  6. Takeover Check: look for dangling CNAMEs
  7. Document: map out the DNS infrastructure

Knowledge Check


What is a DNS zone transfer (AXFR)?

Challenges

Zone Transfer Challenge

Challenge
🌱 beginner

Find a misconfigured DNS server that allows zone transfers and extract all subdomains.


Hidden Subdomain Hunt

Challenge
🔥 intermediate

Using DNS enumeration techniques, find at least 20 subdomains for a target domain.


Key Takeaways

  • DNS runs on port 53 (UDP for queries, TCP for zone transfers)
  • Zone transfers (AXFR) can expose entire DNS zones if misconfigured
  • TXT records often contain SPF, DKIM, and service verification tokens
  • Subdomain brute forcing reveals hidden infrastructure
  • Reverse DNS sweeps expose internal naming conventions
  • Dangling CNAMEs enable subdomain takeover attacks
  • Use multiple tools - each finds different results