DNS Enumeration

Host Lookups

Basic DNS lookup for A record (IPv4):

host www.$DOMAIN

Search for specific record types:

host -t mx $DOMAIN
host -t txt $DOMAIN
host -t ns $DOMAIN

tip

For MX records, the server with the lowest priority number will be used first to forward mail.

Use a wordlist to discover hostnames:

for ip in $(cat list.txt); do host $ip.$DOMAIN; done

If forward brute force reveals IP addresses in the same range, scan that range with reverse lookups:

for ip in $(seq 1 254); do host 167.114.21.$ip; done | grep -v "not found"

Standard scan:

dnsrecon -d $DOMAIN -t std

Brute force with wordlist:

dnsrecon -d $DOMAIN -D ~/list.txt -t brt

-d designates the domain, -t std is standard scan type, -t brt is brute force, and -D specifies the wordlist.

dnsenum $DOMAIN

dig $DOMAIN any
dig axfr $DOMAIN @<dns-server>