DNS 53
Nmap Enumeration
Basic Scan for DNS
Where <target_range>
could be a single IP (e.g., 10.10.10.10
) or a range (e.g., 10.11.1.1-254
).
Finding the DNS Server
Using nslookup
nslookup
Using dig
dig
Basic Queries:
Reverse Lookup:
Forward Lookup Bruteforce
Using dnsrecon
dnsrecon
Install dnsrecon
:
Run a forward lookup brute force:
Using dnsmap
dnsmap
Install dnsmap
:
Run DNS enumeration:
Using host
host
For a basic lookup:
For specific records:
Automating Forward Lookups with Bash
Prepare a list of subdomains (e.g., list.txt
):
Run the following script:
Reverse Lookup Bruteforce
Using Bash
For a range of IPs:
Using dnsrecon
dnsrecon
Reverse lookup brute force:
DNS Zone Transfers
Using host
host
Check for a vulnerable zone transfer:
Using dnsrecon
dnsrecon
Using dnsenum
dnsenum
Install dnsenum
:
Run zone transfer:
Common Use Cases
Forward Lookups: Identify valid subdomains and their associated IPs.
Reverse Lookups: Discover hostnames for a given range of IPs.
Zone Transfers: Exploit misconfigured DNS servers to dump entire domain records.
Brute Forcing: Use wordlists to uncover hidden or forgotten subdomains.
Custom Wordlists
You can use wordlists from the SecLists
repository for DNS brute-forcing:
Example location:
Last updated