DNS 53

Nmap Enumeration

Basic Scan for DNS

nmap -p 53 <target_range> -vv -oA dns

Where <target_range> could be a single IP (e.g., 10.10.10.10) or a range (e.g., 10.11.1.1-254). Note that -oA takes a base name rather than a file name: dns produces dns.nmap, dns.gnmap and dns.xml. This scan is TCP only; DNS is served mainly over UDP 53, so add -sU if you also need the UDP side.


Finding the DNS Server

Using nslookup

nslookup <hostname> <dns_server_ip>

Using dig

Basic Queries:

dig @<dns_server_ip> <hostname>

Reverse Lookup:

dig -x <ip_address> +short

Forward Lookup Bruteforce

Using dnsrecon

Install dnsrecon:

sudo apt install dnsrecon

Run a forward lookup brute force (-t brt selects brute-force mode, -D supplies the wordlist and --xml saves the results):

dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t brt --xml dnsrecon.xml

Using dnsmap

Install dnsmap:

sudo apt install dnsmap

Run DNS enumeration:

dnsmap example.com

Using host

For a basic lookup:

host example.com

For specific record types (-t takes the record type):

host -t mx example.com    # MX Records
host -t txt example.com   # TXT Records

Automating Forward Lookups with Bash

Prepare a list of subdomains (e.g., list.txt):

www
ftp
proxy
mail

Run the following script:

for subdomain in $(cat list.txt); do host $subdomain.example.com; done

Reverse Lookup Bruteforce

Using Bash

For a range of IPs:

for ip in $(seq 50 100); do host 38.100.193.$ip; done | grep -v "not found"
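The two loops above (forward lookups over list.txt and the reverse sweep over 38.100.193.50-100) both produce raw `host` output. The following is an added example, not part of the original page: it wraps both loops in functions and normalises the answers into "name,ip" / "ip,name" CSV lines, dropping NXDOMAIN noise. It assumes BIND's `host` and the output formats shown in the comments; the hostnames and addresses in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the page): wrap the page's forward and reverse
# `host` loops in functions and normalise the output into CSV.
# Assumptions: BIND `host` is on PATH and prints lines such as (constructed):
#   "www.example.com has address 93.184.216.34"
#   "www.example.com has IPv6 address 2001:db8::1"
#   "34.216.184.93.in-addr.arpa domain name pointer www.example.com."
#   "Host proxy.example.com not found: 3(NXDOMAIN)"

# parse_host_output: read `host` output on stdin, emit one "name,ip" line per
# A/AAAA answer and one "ip,name" line per PTR answer; everything else
# (NXDOMAIN, NS, MX, "Using domain server" banners) is dropped.
parse_host_output() {
  awk '
    / has address /      { print $1 "," $4; next }
    / has IPv6 address / { print $1 "," $5; next }
    / domain name pointer / {
      # rebuild the dotted IP from the reversed in-addr.arpa label
      rev = $1
      sub(/\.in-addr\.arpa\.?$/, "", rev)
      n = split(rev, o, ".")
      name = $5
      sub(/\.$/, "", name)   # strip the trailing root dot
      if (n == 4) print o[4] "." o[3] "." o[2] "." o[1] "," name
      next
    }
  '
}

# forward_brute DOMAIN LISTFILE: resolve each candidate label from LISTFILE
# under DOMAIN (the page's list.txt loop, but tolerant of blank lines and
# without word-splitting the file contents).
forward_brute() {
  domain=$1
  list=$2
  while IFS= read -r label || [ -n "$label" ]; do
    [ -z "$label" ] && continue
    host "$label.$domain"
  done < "$list" | parse_host_output
}

# reverse_sweep PREFIX START END: PTR-query PREFIX.START .. PREFIX.END
# (the page's 38.100.193.$ip loop); unresolved addresses produce no line.
reverse_sweep() {
  prefix=$1
  start=$2
  end=$3
  i=$start
  while [ "$i" -le "$end" ]; do
    host "$prefix.$i"
    i=$((i + 1))
  done | parse_host_output
}

# usage: forward_brute example.com list.txt > forward.csv
#        reverse_sweep 38.100.193 50 100 > reverse.csv
```

Reading the list with `while read` instead of `$(cat list.txt)` avoids word-splitting and glob expansion of the file contents, and piping through the parser means the CSV can be diffed between runs to spot newly created or removed hosts.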

Using dnsrecon

Reverse lookup brute force (-t rvl needs the address range via -r, given as a CIDR or start-end range):

dnsrecon -d example.com -r <ip_range> -t rvl

DNS Zone Transfers

Using host

Check whether the server allows a zone transfer (AXFR); a server that answers dumps every record in the zone:

host -l example.com <dns_server_ip>

Using dnsrecon

dnsrecon -d example.com -t axfr

Using dnsenum

Install dnsenum:

sudo apt install dnsenum

Run zone transfer:

dnsenum zonetransfer.me
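When testing zone transfers across several name servers it helps to reduce each `host -l` attempt to a one-line verdict. The following is an added example, not part of the original page or any of the tools above: it classifies `host -l` output as allowed or refused, counts the records and distinct hosts exposed, and tests every NS record of a domain, since a single lax secondary is enough to leak the zone. It assumes BIND's `host`, which prints "; Transfer failed." on refusal; the zone contents in the comments and tests are constructed.

```shell
#!/bin/sh
# Added example (not from the page): classify the result of a `host -l`
# zone-transfer attempt so a sweep over many name servers gives one line each.
# Assumptions: BIND `host`; on refusal it prints "; Transfer failed.", and on
# success one line per record, e.g. (constructed):
#   "example.com has address 192.0.2.10"
#   "example.com name server ns1.example.net."
#   "www.example.com has address 192.0.2.10"

# classify_axfr: read `host -l` output on stdin and print either
# "refused" or "allowed <record-count> <distinct-hosts>". Always exits 0 so
# it can be used inside command substitutions under set -e.
classify_axfr() {
  awk '
    /^; Transfer failed/ { failed = 1 }
    / has address | has IPv6 address | name server | domain name pointer / {
      records++
      if (!($1 in hosts)) { hosts[$1] = 1; distinct++ }
    }
    END {
      if (failed || records == 0) { print "refused"; exit 0 }
      printf "allowed %d %d\n", records, distinct
    }
  '
}

# check_zone DOMAIN NS: run the page's `host -l` check against one name server.
check_zone() {
  printf '%s %s: ' "$2" "$1"
  host -l "$1" "$2" 2>&1 | classify_axfr
}

# check_all_ns DOMAIN: look up the domain's NS records and test each one.
check_all_ns() {
  domain=$1
  host -t ns "$domain" | awk '/ name server /{sub(/\.$/, "", $NF); print $NF}' |
  while IFS= read -r ns; do
    check_zone "$domain" "$ns"
  done
}

# usage: check_all_ns zonetransfer.me
```

"refused" is the expected result for every Internet-facing server; on BIND that is enforced with `allow-transfer { none; };` (or a list of the secondaries' addresses) in named.conf, and an "allowed" line from this script is the finding to report.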

Common Use Cases

  1. Forward Lookups: Identify valid subdomains and their associated IPs.

  2. Reverse Lookups: Discover hostnames for a given range of IPs.

  3. Zone Transfers: Exploit misconfigured DNS servers to dump entire domain records.

  4. Brute Forcing: Use wordlists to uncover hidden or forgotten subdomains.


Custom Wordlists

You can use wordlists from the SecLists repository for DNS brute-forcing:

sudo apt install seclists

Example location:

/usr/share/seclists/Discovery/DNS/
