DNS 53
Nmap Enumeration
Basic Scan for DNS
nmap -p 53 <target_range> -vv -oA dns
Where <target_range> could be a single IP (e.g., 10.10.10.10) or a range (e.g., 10.11.1.1-254). -oA takes a base name and writes dns.nmap, dns.gnmap and dns.xml, so leave off the .txt extension. Note that this checks TCP 53 only; DNS answers mostly over UDP 53, so add -sU if you want that covered too.
Finding the DNS Server
Using nslookup
nslookup <hostname> <dns_server_ip>
Using dig
Basic query:
dig @<dns_server_ip> <hostname>
Reverse lookup:
dig -x <ip_address> +short
Forward Lookup Bruteforce
Using dnsrecon
Install dnsrecon:
sudo apt install dnsrecon
Run a forward lookup brute force:
dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t std --xml dnsrecon.xml
Using dnsmap
Install dnsmap:
sudo apt install dnsmap
Run DNS enumeration:
dnsmap example.com
Using host
For a basic lookup:
host example.com
For specific record types (host takes the type with -t; -mx and -tx are not valid options):
host -t mx example.com # MX records
host -t txt example.com # TXT records
Automating Forward Lookups with Bash
Prepare a list of subdomains (e.g., list.txt):
www
ftp
proxy
mail
Run the following script:
for subdomain in $(cat list.txt); do host $subdomain.example.com; done
Reverse Lookup Bruteforce
Using Bash
For a range of IPs:
for ip in $(seq 50 100); do host 38.100.193.$ip; done | grep -v "not found"
Using dnsrecon
Reverse lookup brute force (the rvl type needs an IP range via -r, not just a domain):
dnsrecon -r <ip_range> -t rvl
DNS Zone Transfers
Using host
Check for a vulnerable zone transfer:
host -l example.com <dns_server_ip>
Using dnsrecon
dnsrecon -d example.com -t axfr
Using dnsenum
Install dnsenum:
sudo apt install dnsenum
Run a zone transfer:
dnsenum zonetransfer.me
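The tools above hide what a zone transfer looks like on the wire. The following is an added example (not from this cheat sheet or any of the tools it lists) that builds an AXFR query by hand with only the Python standard library and reports the server's response code, so you can verify that your own authoritative servers answer REFUSED to hosts that are not allowed to transfer the zone. The server and zone are taken from the command line; the response in the test is a constructed packet.

```python
import socket
import struct
import sys

# DNS RCODE values from the header flags (RFC 1035 / RFC 2136).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(name):
    """Encode 'example.com' as DNS wire-format labels: \x07example\x03com\x00."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """Header (1 question, flags 0) followed by one question of type AXFR (252), class IN (1)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", 252, 1)

def parse_header(msg):
    """Return (txid, rcode name, answer count) from the 12-byte DNS header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    return txid, RCODES.get(rcode, str(rcode)), an

def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket (DNS over TCP is a byte stream)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf

def axfr_probe(server, zone, timeout=5.0):
    """Send an AXFR over TCP (2-byte length prefix) and parse the first reply message.
    A server that refuses transfers answers REFUSED with 0 answers; an open one
    answers NOERROR with the SOA and further records (a full dump may span messages)."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", recv_exact(s, 2))[0]
        return parse_header(recv_exact(s, length))

if __name__ == "__main__":
    # Usage: python axfr_probe.py <dns_server_ip> <zone>   (placeholders, as on this page)
    txid, rcode, answers = axfr_probe(sys.argv[1], sys.argv[2])
    print(f"txid={txid:#06x} rcode={rcode} answers_in_first_message={answers}")
```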
Common Use Cases
Forward Lookups: Identify valid subdomains and their associated IPs.
Reverse Lookups: Discover hostnames for a given range of IPs.
Zone Transfers: Exploit misconfigured DNS servers to dump entire domain records.
Brute Forcing: Use wordlists to uncover hidden or forgotten subdomains.
Custom Wordlists
You can use wordlists from the SecLists repository for DNS brute-forcing:
sudo apt install seclists
Example location:
/usr/share/seclists/Discovery/DNS/