# DNS Enumeration Cheatsheet

Default Port: 53 (TCP/UDP)

## Key DNS Record Types
| Record | Description |
|---|---|
| A | IPv4 address |
| AAAA | IPv6 address |
| MX | Mail server |
| NS | Name server |
| TXT | Text records (SPF, DMARC, verification) |
| CNAME | Canonical name / alias |
| SOA | Start of authority |
| PTR | Reverse lookup |
| SRV | Service location |
## Basic Lookups

```bash
# host
host <domain>
host -t A <domain>
host -t MX <domain>
host -t NS <domain>
host -t TXT <domain>
host -t CNAME <domain>

# dig
dig <domain>
dig <domain> ANY
dig <domain> A
dig <domain> MX
dig <domain> NS
dig <domain> TXT
dig @<nameserver> <domain> ANY +noall +answer

# nslookup
nslookup <domain>
nslookup -type=MX <domain>
nslookup -type=NS <domain>
```
## Zone Transfer

```bash
dig axfr @<nameserver> <domain>
host -l <domain> <nameserver>
fierce --domain <domain>
```
## Subdomain Enumeration

```bash
# dnsenum
dnsenum --dnsserver <ns> --enum -p 0 -s 0 -o output.txt -f wordlist.txt <domain>
dnsenum --enum inlanefreight.htb -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -r

# dnsrecon
dnsrecon -d <domain> -t std                 # Standard enumeration
dnsrecon -d <domain> -t axfr                # Zone transfer attempt
dnsrecon -d <domain> -t brt -D wordlist.txt # Brute force subdomains

# gobuster DNS mode
gobuster dns -d <domain> -w wordlist.txt -r <nameserver>

# Sublist3r
sublist3r -d <domain>

# Amass
amass enum -d <domain>
amass enum -passive -d <domain>
```
## Nmap DNS Scripts

```bash
nmap -p 53 --script dns-brute <domain>
nmap -p 53 --script dns-zone-transfer \
    --script-args dns-zone-transfer.domain=<domain> <nameserver>
nmap -p 53 --script dns-nsid <nameserver>
nmap -p 53 --script dns-recursion <nameserver>
nmap -p 53 --script dns-cache-snoop <nameserver>
```
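Defender-side counterpart to the zone-transfer and subdomain brute-force commands above. This is an added example, not part of the original cheatsheet: it parses BIND 9 query-log lines and flags clients that request AXFR or query an unusual number of distinct names under a zone within a short window. The sample log lines, the zone `example.htb`, the 60-second window and the 20-name threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# BIND 9 query-log line; the "@0x..." client pointer is optional across versions.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) "
)

def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype) or None for non-query lines."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("ip"), m.group("name").lower(), m.group("qtype").upper()

def detect(lines, zone, window=timedelta(seconds=60), threshold=20):
    """Map client IP -> findings: AXFR requests, or >= threshold distinct names under zone in one window."""
    findings, seen = defaultdict(list), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, name, qtype = rec
        if qtype == "AXFR":
            findings[ip].append(f"AXFR request for {name}")
        if name == zone or name.endswith("." + zone):
            seen[ip].append((ts, name))
    for ip, events in seen.items():
        events.sort()  # sliding window over this client's time-ordered queries
        best = start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({n for _, n in events[start:end + 1]}))
        if best >= threshold:
            findings[ip].append(f"{best} distinct names under {zone} within {window.seconds}s")
    return dict(findings)

# Constructed sample log (assumed values): a brute-forcer, a normal client, and an AXFR attempt.
def _line(ts, ip, name, qtype):
    return (f"{ts:%d-%b-%Y %H:%M:%S}.001 client @0x7f3a4c001e70 {ip}#51234 "
            f"({name}): query: {name} IN {qtype} +E(0)K (10.0.0.53)")

BASE = datetime(2024, 3, 14, 10, 21, 0)
SAMPLE_LOG = [_line(BASE + timedelta(seconds=i), "192.168.1.50", f"host{i}.example.htb", "A") for i in range(25)] + [
    _line(BASE + timedelta(seconds=5), "192.168.1.20", "www.example.htb", "A"),
    _line(BASE + timedelta(seconds=7), "192.168.1.77", "example.htb", "AXFR")]
```

Run `detect(SAMPLE_LOG, "example.htb")` to see the two flagged clients; on a real server, feed it the query log enabled via BIND's `querylog` channel and tune the threshold to the zone's normal traffic.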
## Reverse DNS Lookup

```bash
dig -x <ip>
host <ip>
dnsrecon -r <cidr> -t rvl

# Example
dig -x 192.168.1.1
host 192.168.1.1
```
## Wordlists (SecLists)

```text
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
/usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt
```