
DNS Enumeration


The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates easily memorized domain names to the numerical IP addresses needed for locating computer services and devices worldwide. The Domain Name System is an essential component of the functionality of the Internet.

DNS uses UDP port 53 (zone transfers and responses too large for UDP use TCP port 53).

www.example.com => 93.184.216.119

Elements of the name:
- dot: at the end is the root [first zone]
- com: top level domain [TLD] [second zone]
- example: domain [third zone]
- www: subdomain [fourth zone]

Subdomain examples:
- www.example.com:80
- smtp.example.com:25
- pop.example.com:110
- imap.example.com:143
- irc.example.com:6669

DNS records

- A: IPv4 address [www.example.com:80]
- AAAA: IPv6 address [www.example.com:80]
- MX: mail exchanger [smtp.example.com:25]
- CNAME: alias, resolves to another domain name [irc.example.com:6669]
- TXT: text []
- NS: name server []
- ANY: any record type that exists for the subject of the query
- HINFO: host information. Information about the CPU type and operating system of the subject of the query
- WKS: well-known services or applications available on this host
- PTR: pointer record. Returns a host name for an IP address
- SOA: start of authority record
- SRV: service record, a specification of data in the Domain Name System defining the location, i.e. the hostname and port number, of servers for specified services


Zone Transfers

DNS zone transfer, also sometimes known by the inducing DNS query type AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers. Zone transfer comes in two flavors, full (AXFR) and incremental (IXFR).

Cache Snooping

DNS cache snooping is when someone queries a DNS server in order to find out (snoop) if the DNS server has a specific DNS record cached, and thereby deduce if the DNS server's owner (or its users) have recently visited a specific site. This may reveal information about the DNS server's owner, such as what vendor, bank, service provider, etc. they use, especially if this is confirmed (snooped) multiple times over a period. This method could even be used to gather statistical information, for example at what time the DNS server's owner typically accesses their net bank. The cached DNS record's remaining TTL value can provide very accurate data for this. Great for determining relations and outside services used that can be leveraged in phishing attempts.


Checks information about ownership of a domain name

$ whois [domain] – queries the databases that store the registered users or assignees of an Internet resource, such as a domain name or an IP address range

Example:
$ whois hackme.com
Domain Name: HACKME.COM
Registrar: UNIREGISTRAR CORP
Sponsoring Registrar IANA ID: 1659
Whois Server:
Referral URL:
Name Server: NS1.HOSTINGNET.COM
Name Server: NS2.HOSTINGNET.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 02-dec-2014
Creation Date: 06-jun-2003
Expiration Date: 06-jun-2017


Query the DNS server

$ host [domain] – query DNS server for domain
$ host [ip_address] – reverse DNS lookup
$ host -t [DNS_record] [domain] – query DNS for the given DNS record
$ host -l [domain] – zone transfer using AXFR

Example
$ host [domain]
[domain] has address 23.21.224.150
[domain] mail is handled by 1000

$ host -t A [domain]
[domain] has address 23.21.224.150

$ host -t AAAA [domain]
[domain] has no AAAA record

$ host -t MX [domain]
[domain] mail is handled by 1000

$ host -t SOA [domain]
[domain] has SOA record ns1.digimedi dns.digimedi 2014090503 10800 3600 604800 3600

$ host -t PTR 23.21.224.150
 domain name pointer

Name Servers

Authoritative: An authoritative name server provides the actual answer to your DNS queries, such as a mail server IP address or a web site IP address (A resource record). It provides original and definitive answers to DNS queries. It does not provide cached answers obtained from another name server; therefore it only returns answers to queries about domain names that are installed in its configuration. There are two types of authoritative name servers:
- Master server (primary name server): A master server stores the original master copies of all zone records. A hostmaster only makes changes to master server zone records. Each slave server gets updates via a special automatic updating mechanism of the DNS protocol. All slave servers maintain an identical copy of the master records.
- Slave server (secondary name server): A slave server is an exact replica of the master server. It is used to share DNS server load and to improve DNS zone availability in case the master server fails. It is recommended to have at least 2 slave servers and one master server for each domain name.

Recursive: A recursive nameserver is one that answers queries by asking other nameservers for the answer. It will satisfy queries from cache if possible, but otherwise it traverses the Internet (or private) namespace tree, from the root level if necessary, repeatedly asking the query on behalf of its client and following referrals from authoritative servers until it finds one that provides the answer(s) that it can return to its client.

Caching: Caching name servers (DNS caches) store DNS query results for a period of time determined in the configuration (time-to-live) of each domain-name record. DNS caches improve the efficiency of the DNS by reducing DNS traffic across the Internet, and by reducing load on authoritative name servers, particularly root name servers. Because they can answer questions more quickly, they also increase the performance of end-user applications that use the DNS. Recursive name servers resolve any query they receive, even if they are not authoritative for the question being asked, by consulting the server or servers that are authoritative for the question. Caching name servers are often also recursive name servers: they perform every step necessary to answer any DNS query they receive.
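An added simulation (not from the original cheat sheet) that ties the Name Servers section to the Cache Snooping section above: a constructed three-zone namespace, an iterative resolver that follows referrals from the root to the authoritative server, and a caching resolver whose non-recursive answers come only from cache, so the remaining TTL dates when a record was fetched. Zone names, server names and TTLs are constructed for the example; the injected clock lets TTL decay be stepped by hand.

```python
# Constructed mini-namespace (not real DNS data): each zone lists its authoritative
# server and the records it holds; every other name is delegated to a child zone.
ZONES = {
    ".":            {"ns": "a.root-servers.example", "records": {}},
    "com.":         {"ns": "a.gtld.example", "records": {}},
    "example.com.": {"ns": "ns1.example.com.", "records": {
        ("www.example.com.", "A"): (300, ["93.184.216.119"]),
        ("example.com.", "MX"): (3600, ["10 smtp.example.com."])}},
}

def in_zone(name, zone):
    """True if name is at or below the zone apex (the root contains everything)."""
    return zone == "." or name == zone or name.endswith("." + zone)

def iterative_resolve(name, qtype):
    """Chase referrals from the root as a recursive server does; returns (record, servers asked)."""
    zone, asked = ".", []
    while True:
        asked.append(ZONES[zone]["ns"])
        rec = ZONES[zone]["records"].get((name, qtype))
        if rec is not None:
            return rec, asked                      # authoritative answer (aa flag set)
        children = [z for z in ZONES if z != zone and in_zone(name, z) and in_zone(z, zone)]
        if not children:
            return None, asked                     # no delegation and no record: NXDOMAIN/NODATA
        zone = min(children, key=len)              # referral to the next zone down

class CachingResolver:
    """Caching + recursive name server; clock is injected so TTL decay can be simulated."""
    def __init__(self, clock):
        self.clock, self.cache, self.upstream_queries = clock, {}, 0

    def query(self, name, qtype, recurse=True):
        now = self.clock()
        hit = self.cache.get((name, qtype))
        if hit and hit[0] > now:                   # cached and not yet expired
            return {"rdata": hit[1], "ttl": hit[0] - now, "from_cache": True}
        if not recurse:                            # RD=0 (dig +norecurse): answer only from cache
            return None
        self.upstream_queries += 1
        rec, _ = iterative_resolve(name, qtype)
        if rec is None:
            return None
        self.cache[(name, qtype)] = (now + rec[0], rec[1])   # expiry = now + authoritative TTL
        return {"rdata": rec[1], "ttl": rec[0], "from_cache": False}

def estimate_cached_at(observed_ttl, authoritative_ttl, now):
    """Cache-snooping inference: the remaining TTL dates when the resolver fetched the record."""
    return now - (authoritative_ttl - observed_ttl)
```

A resolver that refuses non-recursive queries from untrusted clients, or that only serves its own network, removes the signal that estimate_cached_at relies on.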


Query the DNS server

$ nslookup – brings up the interactive mode
$ > [domain] – query DNS server for domain
$ > [ip_address] – reverse DNS lookup
$ > server [ip_address or domain] – change the default (current) DNS server to ip_address or domain
$ > set root=dnsserver – makes the root DNS server the default DNS server for the query session
$ > domain dnsserver – show the IP address of the host domain, but query dnsserver for the information
$ > set type=x – determines the type of DNS record that the DNS server will use to answer the query (x = DNS record type)
$ > set recursive – query other DNS servers if the default server does not have the information
$ > ls -a domain – list all canonical (true) names and aliases in domain
$ > ls -h domain – list HINFO (CPU type and operating system) for domain
$ > ls -s domain – list the well-known services available on domain
$ > ls -d domain – list all available records for domain. Includes all DNS record types
$ > ls -t [type] domain – list all DNS TYPE records for domain
$ > exit – quit the interactive mode

Example
$ nslookup
$ > server [nameserver]
Server: [nameserver]#53
$ > hack.com
Server: [nameserver]#53

Non-authoritative answer:
Name: hack.com
Address: 23.21.224.150
$ > 23.21.224.150
Server: [nameserver]#53

Non-authoritative answer: name =

Authoritative answers can be found from:


Query the DNS server

$ dig [domain] – query DNS server for name
$ dig +nocmd [domain] – drops the dig version from the query output
$ dig +nocomments [domain] – drops the question and answer section from the query output
$ dig +noquestion [domain] – drops the question from the query output
$ dig +noanswer [domain] – drops the answer from the query output
$ dig +noauthority [domain] – drops the information on authoritative DNS servers from the query output
$ dig +noadditional [domain] – drops additional information from the query output
$ dig +nostat [domain] – drops statistics from the query output
$ dig +short [domain] – short form of query output
$ dig [DNS_record] [domain] – query DNS for the given DNS record
$ dig [domain] AXFR – zone transfer
$ dig -x [ip_address] – reverse DNS lookup
$ dig @nameserver [domain] – query a different name server
$ dig +search [domain] – uses the search list from /etc/resolv.conf
$ dig -f /path/to/file – query for the hosts specified in the file
$ dig +noall – set or clear all display flags

Example
$ dig @[nameserver] hack.com

; <<>> DiG 9.8.3-P1 <<>> @[nameserver] hack.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;hack.com. IN A

;; ANSWER SECTION:
hack.com. 299 IN A 69.172.201.208

;; Query time: 91 msec
;; SERVER: [nameserver]#53([nameserver])
;; WHEN: Thu Mar 12 21:50:25 2015
;; MSG SIZE rcvd: 44

$ dig @[nameserver] +short hack.com


Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It is meant specifically to locate likely targets both inside and outside a corporate network. Because it uses DNS primarily, you will often find mis-configured networks that leak internal address space. That's especially useful in targeted malware.
