DNS Enumeration
# Overview
DNS enumeration moves from passive to active: querying the target's DNS servers directly for records, attempting zone transfers, brute-forcing subdomains, and analyzing DNS infrastructure. DNS can reveal internal hostnames, mail servers, SPF records (which may expose IP ranges), and domain controller information.
# Prerequisites
- dig, nslookup, host (built-in)
- dnsrecon, dnsenum (apt install)
- Subdomain wordlist (SecLists: /usr/share/seclists/Discovery/DNS/)
# Execution
# Direct DNS Queries
```bash
# Query specific name servers directly
# (many servers answer ANY with a minimal response, so also query the types individually)
dig @ns1.example.com example.com ANY
dig @ns1.example.com example.com AXFR
# All common record types
for type in A AAAA MX NS CNAME TXT SOA SRV PTR; do
    echo "=== $type ==="
    dig example.com "$type" +short
done
# DNSSEC records
dig example.com DNSKEY
dig example.com DS
```
# Zone Transfer (AXFR)
```bash
# Find name servers first
dig example.com NS
# Attempt zone transfer against each name server
dig axfr @ns1.example.com example.com
dig axfr @ns2.example.com example.com
# Automated with dnsrecon
dnsrecon -d example.com -t axfr
# Automated with dnsenum
dnsenum example.com
```
A successful zone transfer dumps ALL DNS records for the domain — subdomains, internal IPs, servers, and configuration. This is rare on internet-facing servers but occasionally works on internal assessments.
# Subdomain Brute-Force
```bash
# dnsrecon with wordlist
dnsrecon -d example.com -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t brt
# gobuster DNS mode
gobuster dns -d example.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
# ffuf virtual-host fuzzing over HTTP (Host header); -fc 404 drops HTTP 404 responses, not NXDOMAIN
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://FUZZ.example.com -H "Host: FUZZ.example.com" -fc 404
# fierce (recursive subdomain discovery)
fierce --domain example.com
# Pure bash DNS brute-force (host exits non-zero on NXDOMAIN)
while read -r sub; do
    if host "$sub.example.com" >/dev/null 2>&1; then
        echo "$sub.example.com"
    fi
done < /usr/share/seclists/Discovery/DNS/namelist.txt
```
# SRV Record Discovery (Active Directory)
SRV records identify domain services and are critical for AD reconnaissance:
```bash
# Discover Domain Controllers
dig _ldap._tcp.dc._msdcs.example.com SRV
nslookup -type=SRV _ldap._tcp.dc._msdcs.example.com
# Kerberos servers
dig _kerberos._tcp.example.com SRV
# Global Catalog
dig _gc._tcp.example.com SRV
# All AD-related SRV records
dnsrecon -d example.com -t srv
```
# DNS Infrastructure Mapping
```bash
# Find all name servers for a domain
dig example.com NS +short
# SOA: primary name server, admin contact and zone serial
dig example.com SOA +short
# DNS forward/reverse consistency (loop, since a name may have several A records)
for ip in $(dig example.com A +short); do
    echo "$ip -> $(dig -x "$ip" +short)"
done
# Detect SPF record (reveals mail servers and IPs)
dig example.com TXT +short | grep -i spf
```
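As an added example (not from the original page), a small parser that turns the SPF and DMARC TXT answers from `dig +short` into the facts a reviewer wants: the authorized IP ranges and includes, the DMARC policy, and whether the SPF `all` qualifier actually enforces anything. The sample records are constructed; dig output is assumed to arrive as quoted strings, possibly split into several quoted chunks for long records.

```python
import re

# Constructed sample answers in the form `dig example.com TXT +short` prints them.
SPF_SAMPLE = '"v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 include:_spf.example.net a mx ~all"'
DMARC_SAMPLE = '"v=DMARC1; p=none; rua=mailto:dmarc@example.com"'

def unquote_txt(txt: str) -> str:
    """Join the quoted chunks dig prints for a TXT record (long records are split at 255 bytes)."""
    chunks = re.findall(r'"([^"]*)"', txt)
    return "".join(chunks) if chunks else txt.strip()

def parse_spf(txt: str) -> dict:
    """Extract ip4/ip6 ranges, includes, other mechanisms and the qualifier on `all`."""
    terms = unquote_txt(txt).split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    info = {"ip4": [], "ip6": [], "include": [], "other": [], "all": None}
    for term in terms[1:]:
        qualifier = "+"  # implicit qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6", "include"):
            info[name].append(value)
        elif name == "all":
            info["all"] = qualifier
        else:
            info["other"].append(term)  # a, mx, exists:, redirect=, ...
    return info

def spf_posture(info: dict) -> str:
    """'-all' rejects unlisted senders, '~all' only soft-fails, '?all'/'+all' or no 'all' enforce nothing."""
    labels = {"-": "hardfail", "~": "softfail", "?": "neutral (no enforcement)", "+": "pass-all (no enforcement)"}
    return labels.get(info["all"], "no all mechanism (neutral)")

def parse_dmarc(txt: str) -> dict:
    """Return DMARC tags as a dict; 'p' is the policy (none/quarantine/reject)."""
    tags = {}
    for part in unquote_txt(txt).split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags
```

Feed the output of `dig <domain> TXT +short` and `dig _dmarc.<domain> TXT +short` line by line into `parse_spf` and `parse_dmarc` respectively.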
# ADIDNS (Active Directory-Integrated DNS)
In internal AD environments, any authenticated user can potentially create or modify DNS records:
```bash
# Check if dynamic DNS updates are allowed
# If you have valid AD credentials:
dnstool.py -u 'DOMAIN\user' -p 'password' -r 'attacker.example.com' -d '<attacker_IP>' --action add 'dc.example.com'
```
# What DNS Reveals
| Record | Intelligence Value |
|---|---|
| A / AAAA | Web servers, exposed services, CDN detection |
| MX | Email provider (O365, GSuite, on-prem Exchange) |
| NS | DNS provider, potential for zone transfer |
| TXT (SPF) | Authorized mail servers and IP ranges |
| TXT (DMARC) | Email security posture |
| SRV | Internal services: DCs, Kerberos, SIP, XMPP |
| CNAME | Service relationships, CDN aliases |
| SOA | Primary name server, admin email |
| PTR | Reverse DNS naming conventions |
# NSEC/NSEC3 Zone Walking
```bash
dig @ns1.example.com example.com NSEC
dnsrecon -d example.com -t zonewalk
```
# ADIDNS Exploitation
```bash
python3 dnstool.py -u 'DOMAIN\user' -p 'password' -r 'attacker.domain.local' -d 10.10.14.5 --action add dc.domain.local
```
# Wildcard Detection Methodology
```bash
dig random12345.example.com A +short
dig thisdoesnotexist99.example.com A +short
# If both resolve to the same IP → wildcard is active
# Filter wildcard IPs from brute-force results
```
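An added example (not part of the original page) that implements the check above: several random labels are resolved, the IPs common to every answer are taken as the wildcard set, and brute-force hits that only resolve to those IPs are dropped. It shells out to `dig +short` (assumed on PATH) for live use; the logic takes a resolver callable so it can also be checked on constructed data without network access.

```python
import random
import string
import subprocess
from typing import Callable, Dict, FrozenSet

Resolver = Callable[[str], FrozenSet[str]]

def resolve_a(name: str) -> FrozenSet[str]:
    """A records for `name` via `dig +short` (empty set on NXDOMAIN or failure).
    Non-IP lines (e.g. the CNAME target dig prints first) are skipped."""
    try:
        out = subprocess.run(["dig", "+short", name, "A"], capture_output=True,
                             text=True, timeout=10, check=False).stdout
    except (OSError, subprocess.TimeoutExpired):
        return frozenset()
    return frozenset(l.strip() for l in out.splitlines() if l.strip()[:1].isdigit())

def random_label(length: int = 12) -> str:
    """A label that should not exist in the zone, e.g. 'k3j9x0q2mz7a'."""
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=length))

def detect_wildcard(domain: str, probes: int = 3, resolver: Resolver = resolve_a) -> FrozenSet[str]:
    """Resolve several random labels; IPs present in every answer form the wildcard set.
    Returns an empty set when any probe gets no answer (no wildcard in the zone)."""
    answers = [resolver(f"{random_label()}.{domain}") for _ in range(probes)]
    if not answers or not all(answers):
        return frozenset()
    return frozenset.intersection(*answers)

def filter_wildcard_hits(hits: Dict[str, FrozenSet[str]],
                         wildcard_ips: FrozenSet[str]) -> Dict[str, FrozenSet[str]]:
    """Keep only brute-force hits that resolve to at least one non-wildcard IP."""
    return {name: ips for name, ips in hits.items() if ips and not ips <= wildcard_ips}

if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    wildcard = detect_wildcard(domain)
    print(f"wildcard IPs for {domain}: {sorted(wildcard) or 'none'}")
```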
# DNS Rebinding Attack
The attacker sets a DNS record with a very low TTL that alternates between internal and external IPs; this bypasses the browser's Same-Origin Policy and enables SSRF-style attacks. Tool: dnsrebind.rb.
# DNS Cache Snooping
```bash
dig @10.10.10.10 www.example.com A +noedns +norecurse
```
# Common Pitfalls
- Wildcard DNS: some domains resolve ALL subdomains to the same IP. Filter by checking whether several random subdomains resolve to the same address.
- Rate limiting: aggressive brute-forcing may trigger DNS rate limits or alerts.
- Split-horizon DNS: internal and external DNS servers may return different records; what you see externally isn't the full picture.
# OPSEC Considerations
- DNS queries to the target's name servers are logged and may trigger alerts in monitored environments.
- Brute-force subdomain enumeration generates thousands of queries and is easily detected by DNS monitoring.
- For stealth: use public resolvers (8.8.8.8, 1.1.1.1) for initial queries, then switch to direct queries against the target's servers only for zone transfers and SRV records.
- ADIDNS modifications are logged as Event ID 5136 (Directory Service changes).
# Post-Exploitation Value
DNS records map out the target's external attack surface. Subdomains often expose forgotten or less-secured services (dev.example.com, staging.example.com). SRV records identify domain controllers for later AD attacks.