DNS Enumeration (53)

Most common types of DNS records include:

  • NS - Nameserver records contain the name of the authoritative servers hosting the DNS records for a domain.
  • A - Also known as a host record, the A record contains the IPv4 address of a hostname.
  • MX - Mail Exchange records contain the names of the servers responsible for handling email for the domain. A domain can contain multiple MX records.
  • PTR - Pointer Records are used in reverse lookup zones and are used to find the records associated with an IP address.
  • CNAME - Canonical Name Records are used to create aliases for other host records.
  • TXT - Text records can contain any arbitrary data and can be used for various purposes, such as domain ownership verification.


Find the IP of a domain (A record)

host <domain name>

Find Specific DNS records for a domain

host -t <record type> <domain name>
# ex. host -t mx <domain name>

Forward Lookup Brute Force

for sub in $(cat list.txt); do host $sub.<domain name>; done | grep -v NXDOMAIN
# list.txt has possible subdomains (www, ftp, mail), one per line

Reverse Lookup Brute Force

for ip in $(seq 50 100); do host 38.100.193.$ip; done | grep -v "not found"

Zone Transfer

host -l <domain name> <dns server address>
# ex. host -l <domain name> <nameserver hostname or IP>

Get nameservers

host -t ns <domain name> | cut -d " " -f 4
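The record types listed above all come back from host in different phrasings, and the cut -d " " -f 4 trick above only works for the "name server" lines. The following is an added example (not part of the original cheat sheet) that parses host output into (name, type, value) tuples for every record type listed on this page; the sample output is constructed and uses the reserved example.test zone and documentation addresses.

```python
import re
# Constructed sample of `host` output (not from a real domain), covering the
# record types the cheat sheet lists. Trailing dots are as `host` prints them.
SAMPLE_HOST_OUTPUT = """\
example.test name server ns1.example.test.
example.test name server ns2.example.test.
www.example.test has address 192.0.2.10
www.example.test has IPv6 address 2001:db8::10
example.test mail is handled by 10 mail.example.test.
example.test mail is handled by 20 mail2.example.test.
ftp.example.test is an alias for www.example.test.
10.2.0.192.in-addr.arpa domain name pointer www.example.test.
example.test descriptive text "v=spf1 -all"
Host nothere.example.test not found: 3(NXDOMAIN)
"""

# Each pattern maps one `host` output phrasing to the DNS record type it reports.
_PATTERNS = [
    ("NS",    re.compile(r"^(?P<name>\S+) name server (?P<value>\S+)$")),
    ("A",     re.compile(r"^(?P<name>\S+) has address (?P<value>\S+)$")),
    ("AAAA",  re.compile(r"^(?P<name>\S+) has IPv6 address (?P<value>\S+)$")),
    ("MX",    re.compile(r"^(?P<name>\S+) mail is handled by (?P<prio>\d+) (?P<value>\S+)$")),
    ("CNAME", re.compile(r"^(?P<name>\S+) is an alias for (?P<value>\S+)$")),
    ("PTR",   re.compile(r"^(?P<name>\S+) domain name pointer (?P<value>\S+)$")),
    ("TXT",   re.compile(r"^(?P<name>\S+) descriptive text (?P<value>.+)$")),
]

def parse_host_output(text):
    """Turn `host` output into (name, rtype, value) tuples; non-record lines such
    as NXDOMAIN / "not found" are skipped and trailing dots are stripped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        for rtype, pat in _PATTERNS:
            m = pat.match(line)
            if not m:
                continue
            value = m.group("value").rstrip(".")
            if rtype == "MX":              # keep the MX priority with the host
                value = f"{m.group('prio')} {value}"
            if rtype == "TXT":             # host wraps TXT data in quotes
                value = value.strip('"')
            records.append((m.group("name").rstrip("."), rtype, value))
            break
    return records

def records_of_type(records, rtype):
    """Values for one record type, e.g. the NS hosts to check for open AXFR."""
    return [value for _, t, value in records if t == rtype]
```

Feed it the output of host -t ns or host -l to get the nameserver list without depending on the column position that cut assumes.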

Zonetransfer auto-scripts


#!/bin/bash
# Simple Zone Transfer Bash Script
# $1 is the first argument given after the bash script
# Check if argument was given, if not, print usage

if [ -z "$1" ]; then
  echo "[*] Simple Zone transfer script"
  echo "[*] Usage : $0 <domain name> "
  exit 0
fi

# if argument was given, identify the DNS servers for the domain
for server in $(host -t ns "$1" | cut -d " " -f4); do
  # For each of these servers, attempt a zone transfer
  host -l "$1" "$server" | grep "has address"
done

Zonetransfer dnsrecon

dnsrecon -d <domain name> -t axfr

Subdomain Brute Force dnsrecon

dnsrecon -d <domain name> -D ~/list.txt -t brt