Most common types of DNS records include:
- NS - Nameserver records contain the name of the authoritative servers hosting the DNS records for a domain.
- A - Also known as a host record, the A record contains the IP address of a hostname.
- MX - Mail Exchange records contain the names of the servers responsible for handling email for the domain. A domain can contain multiple MX records.
- PTR - Pointer records are used in reverse lookup zones to find the hostname associated with an IP address.
- CNAME - Canonical Name Records are used to create aliases for other host records.
- TXT - Text records can contain any arbitrary data and can be used for various purposes, such as domain ownership verification.
Find the IP of a domain (A record)
host www.example.com
Find Specific DNS records for a domain
host -t <record type> example.com
# ex. host -t mx example.com
Forward Lookup Brute Force
for sub in $(cat list.txt); do host "$sub.example.com"; done | grep -v NXDOMAIN
# list.txt holds possible subdomain names (www, ftp, mail), one per line
Reverse Lookup Brute Force
for ip in $(seq 50 100); do host "38.100.193.$ip"; done | grep -v "not found"
Zone Transfer
host -l <domain name> <dns server address>
# ex. host -l example.com ns.example.com
Get nameservers
host -t ns example.com | cut -d " " -f 4
Zonetransfer auto-scripts
#!/bin/bash
# Simple Zone Transfer Bash Script
# $1 is the first argument given after the bash script
# Check if an argument was given; if not, print usage and exit
if [ -z "$1" ]; then
    echo "[*] Simple Zone transfer script"
    echo "[*] Usage : $0 <domain name>"
    exit 1
fi
# If an argument was given, identify the DNS servers for the domain
for server in $(host -t ns "$1" | cut -d " " -f4); do
    # For each of these servers, attempt a zone transfer
    host -l "$1" "$server" | grep "has address"
done
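The following is an added example, not from the original notes: it extends the script above by parsing `host` output with awk instead of a fixed `cut` field (which breaks when `host` pads its columns) and reports, per nameserver, whether AXFR is allowed, which is the check a DNS administrator runs against their own domain. The sample outputs (`SAMPLE_NS`, `SAMPLE_AXFR`) are constructed so the parsing functions can be exercised offline.

```shell
#!/bin/bash
# Added example (not from the original page): audit which authoritative
# nameservers of a domain answer a zone transfer (AXFR) request.

# Print nameserver hostnames, trailing dot removed, from `host -t ns` output on stdin.
extract_ns() {
    awk '/name server/ { sub(/\.$/, "", $NF); print $NF }'
}

# Count resource records in `host -l` output read on stdin. A refused transfer
# prints "Transfer failed." and no record lines, so the count is 0.
count_transferred() {
    grep -c -E 'has address|has IPv6 address|name server|mail is handled|is an alias' || true
}

# Query the live nameservers of $1 and report which ones allow AXFR.
audit_axfr() {
    local domain="$1" ns n
    host -t ns "$domain" | extract_ns | while read -r ns; do
        n=$(host -l "$domain" "$ns" | count_transferred)
        if [ "$n" -gt 0 ]; then
            echo "[!] $ns allows zone transfer for $domain ($n records)"
        else
            echo "[+] $ns refuses zone transfer for $domain"
        fi
    done
}

# Constructed sample of `host -t ns example.com` output (offline demonstration).
SAMPLE_NS='example.com name server ns1.example.com.
example.com name server ns2.example.com.'

# Constructed sample of `host -l example.com ns1.example.com` output for an
# open zone (three records after the query header).
SAMPLE_AXFR='Using domain server:
Name: ns1.example.com
Address: 192.0.2.53#53
Aliases:

example.com name server ns1.example.com.
example.com has address 192.0.2.10
www.example.com has address 192.0.2.11'

# Only run live queries when a domain is passed on the command line.
if [ -n "$1" ]; then
    audit_axfr "$1"
fi
```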
Zonetransfer dnsrecon
dnsrecon -d example.com -t axfr
Subdomain Brute Force dnsrecon
dnsrecon -d example.com -D ~/list.txt -t brt
dnsenum
dnsenum example.com