DNS Enumeration
@mmar
1
DNS enumeration, also known as DNS recon, is the process of gathering
information about a target's Domain Name System (DNS) infrastructure and
the records it serves. DNS translates human-readable domain names
(e.g., www.example.com) into machine-readable IP addresses (e.g.,
192.168.1.1). DNS enumeration queries DNS servers for the various record
types (A, AAAA, NS, MX, CNAME, TXT, SOA and so on) and can reveal
valuable information about the target domain, including hidden or
internal subdomains that were never meant to be public.
The primary purpose of DNS enumeration is to build a picture of a
target's DNS infrastructure. Security professionals and penetration
testers use it to find misconfigurations (such as a zone transfer open
to the world) and targets for further testing; malicious actors use the
same data for the same reasons. Subdomains, mail servers, name servers
and the IP ranges behind them all widen the attack surface and can serve
as entry points for later attacks.
Record Types
A      Maps a hostname to an IPv4 address
AAAA   Maps a hostname to an IPv6 address
NS     Name servers authoritative for the zone
MX     Mail servers for the domain
CNAME  Alias of one name to another (canonical name)
PTR    Reverse mapping of an IP address to a name
SOA    Start of authority: primary server, admin contact, serial and timers
AXFR   Zone transfer. Not a resource record but a query type that asks a
       name server for every record in the zone
Dig
dig is the most common DNS enumeration tool, the swiss army knife of DNS
queries. With no record type given it asks for the A record of the name:
>dig zonetransfer.me
The record type goes before the name. The text in parentheses is a
description, not part of the command:
>dig ns zonetransfer.me (name servers)
>dig mx zonetransfer.me (mail servers)
>dig cname zonetransfer.me (CNAME record)
Note that a zone apex such as zonetransfer.me cannot carry a CNAME (it
already holds SOA and NS records), so the CNAME query is only useful
against a host name like www.zonetransfer.me. Add +short to print just
the answer data, and @server to send the query to a specific name server
instead of the system resolver.
Host
host is the simplest DNS enumeration tool: it performs a lookup and
prints the records it gets back. Without options it returns the A, AAAA
and MX records for the name:
>host zonetransfer.me
The -t option selects a specific record type:
>host -t ns zonetransfer.me (name servers)
>host -t mx zonetransfer.me (mail servers)
Given an IP address, host performs a reverse lookup, i.e. it queries the
PTR record under in-addr.arpa (or ip6.arpa for IPv6) to map the address
back to a name:
>host 192.168.2.2
A private address like this one only resolves if an internal DNS server
serves the reverse zone; against public addresses it is a quick way to
learn the name a server is known by.
nslookup
nslookup is a cross-platform tool for DNS enumeration, available on
Windows as well as Linux and macOS. A basic lookup:
>nslookup zonetransfer.me
It can also be used interactively, where a record type chosen with set
persists for the rest of the session:
>nslookup
>set type=ns
>zonetransfer.me
Zone Transfer
Zone transfer (AXFR) is the DNS mechanism by which a secondary name
server copies the complete zone from the primary so that both serve the
same data. It is meant to be restricted to the secondaries (for example
with allow-transfer in BIND); a server that answers AXFR requests from
anyone is misconfigured. Pentesters and attackers take advantage of that
misconfiguration: a successful transfer hands over the entire zone in
one request, including every subdomain, its IP addresses, mail servers
and any internal host names the administrator assumed were hidden.
CONCEPT
1. Identify the name servers of the domain
2. Initiate a zone transfer against each of them
Zone transfer
The host tool can be used to initiate a zone transfer. First list the
name servers, then ask each one for the zone with -l. Try every listed
server, since a transfer is often allowed on one secondary but refused
by the others:
>host -t ns zonetransfer.me
>host -l zonetransfer.me nsztm2.digi.ninja
Zone transfer
Dig can also be used to initiate a zone transfer; the @ selects the name
server to ask:
>dig ns zonetransfer.me
>dig axfr zonetransfer.me @nsztm2.digi.ninja
A server that refuses prints "; Transfer failed."; a completed transfer
ends with an "XFR size:" summary line giving the number of records.
Zone transfer
Similarly, nslookup can perform a zone transfer. Discover the name
servers, point nslookup at one of them with server, then list the zone.
The ls command exists only in the Windows build of nslookup; the BIND
nslookup shipped on Linux does not have it, so use dig or host there.
>nslookup
>set type=ns
>zonetransfer.me
>server nsztm2.digi.ninja
>set type=any
>ls -d zonetransfer.me
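The two-step procedure above (find the name servers, then try AXFR against each of them and harvest the host names) as a script. This is an added example, not code from the original slides; it assumes dig is installed for the live run, and the dig output it parses offline is constructed for the demo (documentation IP addresses from 192.0.2.0/24), not a real transfer from zonetransfer.me.

```shell
#!/bin/sh
# Added example (not from the original slides): attempt a zone transfer
# from every authoritative name server of a domain, report which servers
# allow it, and extract host names from any zone that was handed over.
# Needs dig (dnsutils / bind-utils) for the live run; the parsing
# functions are exercised offline against a constructed sample below.

# transfer_succeeded: read dig axfr output on stdin; succeed only if dig
# printed its "XFR size:" summary, which it does solely after a completed
# transfer (a refused request prints "; Transfer failed." instead).
transfer_succeeded() {
    grep -q '^;; XFR size:'
}

# extract_hosts: read dig axfr output on stdin and print the unique owner
# names of A, AAAA and CNAME records without the trailing dot.
# dig prints one record per line: NAME TTL CLASS TYPE RDATA...
extract_hosts() {
    awk '$1 !~ /^;/ && NF >= 5 && ($4 == "A" || $4 == "AAAA" || $4 == "CNAME") {
             sub(/\.$/, "", $1); print $1 }' | sort -u
}

# try_axfr DOMAIN: look up the NS records and attempt a transfer from each.
try_axfr() {
    domain=$1
    for ns in $(dig +short ns "$domain"); do
        out=$(dig axfr "$domain" "@$ns" 2>/dev/null)
        if printf '%s\n' "$out" | transfer_succeeded; then
            echo "[+] $ns allows zone transfer of $domain"
            printf '%s\n' "$out" | extract_hosts | sed 's/^/    /'
        else
            echo "[-] $ns refused zone transfer of $domain"
        fi
    done
}

# Constructed sample in the shape of dig's zone listing. The records are
# made up for the demo (192.0.2.0/24 is the documentation range); this is
# not a capture from zonetransfer.me.
SAMPLE_ALLOWED='; <<>> DiG 9.18.1 <<>> axfr zonetransfer.me @nsztm2.digi.ninja
;; global options: +cmd
zonetransfer.me.        7200    IN      SOA     nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me.        7200    IN      NS      nsztm1.digi.ninja.
zonetransfer.me.        7200    IN      NS      nsztm2.digi.ninja.
zonetransfer.me.        7200    IN      MX      0 mail.zonetransfer.me.
zonetransfer.me.        7200    IN      A       192.0.2.10
www.zonetransfer.me.    7200    IN      A       192.0.2.10
staging.zonetransfer.me. 7200   IN      CNAME   www.zonetransfer.me.
vpn.zonetransfer.me.    7200    IN      A       192.0.2.20
zonetransfer.me.        7200    IN      SOA     nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
;; Query time: 40 msec
;; SERVER: 192.0.2.2#53(nsztm2.digi.ninja) (TCP)
;; XFR size: 9 records (messages 1, bytes 451)'

# Constructed sample of a refused transfer.
SAMPLE_REFUSED='; <<>> DiG 9.18.1 <<>> axfr zonetransfer.me @ns1.example.net
;; global options: +cmd
; Transfer failed.'

# Live run when a domain is given, offline demo on the sample otherwise.
if [ "$#" -ge 1 ]; then
    try_axfr "$1"
else
    printf '%s\n' "$SAMPLE_ALLOWED" | transfer_succeeded && echo "[+] sample transfer completed"
    printf '%s\n' "$SAMPLE_ALLOWED" | extract_hosts
fi
```

Run it as `sh axfr_check.sh zonetransfer.me` for a live check of every name server; with no arguments it only parses the embedded sample. The extractor keeps A, AAAA and CNAME owner names because those are the hosts to probe next; keep the raw dig output as well, since MX, TXT and SOA records carry their own intelligence (mail providers, verification tokens, admin contacts).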
Automated tools
DNS Recon
dnsrecon automates querying DNS servers, retrieving records and running
the usual DNS checks. With -t axfr it looks up the name servers of the
domain and attempts a zone transfer against each one:
>dnsrecon -d zonetransfer.me -t axfr
DNS Enum
dnsenum is another automated tool that collects as much information as
it can about the target: host addresses, name servers, MX records, a
zone transfer attempt against each name server, and subdomain brute
forcing from a wordlist:
>dnsenum zonetransfer.me
Fierce
fierce is another DNS enumeration tool. It locates the name servers,
attempts a zone transfer, and otherwise falls back to brute forcing
subdomains from its built-in wordlist and scanning the IP space around
the hosts it finds:
>fierce --domain zonetransfer.me