Domain Name System (DNS) enumeration is the process of identifying the DNS servers and records associated with a target:
Address (A) records containing the IP addresses for domains
Mail Exchange (MX) records containing mail addresses
Canonical Name (CNAME) records used for aliasing domains and identifying subdomains within DNS records
Name Server (NS) records showthe authoritative (or main) name server for the domain
State of Authority (SOA) records have important information about the domain such as the primary name server, timestamp showing last update and the party responsible for the domain
Pointer Records (PTR) map an IPv4 address to the CNAME on the host, aka ‘reverse record’ because it connects a record with an IP address to a hostname instead of the other way around
TXT records may include additional information (e.g. configuration)
A whois lookup can be used to get general information about the domain such as the registrar, domain owner, their contact information and DNS server:
Nslookup (Name Server lookup) is used for querying the domain name system for DNS records:
Query DNS records using the option
-type= followed by the DNS record type:
nslookup -type=A google.com
Use ‘any’ as DNS record type to return all DNS records for the domain:
nslookup -type=any google.com
A Sender Policy Framework (SPF) record is a type of DNS record that identifies which mail servers are permitted to send email on behalf of your domain. SPF records prevent spammers from sending messages with forged ‘From’ addresses from a particular domain. A receiving mail server uses the sending domain's SPF record to check if the message comes from a legitmate server.
Host can be used to convert domain names to IP addresses and vice versa:
DNS servers usually have redundant/secondary servers which must be synced to each other. The replication method is called a zone transfer. DNS servers with zone transfers enabled to the public can reveal servers which would not be found by guessing. Zone transfers are typically disabled for DNS servers, but are still worth checking.
Check for zone transfer capability using host, use this command to retrieve the name server:
host -t ns google.com
Then use the name server as an argument in the next command:
host -t axfr -l google.com ns1.google.com
Dig is pretty much like Host.
Retrieve MX records for the google.com domain:
dig -t mx google.com
To request all records, specify
any as parameter:
dig -t any google.com
To test for zone transfers, use the following command: (zonetransfer is deliberately vulnerable)
dig axfr @nsztm1.digi.ninja zonetransfer.me
Fierce tries to find name servers for the given domain and perform a zone transfer on each one. It also checks for a wildcard DNS record and guesses subdomains using an internal wordlist.
fierce -h for help (this works for most things):
fierce -dns google.com
To specify a custom wordlist:
fierce -dns google.com –wordlist /path/to/wordlist/
A Wildcard DNS record is a DNS record that will match any request when there is no record available that explicitly matches that request. The Wildcard DNS record is uses an asterisk as the first label:
www.domain.com A 22.214.171.124vpn.domain.com A 126.96.36.199test.domain.com A 188.8.131.52*.domain.com A 184.108.40.206
Requesting the IP for a domain that is not explicitly defined, such as xw4647.domain.com will return the wildcard response of 220.127.116.11.
Tools like Fierce will first make a request for an unlikely subdomain (e.g sffvfdghdf9w3534.google.com) before guessing common names from a wordlist to determine if wildcard domains are present.
DNSenum enumerates the DNS information to discover non-contiguous IP blocks. It also attempts zone transfers on DNS:
DNSrecon is another automated tool for querying DNS records and attempting zone transfers.
For options, type
dnsrecon -d google.com
Sublist3r enumerates subdomains using popular search engines to discover subdomains for a selected domain name. It can also guess subdomains using an integrated tool named Subbrute, which uses a wordlist to enumerate DNS records and subdomains:
sublist3r -d google.com
To add brute forcing with Subbrute, use the
-b option to the command and control the number of additional threads to use with the
sublist3r -d google.com -b -t 100
The Harvester is used for e-mail harvesting across several search engines. If an organization doesn't have a public employee directory, this can be a quick way to gather email addresses for phishing or searching for passwords in recent database dumps.
theharvester -d microsoft.com -b google -l 5
The domain is specified by
-d and the data source with
-b (Google). Search results can be limited with the
Recon-ng is a Metasploit-style reconnaissance framework which can harvest emails and also check data dumps for passwords:
show modulesuse recon/contacts-credentials/hibp_breach[recon-ng][default][hibp_breach] > show infoset source firstname.lastname@example.org
Similar to Metasploit, you can select specific data dumps and set the source email to search.
Google can identify subdomains for a particular website:
To exclude a specific subdomain:
Search specific social media sites for information:
site:twitter.com orgnamesite:linkedin.com orgnamesite:facebook.com orgname
Search for specific filetypes on organizational websites: