PRIMARY CATEGORY → PROTOCOLS AND SERVICES
| REFERENCES | |
|---|---|
| Most Popular Types of DNS Attacks | See here |
DNS → Domain Name System
Enumeration
NS Query
Query for All Available Nameservers
dig ns <DOMAIN> @<TARGET> +shortBanner Grabbing
DIG
Query for DNS Server Version
dig CHAOS TXT version.bind @<TARGET> +short # Or CHNmap
nmap -p<DNS_PORT> --script dns-nsid -vvv -Pn <TARGET>ANY Query
Query for All Available DNS Records
dig ANY <DOMAIN> @<TARGET>Important
It is important to note that not all entries related to DNS Records in the zone will be displayed
Query for Specific DNS Records
A - AAAA
dig A <DOMAIN> @<TARGET>
dig AAAA <DOMAIN> @<TARGET>MX
dig MX <DOMAIN> @<TARGET>TXT
dig TXT <DOMAIN> @<TARGET>CNAME
dig CNAME <DOMAIN> @<TARGET>Zone Transfer
Asynchronous Full Transfer Zone
Dig
- Only DNS Records’ value from DNS Answer
dig axfr @<TARGET> +short
dig axfr @<TARGET> <DOMAIN> +short- Full DNS Answer
dig axfr @<TARGET> +noall +answer
dig axfr @<TARGET> <DOMAIN> +noall +answerSubdomains Enumeration
Tools
Passive
Amass
- Passive Mode
amass enum -passive -d <DOMAIN>Subdomain BruteForce
Dig
while IFS= read -r _subdomain ; do printf "%s.<DOMAIN> -> %s\n" "$_subdomain" "$( dig "$_subdomain".<DOMAIN> @<RESOLVER> +short)" ; done < <WORDLIST>Gobuster
gobuster dns --resolver <RESOLVER> --domain <DOMAIN> --wordlist <WORDLIST>Amass
- Active Mode
amass enum -active -brute -w <WORDLIST> -d <DOMAIN> -o <OUTPUT_FILE>DNSEnum
dnsenum --enum <DOMAIN> -f <WORDLIST> -r