DNS Enumeration

MITRE ATT&CK™ Gather Victim Network Information: DNS - T1590.002

Theory

Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.

Each domain can use different types of DNS records. Some of the most common types of DNS records include:

NS: Nameserver records contain the name of the authoritative servers hosting the DNS records for a domain.
A: Also known as a host record, the "a record" contains the IPv4 address of a hostname (such as www.megacorpone.com).
AAAA: Also known as a quad A host record, the "aaaa record" contains the IPv6 address of a hostname (such as www.megacorpone.com).
MX: Mail Exchange records contain the names of the servers responsible for handling email for the domain. A domain can contain multiple MX records.
PTR: Pointer Records are used in reverse lookup zones and can find the records associated with an IP address.
CNAME: Canonical Name Records are used to create aliases for other host records.
TXT: Text records can contain any arbitrary data and be used for various purposes, such as domain ownership verification.

Practice

The dig (domain information groper) command is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the queried name server(s).

# Simple DNS resolution
dig domain.com

#Enum records
dig MX domain.com
dig NS domain.com
dig A domain.com
dig txt domain.com
dig AAAA domain.com

#If supported by the DNS server, we can use the ANY query and dump all records
dig any domain.com

#Zone transfert
dig axfr domain.com @ns.domain.com

Using the host command, we may perform DNS and revers DNS enumeration

# Simple DNS resolution
host domain.com

# Enum records
host -t MX www.domain.com
host -t NS domain.com
host -t A domain.com
host -t txt domain.com
host -t AAAA domain.com

# Reverse DNS
# Works if the DNS is configured with a PTR record
host 149.56.244.87

# Bash script reverse DNS lookup an IP addresses range
for ip in $(seq 200 254); do host 51.222.169.$ip; done | grep -v "not found"

# Simple DNS resolution
nslookup domain.com

# Enum records, you may use set=all
nslookup
> set type=ns
> domain.com

# Specify a DNS server
nslookup
> server 10.10.10.8
> domain.com

# One-liner: request TXT records for info.domain.com on 10.10.10.8 DNS server
nslookup -type=TXT info.domain.com 10.10.10.8 

# Reverse DNS
# Works if the DNS is configured with a PTR record
nslookup 149.56.244.87

#Basic enum
dnsrecon -d domain.com
# -t std for standar scan
dnsrecon -d domain.com -t std

#Brute force domains and hosts
dnsrecon -t brt -d domain.com -D /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt

#Bing (-b) and yandex (-y) search enum
dnsrecon -by -d domain.com

#Zone transfert
dnsrecon -a -d domain.com

#DNSSEC zone walk
dnsrecon -z -d domain.com

#Brute force domains and hosts
dnsmap domain.com -w /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt

dnsenum domain.com

Ressource

Last updated 9 months ago

Was this helpful?

Theory

Each domain can use different types of DNS records. Some of the most common types of DNS records include:

NS: Nameserver records contain the name of the authoritative servers hosting the DNS records for a domain.

A: Also known as a host record, the "a record" contains the IPv4 address of a hostname (such as www.megacorpone.com).

AAAA: Also known as a quad A host record, the "aaaa record" contains the IPv6 address of a hostname (such as www.megacorpone.com).

MX: Mail Exchange records contain the names of the servers responsible for handling email for the domain. A domain can contain multiple MX records.

PTR: Pointer Records are used in reverse lookup zones and can find the records associated with an IP address.

CNAME: Canonical Name Records are used to create aliases for other host records.

TXT: Text records can contain any arbitrary data and be used for various purposes, such as domain ownership verification.

Practice

The dig (domain information groper) command is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the queried name server(s).

# Simple DNS resolution
dig domain.com

#Enum records
dig MX domain.com
dig NS domain.com
dig A domain.com
dig txt domain.com
dig AAAA domain.com

#If supported by the DNS server, we can use the ANY query and dump all records
dig any domain.com

#Zone transfert
dig axfr domain.com @ns.domain.com

Using the host command, we may perform DNS and revers DNS enumeration

# Simple DNS resolution
host domain.com

# Enum records
host -t MX www.domain.com
host -t NS domain.com
host -t A domain.com
host -t txt domain.com
host -t AAAA domain.com

# Reverse DNS
# Works if the DNS is configured with a PTR record
host 149.56.244.87

# Bash script reverse DNS lookup an IP addresses range
for ip in $(seq 200 254); do host 51.222.169.$ip; done | grep -v "not found"

Nslookup is a native Windows & Linux command that may be used as a to perform DNS enumeration

# Simple DNS resolution
nslookup domain.com

# Enum records, you may use set=all
nslookup
> set type=ns
> domain.com

# Specify a DNS server
nslookup
> server 10.10.10.8
> domain.com

# One-liner: request TXT records for info.domain.com on 10.10.10.8 DNS server
nslookup -type=TXT info.domain.com 10.10.10.8 

# Reverse DNS
# Works if the DNS is configured with a PTR record
nslookup 149.56.244.87

is a Python script that provides the ability to perform DNS enumeration.

#Basic enum
dnsrecon -d domain.com
# -t std for standar scan
dnsrecon -d domain.com -t std

#Brute force domains and hosts
dnsrecon -t brt -d domain.com -D /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt

#Bing (-b) and yandex (-y) search enum
dnsrecon -by -d domain.com

#Zone transfert
dnsrecon -a -d domain.com

#DNSSEC zone walk
dnsrecon -z -d domain.com

scans a domain for common subdomains using a built-in or an external wordlist (if specified using -w option). The internal wordlist has around 1000 words

#Brute force domains and hosts
dnsmap domain.com -w /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt

Dnsenum is a multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous ip blocks. The main purpose of Dnsenum is to gather as much information as possible about a domain.

dnsenum domain.com