Port 53 | DNS

nslookup -query=mx '<Domain>' -server '<DNS-IP>'                                                                                                                                                         
nslookup -query=ns '<Domain>'  -server '<DNS-IP>'
nslookup -query=any '<Domain>' -server '<DNS-IP>'
dig '<Domain>'
dig '<Domain>' A
dig '<Domain>' AAAA
dig '<Domain>' PTR
dig '<Domain>' NS
dig '<Domain>' MX

nmap --script dns-brute --script-args dns-brute.threads=12 '<Domain>'

fierce -dns '<Domain>'
fierce -dns '<Domain>' -dnsserver '<DNS>'

dnsenum --dnsserver '<IP>' --enum '<Domain>'

Resolve DNS IP to Domain name.

dig '@172.16.5.10' -x '172.16.5.10' +nocookie

Brute force

fierce --domain '<Domain>' --range <Range> --dns-servers '<IP>' --subdomain-file '<wordlist>'

Brute force with Bash

for name in $(cat /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt); do host $name.sportsfoo.com '172.16.5.10' -W 2; done | grep 'has address'

Zone Transfer

dig '@<IP>' -t AXFR '<Domain>' +nocookie

Last updated 3 years ago