What commands can be used to perform DNS enumeration to discover subdomains

0 votes
I want to identify subdomains of a target domain during a security assessment. What command-line tools or techniques, such as dig, host, or nslookup, can I use for DNS enumeration? Are there specific DNS records or query types I should focus on to gather subdomain information effectively?

Practical examples of these commands would be helpful.
Nov 15 in Cyber Security & Ethical Hacking by Anupam
• 6,570 points
42 views

1 answer to this question.

0 votes

The first step in reconnaissance is DNS enumeration, which helps in finding subdomains and other DNS records related to a target domain. Here's how to perform DNS enumeration using command-line tools like dig, host, nslookup, and others:

1. Using dig for DNS Enumeration

dig (Domain Information Groper) is a powerful tool for querying DNS servers.

Query A record of the domain:

dig example.com

Query a specific record type (e.g., MX, TXT, NS):

dig example.com MX
dig example.com TXT
dig example.com NS

Zone Transfer Attempts

If the target DNS server allows zone transfers (AXFR), you can use dig to pull the entire zone file, revealing subdomains:

dig axfr @<nameserver> example.com

Replace <nameserver> with the IP or hostname of the DNS server.

Brute Forcing Subdomains

To brute-force subdomains using dig, you can combine it with a wordlist:

for sub in $(cat subdomains.txt); do
  dig +short "$sub.example.com"
done

2. Using host for DNS Enumeration

host is a simpler command-line tool for DNS queries.

Lookup DNS Records

Query A record:

host example.com

Query a specific DNS record type:

host -t MX example.com
host -t TXT example.com
host -t NS example.com

Zone Transfer

Attempt a zone transfer:

host -l example.com <nameserver>

Replace <nameserver> with the DNS server.

3. Using nslookup for DNS Enumeration

nslookup is another standard DNS query tool.

Interactive Mode

Launch nslookup in interactive mode:

nslookup

Then:

> set type=mx
> example.com

Zone Transfer

Attempt a zone transfer:

nslookup
> server <nameserver>
> ls -d example.com

4. Using dnsenum

dnsenum is specifically designed for DNS enumeration and automates many steps.

dnsenum example.com

Use the -f flag to provide a subdomain wordlist for brute-forcing:

dnsenum --enum -f subdomains.txt example.com

5. Using sublist3r

sublist3r is a popular Python-based tool for subdomain enumeration.

sublist3r -d example.com

Save output to a file:

sublist3r -d example.com -o output.txt

6. Using amass

amass is a robust tool for DNS enumeration and subdomain discovery.

amass enum -d example.com

Passive DNS Enumeration

amass enum -d example.com -passive

7. Using MassDNS

MassDNS is a high-performance DNS resolver useful for brute-forcing subdomains.

massdns -r resolvers.txt -t A -o S -w results.txt subdomains.txt

8. Focusing on Specific DNS Records

Records to Query

  • NS (Name Server): Lists authoritative DNS servers for the domain.
  • MX (Mail Exchange): Reveals mail servers for the domain.
  • TXT: Often contains SPF, DKIM, or other information that may leak insights.
  • CNAME: Reveals subdomains mapped to other domains.

Example with dig:

dig example.com NS
dig example.com MX
dig example.com TXT

Example for Subdomain Discovery

Combining brute force with a wordlist and dig:

for sub in $(cat subdomains.txt); do
  dig +short "$sub.example.com" | grep -v ";;" | grep -v "^$" && echo "$sub.example.com is valid"
done
answered Nov 20 by CaLLmeDaDDY
• 9,420 points
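Added example, not code from the answer above: a more robust version of the wordlist loop that reads the list line by line, keeps only A-record IPs from dig +short, and first probes a random label to detect wildcard DNS, so a zone that answers every name (a common source of false positives when checking a domain's exposure) is reported rather than mistaken for hundreds of real subdomains. It assumes dig is installed, a wordlist file with one label per line, and the domain as the first argument.

```shell
#!/usr/bin/env bash
# Added example, not code from the answer above. Assumes: dig is installed,
# a wordlist file with one label per line, and the target domain as $1.
set -u

# Keep only IPv4 answers from `dig +short` output (drops CNAME targets and blank lines).
extract_ips() {
  grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || true
}

# A candidate is a real hit when it resolved to something and that something is
# not simply the wildcard answer set. $1 = candidate IPs, $2 = wildcard IPs
# (both newline-separated, sorted). Returns 0 for a real hit, 1 otherwise.
is_real_hit() {
  [ -n "$1" ] || return 1
  [ "$1" != "$2" ]
}

# Resolve a name's A records with dig and normalise them for comparison.
resolve_ips() {
  dig +short +time=2 +tries=1 "$1" A | extract_ips | sort -u
}

enumerate() {
  local domain="$1" wordlist="$2" wildcard sub ips
  # Probe a label that should not exist; if it resolves, the zone has a wildcard
  # record and every brute-forced name will "resolve" to the same answers.
  wildcard="$(resolve_ips "wc-probe-$(date +%s)-$$.$domain")"
  if [ -n "$wildcard" ]; then
    echo "[!] wildcard DNS on *.$domain -> $(echo "$wildcard" | tr '\n' ' ')" >&2
  fi
  while IFS= read -r sub; do
    [ -z "$sub" ] && continue          # skip blank wordlist lines
    ips="$(resolve_ips "$sub.$domain")"
    if is_real_hit "$ips" "$wildcard"; then
      echo "$sub.$domain $(echo "$ips" | tr '\n' ' ')"
    fi
  done < "$wordlist"
}

# Usage: ./enum.sh example.com subdomains.txt
if [ -n "${1:-}" ] && [ -f "${2:-}" ]; then
  enumerate "$1" "$2"
fi
```

Names that resolve only to the wildcard answer set are suppressed; a name that resolves to a different address than the wildcard is still reported, since that usually indicates an explicit record.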
