nslookup makes it simple to collect a domain's A, MX, CNAME and TXT records during DNS enumeration. Below is a step-by-step guide to using nslookup for that purpose:
1. Launching nslookup
Open your terminal or command prompt and type:
nslookup
This starts the tool in interactive mode.
2. Setting the Record Type
To query specific DNS record types, use the set type=<record> command. Some common types include:
- A: IPv4 address of the domain
- MX: Mail exchange records
- CNAME: Canonical names or aliases
- TXT: Text records (e.g., SPF, DKIM)
Examples:
Set to A records:
> set type=a
Set to MX records:
> set type=mx
Set to TXT records:
> set type=txt
3. Querying the Domain
Once the type is set, query the target domain by entering the domain name. For example:
> example.com
Example Output for A Record:
Name: example.com
Address: 93.184.216.34
Example Output for MX Record:
example.com mail exchanger = 10 mail.example.com
4. Querying Nameservers
Nameservers (NS records) provide information about which servers are authoritative for the domain.
Set the query type to NS:
> set type=ns
Query the domain:
> example.com
Example Output:
example.com nameserver = ns1.example.com
example.com nameserver = ns2.example.com
5. Checking CNAME Records
CNAME records reveal which names are aliases that point to another hostname.
Set the query type to CNAME:
> set type=cname
Query the domain or subdomain:
> www.example.com
Example Output:
www.example.com canonical name = example.com
6. Discovering TXT Records
TXT records often include configuration details for email (SPF, DKIM) or other domain settings.
Set the query type to TXT:
> set type=txt
Query the domain:
> example.com
Example Output:
example.com text = "v=spf1 include:_spf.google.com ~all"
7. Using Non-Interactive Mode
You can also use nslookup in non-interactive mode by combining commands directly:
nslookup -type=mx example.com
Example Output:
example.com mail exchanger = 10 mail.example.com
8. Changing DNS Servers
You can point nslookup at a specific DNS server for its queries. This is useful for verifying results against a second resolver or for testing how an external server answers.
Set the server:
> server 8.8.8.8
Query as usual:
> example.com
9. Attempting Zone Transfers
A zone transfer (AXFR) returns the entire DNS zone (all subdomains and records) if the nameserver allows it to the requesting client.
Set the DNS server to the target nameserver:
> server ns1.example.com
Attempt a zone transfer:
> ls -d example.com
Note: Most properly configured DNS servers refuse zone transfers to anyone but their own secondary servers, so a transfer that succeeds from an arbitrary client is a misconfiguration worth reporting. The ls command exists only in the Windows version of nslookup; the BIND nslookup shipped on Linux and macOS does not implement it.
10. Exiting nslookup
To exit interactive mode, type:
> exit
Example Workflow
Find NS records to identify authoritative nameservers:
> set type=ns
> example.com
Query MX records to identify mail servers:
> set type=mx
> example.com
Check TXT records for configurations:
> set type=txt
> example.com
Look for CNAME records for aliases:
> set type=cname
> www.example.com
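As an added example (not part of the original guide), the following Python script drives nslookup in the non-interactive form from step 7, optionally against a chosen server as in step 8, and parses the answer lines shown in steps 3 to 6 into structured values. It also flags SPF records that accept any sender, which is the check a defender reviewing their own TXT records wants. The regexes assume the Unix nslookup output format shown above; SAMPLE_A is a constructed sample, and query() is the only function that needs network access.

```python
import re
import subprocess

# Answer-line formats Unix nslookup prints (as shown in the steps above).
_PATTERNS = {
    "A": re.compile(r"^Address:\s+(\S+)$"),
    "MX": re.compile(r"^\S+\s+mail exchanger = (\d+) (\S+)$"),
    "NS": re.compile(r"^\S+\s+nameserver = (\S+)$"),
    "CNAME": re.compile(r"^\S+\s+canonical name = (\S+)$"),
    "TXT": re.compile(r'^\S+\s+text = "(.*)"$'),
}

# Constructed sample A-record output: the first Address: is the resolver, not an answer.
SAMPLE_A = ("Server:\t\t8.8.8.8\nAddress:\t8.8.8.8#53\n\nNon-authoritative answer:\n"
            "Name:\texample.com\nAddress: 93.184.216.34\n")


def parse_nslookup(output, rtype):
    """Return answer values: A -> IPs, MX -> (priority, host), NS/CNAME -> hosts,
    TXT -> unquoted strings. Trailing dots on hostnames are stripped."""
    rtype = rtype.upper()
    pattern = _PATTERNS[rtype]
    records, in_answer = [], rtype != "A"  # A answers come after the Name: line
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Name:"):
            in_answer = True
            continue
        match = pattern.match(line) if in_answer else None
        if not match:
            continue
        if rtype == "MX":
            records.append((int(match.group(1)), match.group(2).rstrip(".")))
        elif rtype in ("NS", "CNAME"):
            records.append(match.group(1).rstrip("."))
        else:
            records.append(match.group(1))
    return records


def query(domain, rtype, server=None):
    """Run nslookup non-interactively (step 7), optionally via a chosen server (step 8)."""
    cmd = ["nslookup", f"-type={rtype}", domain] + ([server] if server else [])
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout
    return parse_nslookup(out, rtype)


def weak_spf(txt_records):
    """SPF records ending in '+all', bare 'all' or '?all' accept any sender; '-all'/'~all' do not."""
    return [t for t in txt_records
            if t.startswith("v=spf1") and t.split()[-1] in ("+all", "all", "?all")]
```

Multi-string TXT records (several quoted parts on one line) are captured as a single raw string and would need splitting before use.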