# DNS Enumeration

## Enumeration

### Basic Record Queries

```bash
dig A example.com     # IPv4 address
dig AAAA example.com  # IPv6 address
dig CNAME example.com # Canonical name (alias)
dig MX example.com    # Mail exchanger
dig TXT example.com   # Text data (e.g. SPF, DKIM, verification)
dig CAA example.com   # Certificate authority authorization
```

### Authority & Reverse Lookup

```bash
dig NS example.com           # Name servers
dig SOA example.com          # Start of authority (admin contact, serial, timers)
nslookup 1.2.3.4             # Reverse lookup
dig -x 1.2.3.4               # Reverse lookup
dig PTR 1.2.3.4.in-addr.arpa # Pointer record: reverse DNS (IP to name)
```

### Discovery - Transfer (AXFR)
```bash
# Zone transfer
nmap -p 53 --script=dns-zone-transfer example.com
dig AXFR example.com @ns1.example.com # ask the authoritative NS directly
# Zone transfer (AXFR) against a specific IP and a non-standard port
dig AXFR sub.example.com @x.x.x.x -p 54010 +tcp # TCP is the default for AXFR, but can be forced
```

If successful, this exposes the full DNS zone (a misconfiguration: transfers should be limited to the zone's secondary servers).
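A defensive follow-up to the AXFR check above, added here and not part of the original cheat sheet: a small bash script that resolves a zone's NS records, attempts a transfer against each server over TCP and classifies the answer, so an operator can verify that none of their own nameservers allows transfers to arbitrary clients. It assumes `dig` is installed; the function names (`classify_axfr`, `count_records`, `audit_axfr`) and the embedded sample output are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original cheat sheet: audit each authoritative
# nameserver of a zone for an open zone transfer (AXFR). Assumes `dig` is on PATH.

# Classify raw `dig AXFR` output. dig prints "; Transfer failed." on refusal,
# a "connection timed out" comment on no answer, and the zone's records
# (opening and closing with the SOA) when the transfer is allowed.
classify_axfr() {
    local out="$1"
    if printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        echo "refused"
    elif printf '%s\n' "$out" | grep -Eq 'connection timed out|no servers could be reached'; then
        echo "timeout"
    elif printf '%s\n' "$out" | grep -Eq '^[^;].*[[:space:]]IN[[:space:]]+SOA[[:space:]]'; then
        echo "open"
    else
        echo "unknown"
    fi
}

# Count resource records in an answer: every line that is neither a ';' comment nor blank.
count_records() {
    printf '%s\n' "$1" | grep -Evc '^(;|$)'
}

# Resolve the zone's NS records and try AXFR over TCP against each. Any OPEN
# line is a misconfiguration to fix on that server (restrict allow-transfer).
audit_axfr() {
    local zone="$1" ns out verdict
    for ns in $(dig +short NS "$zone"); do
        out=$(dig AXFR "$zone" @"$ns" +tcp +time=5 +tries=1 2>&1) || true
        verdict=$(classify_axfr "$out")
        if [ "$verdict" = "open" ]; then
            printf '%s\t%s\tOPEN (%s records exposed)\n' "$zone" "$ns" "$(count_records "$out")"
        else
            printf '%s\t%s\t%s\n' "$zone" "$ns" "$verdict"
        fi
    done
}

# Constructed sample of an allowed transfer (not captured from a real server),
# so the classifier can be exercised offline.
SAMPLE_OPEN='; <<>> DiG 9.18.1 <<>> AXFR example.com @ns1.example.com +tcp
example.com.      3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
www.example.com.  300   IN  A    192.0.2.10
example.com.      3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec'

# Live audit runs only when a zone is given: ./axfr_audit.sh example.com
if [ -n "${1:-}" ]; then audit_axfr "$1"; fi
```

Run it against zones you operate; every line other than `refused` deserves a look at that server's transfer ACL.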
### Service Discovery (SRV Records)

```bash
# Standard services (query each name with: dig SRV <name>)
_kerberos._tcp.example.com
_ldap._tcp.example.com
_sip._tcp.example.com
_xmpp-server._tcp.example.com
_cifs._tcp.example.com
# Active Directory specifics
_ldap._tcp.pdc._msdcs.example.com    # Primary Domain Controller (PDC emulator)
_ldap._tcp.dc._msdcs.example.com     # All Domain Controllers
gc._msdcs.example.com                # Global Catalog
_kerberos._tcp.dc._msdcs.example.com # Kerberos for all DCs
```

#### 🛠️ Tools

```bash
# dig
dig SRV _ldap._tcp.example.com
# nslookup
nslookup -type=srv _kerberos._tcp.example.com
# nmap
nmap -p 53 --script=dns-srv-enum --script-args "dns-srv-enum.domain=example.com"
```

Useful in internal networks (e.g. Active Directory) to discover services.
### Brute-force & Fingerprinting

```bash
# Discovery
nmap --script dns-brute -Pn -p 53 example.com # brute-force subdomains (wordlist)
nmap -p 53 --script=dns-nsid example.com      # fingerprint the DNS server (NSID / version)
```

## Utils

```bash
# Query a specific DNS server
dig @8.8.8.8 example.com
dig @8.8.8.8 A example.com
```

### Debug / Trace
```bash
dig +trace example.com # follow the delegation chain from the root servers
dig ANY example.com    # all record types (often refused or minimised by modern servers)
nslookup example.com
```

### Propagation & Validation

- dnschecker.org: check DNS record propagation worldwide (A, NS, CNAME, etc.)
- whatsmydns.net: visual DNS propagation from multiple global resolvers
- digwebinterface.com: web front-end for dig
```bash
# Trace DNS from root to authoritative server
dig +trace foo.example.com
# Query a specific DNS server by name or IP
dig @ns1.example.com foo.example.com
dig @192.0.2.1 foo.example.com
# Check the NS configuration at the registrar
whois example.com | grep -i "ns1.example.com"
# Monitor incoming DNS requests on your server
sudo tcpdump -i any port 53
```

### Others

```bash
host example.com
whois example.com
dig example.com +ttlunits # TTL information in human-readable units
dig +nocmd +noquestion +nocomments +nostats example.com # answer section only, handy for debugging
curl 'https://dns.google/resolve?name=example.com&type=A' | jq # resolve via Google's DNS-over-HTTPS JSON API
# Optional (systemd-resolved)
resolvectl query example.com
```