DNS Enumeration Cheat Sheet

Basic DNS Lookup Commands

| Options | Commands | Description |
|---|---|---|
| | `nslookup $domain` | Basic DNS query using nslookup |
| | `dig $domain` | Basic DNS query using dig |
| `ANY` | `dig ANY $domain` | Retrieve all available DNS records for a domain |
| | `host $domain` | Simple DNS lookup using the host command |

Advanced DNS Enumeration

| Options | Commands | Description |
|---|---|---|
| `-x` | `dig -x $ip_address` | Perform a reverse DNS lookup to find the domain associated with an IP |
| `AXFR` | `dig AXFR $domain @$nameserver` | Attempt a DNS zone transfer to enumerate all DNS records in the zone |
| `-t MX` | `dig $domain -t MX` | Query for Mail Exchange (MX) records |
| `-t TXT` | `dig $domain -t TXT` | Query for Text (TXT) records (e.g., SPF, DKIM, etc.) |
| `-t SRV` | `dig $domain -t SRV` | Query for Service (SRV) records |
| | `nslookup -type=SRV _service._protocol.$domain` | Query for specific SRV records using nslookup |

DNS Enumeration Tools

| Options | Commands | Description |
|---|---|---|
| | `dnsenum $domain` | Perform comprehensive DNS enumeration, including subdomains, MX, and zone transfers |
| | `fierce --domain $domain` | Perform DNS enumeration, focusing on finding subdomains and zone transfers |
| | `dnsrecon -d $domain` | Perform DNS enumeration with multiple query types and zone transfer attempts |
| | `sublist3r -d $domain` | Enumerate subdomains using Sublist3r |
| | `amass enum -d $domain` | Perform extensive DNS enumeration with Amass |

Brute Forcing DNS

| Options | Commands | Description |
|---|---|---|
| `-D subdomains.txt` | `dnsrecon -d $domain -D subdomains.txt -t brt` | Brute force subdomains using DNSRecon and a custom wordlist |
| | `dnsdict6 $domain` | Perform DNS brute forcing using dnsdict6 |
| | `nmap -p 53 --script dns-brute $domain` | Use Nmap to brute force DNS subdomains |

Analyzing DNS Security

| Options | Commands | Description |
|---|---|---|
| | `dnstools $domain` | A set of tools for analyzing DNS configurations and potential vulnerabilities |
| | `dnsrecon -d $domain -t zonewalk` | Check for DNSSEC Zone Walking vulnerabilities |
| | `dig +short $domain TXT` | Retrieve TXT records to analyze DNS security settings like SPF and DKIM |
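
For the TXT lookup in the last row, an added example (not part of the original cheat sheet) that classifies the SPF policy found in `dig +short $domain TXT` output, so a domain owner can spot a missing, duplicated or permissive record. The function name `spf_policy`, its verdict words and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the SPF policy in `dig +short <domain> TXT` output.
# Live use (assumes dig is installed):  dig +short "$domain" TXT | spf_policy

# Constructed sample of dig output: one unrelated TXT record, plus an SPF
# record that the server returned split into two quoted strings.
SAMPLE_TXT='"site-verification=constructed-token"
"v=spf1 include:_spf.example.net " "ip4:192.0.2.0/24 -all"'

# Reads TXT records on stdin, prints one verdict word on stdout.
spf_policy() (
    count=0
    spf=""
    while IFS= read -r line || [ -n "$line" ]; do
        # RFC 7208: join the quoted strings of a record with no separator,
        # then drop the outer quotes. Lowercase because SPF terms are
        # case-insensitive.
        record=$(printf '%s' "$line" |
            sed -e 's/" "//g' -e 's/^"//' -e 's/"$//' |
            tr '[:upper:]' '[:lower:]')
        case "$record" in
            "v=spf1" | "v=spf1 "*) count=$((count + 1)); spf=$record ;;
        esac
    done
    if [ "$count" -eq 0 ]; then echo "missing"; exit 0; fi
    # More than one SPF record is a permanent error for receivers.
    if [ "$count" -gt 1 ]; then echo "multiple"; exit 0; fi
    case " $spf " in
        *" -all "*)             echo "fail" ;;      # strict: reject others
        *" ~all "*)             echo "softfail" ;;  # accepted but marked
        *" ?all "*)             echo "neutral" ;;   # no statement made
        *" +all "* | *" all "*) echo "pass-all" ;;  # any sender passes
        *" redirect="*)         echo "redirect" ;;  # policy lives elsewhere
        *)                      echo "no-all" ;;    # defaults to neutral
    esac
)

printf '%s\n' "$SAMPLE_TXT" | spf_policy
```

Verdicts other than `fail` (and `softfail` during a rollout) are the ones to review; `redirect` means the same check has to be repeated on the target domain.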