It's easy to dismiss DNS as a backend utility that just makes connections happen, a static directory that simply points traffic where it needs to go. But in reality, it's a rich, and underused set of data sources for attack surface discovery.
In this article we’ll use a Threat Hunt example to go through a series practical DNS pivots with HackerTarget tools, showing how lookups, reverse searches, and zone transfers expose parts of a target’s online footprint that are often overlooked.
What is DNS Pivoting?
DNS pivoting is the process of using one piece of DNS information to discover additional assets and services. Attackers and defenders can use this technique to expand their view of an organisation’s exposed attack surface.
It's not a one-time task. DNS pivoting is cyclical and non-linear due to infrastructure changes, new services being spun up, and old ones decommissioned sometimes cleanly, sometimes leaving traces.
Different record types provide natural pivot points that expand recon. Following the trail from one record type to another can uncover systems that aren’t obvious from the main domain. Common pivots include:
| Common Pivot | What It Reveals |
|---|---|
| Shared DNS (NS) | Other domains using the same nameserver. |
| Reverse Lookups | Map IP addresses back to domains to find related assets. |
| Zone Transfers | Misconfigured name servers may leak an entire DNS zone file |
| MX / TXT / SPF | Mail and authentication records often point to third-party services. |
Each pivot from one record to the next helps build a wider map of systems that may be exposed or forgotten.
Security implications
This has real security implications. Missed DNS assets often translate into forgotten services. A few examples; staging servers, old applications, or third-party integrations that are still exposed to the internet. These are targets threat actors are on the look out for: staging systems can lack patches, old apps can run vulnerable code and any external dependencies bring risk and possible vulnerabilities outside of your control. Overlooked DNS assets that no longer point to active hosts can create issues such as subdomains an attacker might take over. Takeaway: overlooked DNS assets can become weak points even in well-defended environment.
Using HackerTarget Tools
HackerTarget.com provides tools that make DNS pivoting straightforward using the web tool or API
| Tool | Purpose | Use Case | API Endpoint |
|---|---|---|---|
| DNS Lookup | Perform lookups, trace records, and uncover related domains | Initial reconnaissance and domain analysis | api.hackertarget.com/dnslookup/?q=domain.com |
| Find DNS Host Records (Subdomains) | Discover subdomains linked to your target domain | Subdomain enumeration and attack surface mapping | api.hackertarget.com/hostsearch/?q=domain.com |
| Reverse IP | Identify all A records associated with an IP address | Find domains sharing the same hosting infrastructure | api.hackertarget.com/reverseiplookup/?q=1.2.3.4 |
| Reverse DNS | Find other domains sharing the same infrastructure | Infrastructure correlation and threat actor profiling | api.hackertarget.com/reversedns/?q=1.2.3.4 |
| Zone Transfer Test | Check for misconfigured name servers that leak entire DNS zones | Identify DNS misconfigurations and data exposure | api.hackertarget.com/zonetransfer/?q=domain.com |
| Domain Profiler | Combine DNS data with banner information for comprehensive analysis | Complete attack surface profiling and reconnaissance | Domain Profiler - Web Interface only |
| DNSDumpster | DNS reconnaissance with visual network mapping | Domain intelligence gathering and visualization | dnsdumpster.com (Web interface with downloadable results) |
Domain Profiler Advantages:
All pivots can be done manually, or automated in one run with the Domain Profiler
- Visual Mapping: Provides network diagrams showing relationships between domains, subdomains, and IP addresses
- Comprehensive Results: Combines multiple DNS reconnaissance techniques in a single interface
- Pivot to Vulnerability Identification: Feed IP's and Hosts directly into Port Scanners and other tools for real time status
- Export Options: Download results in various formats for further analysis and reporting
API Usage Notes:
- Rate Limiting: Free API access is limited to 100 queries per day. Consider API key registration for higher limits
- Authentication: No authentication required for basic queries. Optional API key available for increased rate limits and priority access
- Response Format: All endpoints return plain text responses by default. Some tools support JSON format by adding
&output=jsonparameter - Usage Example: "https://api.hackertarget.com/dnslookup/?q=example.com"
By chaining these tools together, you can replicate the pivoting process attackers use and build a more accurate picture of your exposure.
Example Scenario: Threat Hunting with HackerTarget's Tools
Imagine you are a security analyst who has identified a suspicious domain, malicious-example.com, from a recent phishing campaign. You need to investigate the full extent of the threat actor's infrastructure. In this case it all starts with the domain name malicious-example.com. The first step is to see what IP address(s) it resolves too.
Start with DNS Look up for Initial Recon:
Use the DNS Lookup tool (or use the API) to map a hostname to an IP address. This quick search reveals the current A record (IPV4 address) and AAAA record (IPV6) plus MX, NS, TXT, SOA and other records. So, even from this one query, we can see the web servers, mail routing, DNS provider, and verification tokens.
# Using the HackerTarget DNS Lookup web tool or API query: malicious-example.com A : 266.107.226.40 A : 266.107.223.40 AAAA : 2203:1030:20e:3::23c AAAA : 2203:1030:b:3::152 AAAA : 2203:1020:201:10::10f MX : 10 example-com.mail.protection.outlook.com. NS : ns3-39.azure-dns.org. NS : ns1-39.azure-dns.com. NS : ns4-39.azure-dns.info. TXT : mixpanel-example-verify=5803bc4c-5beb6-4ce1-8076-753800097373 TXT : fake-site-verification=123uFg3wr5PWg74nelV029RoXXBBUW0_E6qf1WEWVHhetkOY SOA : ns1-39.azure-dns.com. azuredns-hostmaster.example.com. 1 3600 220 2519200 300
Most importantly, a map of the target’s external footprint is starting to build. As a rule, attackers and penetration testers use DNS data to expand their view of a organisation’s infrastructure and understand its attack surface.
• Verify: check whether the exposed IPs and MX records match your asset inventory.
• Record: note verification tokens and provider info (TXT, MX, NS) for later pivots.
• Log: store all record types to build a baseline map of external services you can revisit.
Try to Expand with Zone Transfer
A Zone transfer goes further. If a name server is misconfigured it can leak the DNS Zone, possibly revealing the list of hostnames under the domain. Zone transfers aren’t common as most DNS providers and admins block them but when you do find one, it changes the recon game. Instead of brute forcing or pivoting slowly, you get the whole map in one hit.
# Using the HackerTarget Zone Transfer web tool or API query: malicious-example.com admin.malicious-example.com #likely sensitive, higher-value target. api.malicious-example.com #backend services, often overlooked in hardening. mail.malicious-example.com #communication system, possible target for credential attacks. staging.malicious-example.com #usually less secure than a production server.
The results above show admin portals, APIs, mail infrastructure, and a staging environment. Each of these expands the attack surface:
zonetransfer.me is intentionally left open for testing zone transfers. Use it with the our Zone Transfer tool to see what a full zone dump looks like.
• Flag misconfigured name servers (a critical issue to remediate).
• Prioritise sensitive hosts such as
admin, staging, and mail for further testing.• Store the full zone file as a reference for ongoing recon.
Passive DNS Pivot - IP to Domain:
From the IP address discovered earlier with the DNS Lookup tool (266.107.226.40) now try to find what hostnames point to that same IP. Two tools work here:
- Reverse DNS lookup : checks the PTR record (e.g webserver1.targetcorp.com)
- Reverse IP Lookup : lists all forward DNS records pointing to the same IP.
Reverse DNS shows a single PTR record, which often reflects internal naming conventions (webserver1 here). On its own, it doesn’t give much, but it confirms the IP is tied to the threat actor’s namespace.
# Using the HackerTarget Reverse DNS Lookup web tool or API query: 266.107.226.40 PTR : webserver1.malicious-example.com.
Reverse IP shows a broader picture and how the IP address is shared across multiple domains. Two of them: scam-example.net and fake-login.org look obviously malicious, linking the phishing campaign to other suspicious activity.
# Using the Reverse IP Lookup web tool or API query: 266.107.226.40 scam-example.net blog.malicious-example.com unrelated.org fake-login.org images.mscode.in
Also revealed is blog.malicious-example.com and other unrelated domains. Each hostname is another pivot. If it’s related to the threat actor (or target) the recon expands. If not, it's just noise (common when the attacker's or target’s site is on shared hosting).
This is where the circular nature of DNS pivoting comes in. A result from Reverse IP takes us back to a fresh DNS Lookup, where subtle relationships can be uncovered. For example:
# Using the HackerTarget DNS Lookup web tool or API
query: images.mscode.in
CNAME : cdn.malicious-example.com.
A : 266.107.223.40
AAAA : 2203:1030:b:3::152
In example above, the domain images.mscode.in doesn’t look related at first, but the lookup reveals a CNAME pointing to cdn.malicious-example.com on the same infrastructure. That small connection ties it back into the threat actor’s footprint and shows how pivots loop back around.
• Pivot on hostnames clearly tied to the target.
• Discard unrelated noise (shared hosting is common).
• Keep suspicious related domains logged for possible campaign links.
Shared DNS Infrastructure
In parallel with earlier pivots, the domains uncovered in the Reverse IP lookup should also be checked for shared DNS infrastructure, so lets check whether they also share the same name servers.
Start by running a DNS Lookup on each domain:
# Using the DNSLookup web tool or API query 1: malicious-example.com query 2: scam-example.net query 3: fake-login.org # Results (both domains share the same NS set) NS : ns1.badguyshosting.com.com NS : ns2.badguyshosting.com.com NS : ns3.badguyshosting.com.com
Since the 3 domains return the same common nameserver set, they’re tied to the same backend DNS setup.
From here, the analyst pivots on one of the shared nameservers (e.g. ns1) to expand the picture:
# Using the Find Shared DNS Servers web tool or API query: ns1.badguyshosting.com
Example output:
malicious-example.com scam-example-2.net fake-login.org phish-example-portal.org staging-app.net example-badservice.com
A single NS pivot now links multiple domains under the same provider. Some of these like fake-login.org and phish-example-portal.org belong to the phishing campaign. Others like staging-app.net and example-badservice.com may not be malicious but are logged for review later. These could turn out to be part of the same infrastructure cluster once more pivots are run.
• Group domains that share the same NS to map the cluster.
• Investigate suspicious ones now; log the rest for later.
• Use shared NS data to link scattered domains to one operator.
From Recon to Defense
For this scenario, the investigation pauses here. The analyst has built out a cluster of phishing domains, staging systems, and shared hosting evidence all tied to the same DNS infrastructure. With these findings logged, there’s enough to brief the defensive team.
Defensive Actions:
With this recon in hand, Defenders can:
- Expand the scope: link one phishing site to a broader set of malicious infrastructure (scam-example.net, fake-login.org, and all the domains from the shared name server lookup).
- Proactively Defend: Block the discovered domains and IPs at firewalls and network security appliances, preventing future attacks from the same actor.
- Enhance Intelligence: Document the badguyshosting.com name servers as a known indicator of compromise (IOC).
Conclusion
DNS pivoting is an essential technique for any cybersecurity professional performing reconnaissance. Every pivot explored: lookup, reverse lookup, subdomain discovery, zone transfer, shared DNS, and analysing record details, plays a role in uncovering hidden infrastructure that otherwise evades detection. Use them in combination, use them iteratively, and use them creatively. Start from one tiny DNS clue and snowball it into a complete picture of a target’s external network. The more knowledge gathered in recon, the better prepared for the next phases of any security assessment.
If you run this workflow regularly, the Domain Profiler saves hours of manual pivoting.
It produces consistent, reproducible output in multiple formats (XLSX, dashboard, visual maps)
ready to hand to defenders or drop straight into SIEMs and reporting.
Try Domain Profiler