Use HackerTarget DNS tools to inspect public DNS records, find known hostnames, check reverse DNS, test zone transfers, and identify shared DNS infrastructure.
DNS data helps blue teams, system administrators, penetration testers, and red teams understand data such as;
- how domains resolve
- where services are hosted
- which name servers are authoritative
- infrastructure is exposed to the Internet
DNS Lookup and Discovery Tools
Use the tools below to focus on DNS records, host discovery, reverse lookups, zone transfer testing, and shared name server searches. Use them individually for quick checks, or combine the results when reviewing a domain’s public-facing infrastructure.
1. Start with DNS records
Use DNS Lookup to query common DNS record types for a domain. The tool checks records including A, AAAA, MX, NS, CNAME, TXT, PTR and SOA, returning the records that resolve successfully.
This is the starting point for reviewing where a domain points, which mail servers are configured, which name servers are authoritative, and what DNS-based service records or verification records are visible.
A : 93.184.216.34 AAAA : 2606:2800:220:1:248:1893:25c8:1946 MX : 0 . NS : a.iana-servers.net. NS : b.iana-servers.net. TXT : "v=spf1 -all" TXT : "8j5nfqld20zpcyr8xjw0ydcfq9rk8hgm" SOA : ns.icann.org. noc.dns.icann.org. 2020111712 7200 3600 1209600 3600
2. Find host records and subdomains
Use Find DNS Host Records to search HackerTarget's DNS data for known hostnames associated with a domain. This can help identify subdomains, web applications, mail hosts, VPN portals, development systems, and other named services connected to the target domain.
This search uses known DNS data collected from multiple sources and returns hostnames and IP addresses that have been observed for the domain.
example.com,93.184.216.34 www.example.com,93.184.216.34
3. Check reverse DNS records
Use Reverse DNS Lookup to query PTR records for an IP address or IP range. Reverse DNS can expose hostname patterns, infrastructure naming conventions, hosting providers, and systems that may not be obvious from the original domain lookup.
This is useful after DNS Lookup or Host Search has returned IP addresses and you want to see how those addresses identify themselves through reverse DNS.
server1.example.com,103.16.140.120 server1.example.com,103.18.108.35 dns1.example.com,103.193.36.10 dns2.example.com,103.193.36.20 dns1.example.com,103.196.157.10 dns2.example.com,103.196.157.20 dns1.example.com,103.198.83.10 dns2.example.com,103.198.83.20 vps63.example.com,103.6.85.104
4. Find domains sharing an IP address
Use Reverse IP Lookup to find other domains that have pointed to the same IP address. This can help identify shared hosting, related domains, parked domains, legacy sites, or other web properties using the same infrastructure.
Reverse IP results should be reviewed carefully. Domains sharing an IP address are not always owned by the same organisation, especially on shared hosting, CDN, or cloud platforms.
lifesciencelabs.uk example.uk ekhuft.example.org.uk ekhuft-api.collabor8.org.uk www.isec2005.org.uk panoramallama.us socolive8.us truearchive.us 333911.vip
5. Check for exposed DNS zone transfers
Use Zone Transfer to test whether a domain's authoritative name servers allow external AXFR requests. Most name servers should block zone transfers from the Internet, but a misconfigured server may expose the full DNS zone.
When successful, a zone transfer can reveal a much larger set of hostnames than standard DNS lookups. When blocked, the result is still useful because it confirms the name servers are not allowing unauthorised zone transfers.
; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> axfr @a.iana-servers.net example.com ; (2 servers found) ;; global options: +cmd ; Transfer failed. ; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> axfr @b.iana-servers.net example.com ; (2 servers found) ;; global options: +cmd ; Transfer failed.
6. Find domains using the same name servers
Use Find Shared DNS Servers to identify domains that use the same name server. This can help uncover related domains, secondary brands, older projects, or infrastructure grouped under the same DNS provider or administrative pattern.
As with Reverse IP Lookup, shared name servers are a pivot point rather than proof of ownership. Results should be validated before assuming the domains belong to the same organisation.
example.com example.co.uk examplenetwork.ca
Using these tools with the API
These DNS tools are also available through the HackerTarget API. See the API documentation for endpoints, examples, limits, and response formats.
DNS tools workflow example
The tools can be used individually, or chained together during DNS pivoting.
See our guide to DNS pivoting and attack surface discovery for a practical walkthrough using HackerTarget DNS tools.
DNS Tools FAQ
What is the difference between Reverse DNS and Reverse IP Lookup?
Reverse DNS Lookup queries PTR records for an IP address or IP range. Reverse IP Lookup finds domains that have been associated with the same IP address.
What makes HackerTarget Find DNS Host Records different from a standard DNS lookup?
A standard DNS lookup queries live DNS records for a specific domain or hostname. HackerTarget Find DNS Host Records searches HackerTarget's collected DNS data for known hostnames and subdomains associated with a domain. This can help identify observed hosts such as web applications, mail servers, VPN portals, development systems, and other named services that may not appear in a basic DNS lookup.
Are shared IP addresses proof that domains are related?
No. Shared IP addresses can appear because of shared hosting, CDN infrastructure, cloud platforms, or managed hosting. Treat Reverse IP results as leads to validate.
Can I use HackerTarget DNS tools with the API?
Many HackerTarget DNS tools are available through the API. See the API documentation for endpoints, examples, limits, and response formats.
Conclusion
The above information is a summary of what each of the services can do. Check out the individual tool pages for full details, including information on the API, membership quotas, and more detail.
Next Level Your Technical Network Intelligence
- 13 Vulnerability Scanners
- 17 Free DNS & Network Tools
- 4+ Billion Records of DNS / IP data