DNS Tools

DNS Enumeration

Searching for DNS records and DNS-related information is an important part of reconnaissance for a penetration tester. Obtaining information on DNS servers and DNS records provides the Pen Tester/Red Team/Attacker with a deeper understanding of the organisation's network.

With DNS, it is not a 'one tool fits all' situation. You will need to use a variety of tools to gather the information. Hacker Target has a number of DNS-related tools that gather different information. By combining these tools it should be possible to get a very good indication of where an organisation's Internet systems are located, both by IP address and, if used in conjunction with a GeoIP lookup, by physical location.

DNS Lookup
The DNS Lookup tool does not scan the zone file or search for subdomains. It simply performs a DNS lookup against the target domain using these record types: A, AAAA, MX, NS, CNAME, TXT, PTR and SOA. The results only show successful responses to each DNS query type.

DNS Lookup using

A :
AAAA : 2606:2800:220:1:248:1893:25c8:1946
MX : 0 .
NS :
NS :
TXT : "v=spf1 -all"
TXT : "8j5nfqld20zpcyr8xjw0ydcfq9rk8hgm"
SOA : 2020111712 7200 3600 1209600 3600
Find Subdomains / Host Records and Reverse DNS / PTR record
Subdomains from certificate transparency

To find host records for a domain (subdomains), we have DNS data sets compiled from various sources on the Internet. These searches are not performed live, as the DNS records are stored in our database.

Search for all known hosts of a domain in either the Host Search (A records) or the Reverse DNS search (PTR records). Alternatively, use the Reverse DNS Lookup tool to perform a live reverse DNS lookup on a range of IP addresses.

Zone Transfer
The Zone Transfer tool attempts to perform a zone transfer against the DNS servers for a particular domain. It uses the query type AXFR in an attempt to get a copy of the zone. For 99% of servers this will fail, as it is a security risk to have zone transfers enabled from the Internet.

Zone transfer results using

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> axfr
; (2 servers found)
;; global options: +cmd
; Transfer failed.

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> axfr
; (2 servers found)
;; global options: +cmd
; Transfer failed.
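
Added example (not Hacker Target's code): a Python script that reads `dig axfr` output like the above, one run per name server, and reports which of your own name servers refused the transfer and which returned the zone. The sample output, the example.com names and the function name `audit_axfr` are assumptions constructed for illustration.

```python
import re

# Constructed dig output for the reserved domain example.com; the server
# names, addresses and records are illustrative, not real data.
SAMPLE = """\
; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> axfr @ns1.example.com example.com
;; global options: +cmd
; Transfer failed.

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> axfr @ns2.example.com example.com
;; global options: +cmd
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2020111712 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
vpn.example.com. 3600 IN A 192.0.2.10
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2020111712 7200 3600 1209600 3600
;; XFR size: 4 records (messages 1, bytes 250)
"""

BANNER = re.compile(r"^; <<>> DiG .*<<>>\s+(.*)$")

def audit_axfr(dig_output):
    """Return one finding per dig run: server, status and number of records returned."""
    findings, current = [], None
    for line in dig_output.splitlines():
        m = BANNER.match(line)
        if m:  # a new dig run starts; the queried server follows the '@'
            server = re.search(r"@(\S+)", m.group(1))
            current = {"server": server.group(1) if server else "default resolver",
                       "status": "unknown", "records": 0, "types": set()}
            findings.append(current)
        elif current is None or not line.strip():
            continue
        elif line.startswith(";"):  # dig comment line
            if "Transfer failed" in line:
                current["status"] = "refused"
        else:  # resource record: name, TTL, class, type, rdata
            fields = line.split()
            if len(fields) >= 4 and fields[2] == "IN":
                current["records"] += 1
                current["types"].add(fields[3])
    for f in findings:
        # A transfer that returned zone data includes the zone's SOA record.
        if f["status"] == "unknown" and "SOA" in f["types"]:
            f["status"] = "open"
    return findings

if __name__ == "__main__":
    for f in audit_axfr(SAMPLE):
        print(f["server"], f["status"], f["records"])
```

A server reported as "open" should have transfers restricted to its secondaries; "unknown" covers runs that neither failed explicitly nor returned records, such as timeouts.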
Find Shared NS Servers
Find hosts sharing the same name servers. This can be used to identify all domains within an organisation, allowing rapid expansion of the attack surface. In the example below, we see the discovery of related domains within the same organisation (different top-level domains (TLDs) and root domains).


Wrapping up

The above information is a summary of what each of the services can do. Check out the individual tool pages for full details, including information on the API, membership quotas, and more detailed information.
