
DNS Tools

DNS Enumeration

Searching for DNS records and DNS related information is an important part of reconnaissance for a penetration tester. Obtaining information regarding DNS servers and DNS records gives the Pen Tester/Red Team/Attacker a deeper understanding of the organisation's network.

With DNS it is not a 'one tool fits all' situation. You will need to use a variety of tools to gather the information. Hacker Target has a number of DNS related tools that each gather different information. By combining these tools it should be possible to get a very good indication of where an organisation's Internet systems are located, both by IP address and, when used in conjunction with a GeoIP lookup, by physical location.

DNS Lookup
This tool does not scan the zone file or search for subdomains. It simply performs a DNS lookup for the record types A, AAAA, MX, NS, CNAME, TXT, PTR and SOA against the target domain. The results only show successful responses for each query type.

DNS Lookup using example.com

A : 93.184.216.34
AAAA : 2606:2800:220:1:248:1893:25c8:1946
MX : 0 .
NS : a.iana-servers.net.
NS : b.iana-servers.net.
TXT : "v=spf1 -all"
TXT : "8j5nfqld20zpcyr8xjw0ydcfq9rk8hgm"
SOA : ns.icann.org. noc.dns.icann.org. 2020111712 7200 3600 1209600 3600

Find Subdomains / Host Records and Reverse DNS / PTR record
To find host records for a domain (subdomains), we maintain DNS data sets compiled from various sources on the Internet. These searches are not performed live; the DNS records are served from our database.

Search for all known hosts of a domain in either the Host Search (A records) or the Reverse DNS search (PTR records). Alternatively use the Reverse DNS tool to perform a live reverse DNS lookup on a range of IP addresses.

DNS Host Search:

example.com,93.184.216.34
www.example.com,93.184.216.34

Reverse DNS Search:

server1.example.com,103.16.140.120
server1.example.com,103.18.108.35
dns1.example.com,103.193.36.10
dns2.example.com,103.193.36.20
dns1.example.com,103.196.157.10
dns2.example.com,103.196.157.20
dns1.example.com,103.198.83.10
dns2.example.com,103.198.83.20
vps63.example.com,103.6.85.104

Zone Transfer
This tool attempts a zone transfer against the DNS servers for a particular domain, sending an AXFR query in an attempt to retrieve a copy of the zone. For 99% of servers this will fail, as leaving zone transfers enabled towards the Internet is a security risk.

Zone transfer results using example.com:

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> axfr @a.iana-servers.net example.com
; (2 servers found)
;; global options: +cmd
; Transfer failed.


; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> axfr @b.iana-servers.net example.com
; (2 servers found)
;; global options: +cmd
; Transfer failed.
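
As an added example (not HackerTarget's own tool code), a stdlib-only check of whether a name server hands out a zone when asked for a transfer, the same question the dig output above answers with 'Transfer failed'. It speaks AXFR over TCP directly (RFC 5936 framing), so the query builder and reply classifier can be exercised offline; `build_axfr_query`, `classify_axfr_response` and `axfr_allowed` are names chosen for this example.

```python
import socket
import struct

AXFR_QTYPE = 252   # QTYPE for a full zone transfer request (RFC 5936)
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def build_axfr_query(zone, txid=0x1234):
    """Wire-format DNS query asking for the whole zone (QTYPE AXFR, QCLASS IN)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # flags 0: plain query, RD off
    labels = [l.encode("ascii") for l in zone.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", AXFR_QTYPE, 1)

def classify_axfr_response(msg):
    """Classify the first DNS message of the reply as (status, answer_count)."""
    # A server that permits transfers answers NOERROR with the zone's SOA as the
    # first answer record; a hardened one answers REFUSED (or NOTAUTH if it is
    # not authoritative), which dig reports as 'Transfer failed'.
    if len(msg) < 12:
        return ("MALFORMED", 0)
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:            # QR bit clear: this is not a response
        return ("MALFORMED", 0)
    rcode = flags & 0x000F
    if rcode != 0:
        return (RCODE_NAMES.get(rcode, "RCODE%d" % rcode), 0)
    if ancount == 0:
        return ("EMPTY", 0)           # declined without an error code
    return ("TRANSFER_ALLOWED", ancount)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("name server closed the connection early")
        buf += chunk
    return buf

def axfr_allowed(nameserver, zone, timeout=5.0):
    """Send the AXFR over TCP with the 2-byte length prefix and classify the reply."""
    query = build_axfr_query(zone)
    with socket.create_connection((nameserver, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return classify_axfr_response(_recv_exact(sock, length))
```

Run `axfr_allowed("a.iana-servers.net", "example.com")` against your own authoritative servers (TCP/53 must be reachable); for a zone that is not meant to be public, any result other than REFUSED or NOTAUTH is a finding to fix in the server's allow-transfer configuration.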

Find Shared NS Servers
Finds hosts sharing the same name server. This can be used to identify all domains within an organisation, allowing rapid expansion of the attack surface. In the example below we see the discovery of related domains within the same organisation, across different top level domains (TLDs) and root domains.

Using ns1.example.com

example.com
example.co.uk
examplenetwork.ca

Wrapping up

The above is a summary of what each of the services can do. Check out the individual tool pages for full details, including the API, membership quotas, and more.

Below is a flowchart of the network discovery process. Notice its cyclic behaviour and the areas where these DNS tools will iteratively expand the attack surface.

Overview of the Network Discovery Process

[Figure: flowchart of domain reconnaissance]