Find all Forward DNS (
A) records for a domain. Enter a domain name and search for all subdomains associated with that domain. A handy reconnaissance tool when assessing an organisations security.
Recon: Find your targets with a DNS (A) record search
Use this hostname search to find all the forward DNS records (A records) for an organisation. Results are limited to a max of 2000 results. Try the domain profiler tool to get a full listing with additional meta data from the discovered hosts.
A forward DNS record (or A record) is used to determine an IP address from a human readable hostname. By searching all forward DNS records for a domain, attackers (or security penetration testers) can begin to understand the layout of an organisations Internet footprint. This type of reconnaissance can discover a wide range of hosts from multiple IP net blocks that can contain a wide range of services. With a good understanding of the perimeter the discovered systems can be assessed for security weak spots. The more hosts found the wider the potential attack surface.
Forward DNS Hostname Search
The only function within the DNS protocol to identify all (A) records associated with a domain is to perform a DNS Zone Transfer. This zone transfer is a process that allows replication of DNS data between two DNS servers. However, it is deemed to be a security risk to leak all that DNS data so a properly configured DNS server should not allow a DNS zone transfer to non-authorized hosts.
Since it is likely that a DNS zone transfer will not work, we need another way to identify all the hosts associated with a domain. This discovery process can use a number of resources such as search engines, DNS data sets, brute forcing or crawling to enumerate subdomains.
Subdomain Enumeration from Search Engines
Search engines are a popular subdomain enumeration technique. Advantages of this method are that it is a passive search, in other words you are not sending any traffic to the target network or DNS servers. The search engine returns a list of results that contain the domain you are searching on. An example using Google is to perform the following query:
This will show all results from Google that contain the domain
site.com. As it is likely that there are many results on
www.example.com we can refine the search with the following query.
This will filter the
www.example.com domain from the results, perhaps revealing a number of more interesting subdomains to target.
Brute Forcing Subdomains
A number of DNS enumeration tools and scripts are available that will simply take a list of keywords (potential subdomains) and attempt to resolve these against the target domain. This is not an entirely passive undertaking as the DNS resolution goes to the target domains DNS server and results in many failed lookups.
If someone is closely monitoring the DNS server of the target domain they will be able to detect that someone is performing a brute force subdomain scan against the domain.
There are a number of tools that can perform this enumeration, if you have Nmap installed there is an NSE script that will perform a DNS subdomain brute force (dns-brute).
DNS and SSL Data Sets for Subdomain Enumeration
The data we use to find host records here at hackertarget.com is sourced from a number of excellent projects as well as Internet search engines.
Scans.io is a project supported by Rapid 7 that compiles Internet scan data as well as DNS data sets, including both forward and reverse DNS records. By searching through the Forward DNS data set we can find all subdomains in the list that match a domain name query.
Another project is the censys.io project. This project from the University of Michigan also compiles a large amount of Internet scan data as well SSL data. Searching the SSL records can reveal hostnames of target domains. There is an API available or the full data sets can be downloaded.
Certificate transparency logs are yet another excellent source of host data. A project that allows browsers to confirm the validity of SSL certificates in near real time. Certificate transparency also happens to be an excellent source for perfoming reconnasance against target domains.
Related IP Tools
We have a number of other related tools in our IP Tools suite that may be of interest. The Reverse DNS Lookup enables searching reverse PTR records for a domain and the Reverse IP search identifies hosts sharing an IP address. By combining these tools it should be possible to get a very good indication of where an organisations Internet systems are located both from IP address and physical location if used in conjunction with GeoIP lookups.
Use the Domain Profiler tool to perform automated reconnaissance against a domain name. This provides a quick overview of an organisations Internet facing infrastructure within a few minutes.
Results are collected passively; no packets are sent against the target IP ranges resulting in a very stealthy way to assess an organizations perimeter.
Forward DNS search API
Rather than using the form above you can also access the forward DNS tool using the API. The output is simply plain text and will include the IP address and the forward DNS host name. Data from the tool can be easily imported into a spreadsheet or other tool for reference purposes.
This query will display the forward DNS records discovered using the data sets outlined above.
Discover, Explore, Learn.