
# \[53] DNS Enumeration

| **DNS Concept**             | **Description**                                                                  | **Example**                                                                                                                             |
| --------------------------- | -------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| `Domain Name`               | A human-readable label for a website or other internet resource.                 | `www.example.com`                                                                                                                       |
| `IP Address`                | A unique numerical identifier assigned to each device connected to the internet. | `192.0.2.1`                                                                                                                             |
| `DNS Resolver`              | A (usually recursive) server that answers a client's query by walking the DNS hierarchy on its behalf and caching the result. | Your ISP's DNS server or public resolvers like Google DNS (`8.8.8.8`) or Cloudflare (`1.1.1.1`)                                       |
| `Root Name Server`          | The top-level servers in the DNS hierarchy.                                      | There are 13 root servers worldwide, named A-M: `a.root-servers.net`                                                                    |
| `TLD Name Server`           | Servers responsible for specific top-level domains (e.g., .com, .org).           | [Verisign](https://en.wikipedia.org/wiki/Verisign) for `.com`, [PIR](https://en.wikipedia.org/wiki/Public_Interest_Registry) for `.org` |
| `Authoritative Name Server` | The server that holds the zone's actual records (A, MX, NS, ...) and answers for them without referring elsewhere. | Often run by hosting providers, domain registrars, or the organization itself (e.g. `ns1.example.com`).                                 |
| `DNS Record Types`          | Different types of information stored in DNS.                                    | A, AAAA, CNAME, MX, NS, TXT, etc.                                                                                                       |

| **Record Type** | **Full Name**             | **Description**                                                                                                                             | **Zone File Example**                                                                          |
| --------------- | ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- |
| `A`             | Address Record            | Maps a hostname to its IPv4 address.                                                                                                        | `www.example.com.` IN A `192.0.2.1`                                                            |
| `AAAA`          | IPv6 Address Record       | Maps a hostname to its IPv6 address.                                                                                                        | `www.example.com.` IN AAAA `2001:db8:85a3::8a2e:370:7334`                                      |
| `CNAME`         | Canonical Name Record     | Creates an alias for a hostname, pointing it to another hostname.                                                                           | `blog.example.com.` IN CNAME `webserver.example.net.`                                          |
| `MX`            | Mail Exchange Record      | Specifies the mail server(s) responsible for handling email for the domain.                                                                 | `example.com.` IN MX 10 `mail.example.com.`                                                    |
| `NS`            | Name Server Record        | Delegates a DNS zone to a specific authoritative name server.                                                                               | `example.com.` IN NS `ns1.example.com.`                                                        |
| `TXT`           | Text Record               | Stores arbitrary text information, often used for domain verification or security policies.                                                 | `example.com.` IN TXT `"v=spf1 mx -all"` (SPF record)                                          |
| `SOA`           | Start of Authority Record | Specifies administrative information about a DNS zone, including the primary name server, responsible person's email, and other parameters. | `example.com.` IN SOA `ns1.example.com. admin.example.com. 2024060301 10800 3600 604800 86400` |
| `SRV`           | Service Record            | Defines the hostname and port number for specific services.                                                                                 | `_sip._udp.example.com.` IN SRV 10 5 5060 `sipserver.example.com.`                             |
| `PTR`           | Pointer Record            | Used for reverse DNS lookups, mapping an IP address to a hostname.                                                                          | `1.2.0.192.in-addr.arpa.` IN PTR `www.example.com.`                                            |

### **Common dig Commands**

| **Command**                     | **Description**                                                                                                                                                                                      |
| ------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `dig domain.com`                | Performs a default A record lookup for the domain.                                                                                                                                                   |
| `dig domain.com A`              | Retrieves the IPv4 address (A record) associated with the domain.                                                                                                                                    |
| `dig domain.com AAAA`           | Retrieves the IPv6 address (AAAA record) associated with the domain.                                                                                                                                 |
| `dig domain.com MX`             | Finds the mail servers (MX records) responsible for the domain.                                                                                                                                      |
| `dig domain.com NS`             | Identifies the authoritative name servers for the domain.                                                                                                                                            |
| `dig domain.com TXT`            | Retrieves any TXT records associated with the domain.                                                                                                                                                |
| `dig domain.com CNAME`          | Retrieves the canonical name (CNAME) record for the domain.                                                                                                                                          |
| `dig domain.com SOA`            | Retrieves the start of authority (SOA) record for the domain.                                                                                                                                        |
| `dig @1.1.1.1 domain.com`       | Specifies a specific name server to query; in this case 1.1.1.1                                                                                                                                      |
| `dig +trace domain.com`         | Shows the full path of DNS resolution.                                                                                                                                                               |
| `dig -x 192.168.1.1`            | Performs a reverse lookup on the IP address 192.168.1.1 to find the associated host name. You may need to specify a name server.                                                                     |
| `dig +short domain.com`         | Provides a short, concise answer to the query.                                                                                                                                                       |
| `dig +noall +answer domain.com` | Displays only the answer section of the query output.                                                                                                                                                |
| `dig domain.com ANY`            | Retrieves all available DNS records for the domain (Note: Many DNS servers ignore `ANY` queries to reduce load and prevent abuse, as per [RFC 8482](https://datatracker.ietf.org/doc/html/rfc8482)). |

```bash
# Subdomain brute forcing
Intrusionz3r0X@htb[/htb]$ dnsenum --enum inlanefreight.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -r

# Reverse lookup (interactive nslookup: point it at the target resolver, then query IPs)
Intrusionz3r0X@htb[/htb]$ nslookup
> SERVER 10.10.10.29
> 127.0.0.1
> 10.10.10.29        # reverse lookup of the DNS server itself

# Reverse lookup with dig
Intrusionz3r0X@htb[/htb]$ dig @10.10.10.10 -x 10.10.10.10 +short

# Reverse sweep of a whole range / brute force against a specific name server
Intrusionz3r0X@htb[/htb]$ dnsrecon -r 127.0.0.1/24 -n 10.10.10.29
Intrusionz3r0X@htb[/htb]$ dnsenum --dnsserver 10.10.10.248 -f /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -o scans/dnsenum-bitquark-intelligence.htb intelligence.htb

# AXFR zone transfer (the character class also keeps hyphenated hostnames)
Intrusionz3r0X@htb[/htb]$ dig axfr inlanefreight.htb @10.129.22.217 | grep -oP "[\w-]*\.inlanefreight\.htb" | sort -u > subdomains.txt
Intrusionz3r0X@htb[/htb]$ dig axfr @<DNS_IP>   # try a zone transfer without naming a domain (dig then asks for the root zone ".")

# Query A records
Intrusionz3r0X@htb[/htb]$ nslookup facebook.com
Intrusionz3r0X@htb[/htb]$ dig facebook.com @1.1.1.1
Intrusionz3r0X@htb[/htb]$ dig +short @10.10.11.205 cerberus.local

# Querying A records for a subdomain
Intrusionz3r0X@htb[/htb]$ nslookup -query=A www.facebook.com

# Querying PTR records for an IP address
Intrusionz3r0X@htb[/htb]$ nslookup -query=PTR 31.13.92.36
Intrusionz3r0X@htb[/htb]$ dig -x 31.13.92.36 @1.1.1.1

# Querying ANY existing records (many servers answer with a minimal response, see RFC 8482)
Intrusionz3r0X@htb[/htb]$ nslookup -query=ANY facebook.com
Intrusionz3r0X@htb[/htb]$ dig any google.com @8.8.8.8

# Querying TXT records
Intrusionz3r0X@htb[/htb]$ nslookup -query=TXT facebook.com
Intrusionz3r0X@htb[/htb]$ dig txt facebook.com @1.1.1.1

# Querying MX records
Intrusionz3r0X@htb[/htb]$ nslookup -query=MX facebook.com
Intrusionz3r0X@htb[/htb]$ dig mx facebook.com @1.1.1.1

# WHOIS information for a domain or IP
Intrusionz3r0X@htb[/htb]$ whois 157.240.199.35

# Subdomain brute forcing with a plain dig loop, then with dnsenum
Intrusionz3r0X@htb[/htb]$ for sub in $(cat /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
Intrusionz3r0X@htb[/htb]$ dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb

# Count the A records returned by two zone transfers (for fun)
Intrusionz3r0X@htb[/htb]$ echo $(($(dig axfr inlanefreight.htb @10.129.22.217 | column -t | awk '{print $5}' | grep -oP "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | wc -l)+$(dig axfr internal.inlanefreight.htb @10.129.22.217 | column -t | awk '{print $5}' | grep -oP "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | wc -l)))

# Automated enumeration
Intrusionz3r0X@htb[/htb]$ fierce --domain zonetransfer.me

# Enumerate subdomains
Intrusionz3r0X@htb[/htb]$ ./subfinder -d inlanefreight.com -v

Intrusionz3r0X@htb[/htb]$ git clone https://github.com/TheRook/subbrute.git >> /dev/null 2>&1
Intrusionz3r0X@htb[/htb]$ cd subbrute
Intrusionz3r0X@htb[/htb]$ echo "ns1.inlanefreight.com" > ./resolvers.txt
Intrusionz3r0X@htb[/htb]$ ./subbrute inlanefreight.com -s ./names.txt -r ./resolvers.txt
```
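The one-liners above pipe `dig axfr` output through ad-hoc greps. The following is an added example (not part of the original page or of any HackTheBox material) that does the same parsing in a reusable way and runs offline: it reads `dig axfr` output from stdin, prints the zone's owner names once each, prints the A records as `host ip` pairs, and builds the `in-addr.arpa` name that `dig -x` would query for each address, so the forward zone can be cross-checked against the reverse zone. The zone `example.htb` and its addresses are a constructed sample standing in for real `dig axfr` output.

```bash
#!/usr/bin/env sh
# Added example: parse `dig axfr` output offline. Not code from the original
# page; the zone below is a constructed sample, not a real host.

# Constructed sample of what `dig axfr example.htb @10.129.22.217` prints.
# Record lines have the shape: owner TTL class type rdata...
SAMPLE_AXFR='; <<>> DiG 9.18.1 <<>> axfr example.htb @10.129.22.217
;; global options: +cmd
example.htb.            604800  IN  SOA    ns.example.htb. root.example.htb. 2 604800 86400 2419200 604800
example.htb.            604800  IN  NS     ns.example.htb.
app-dev.example.htb.    604800  IN  A      10.129.2.28
ns.example.htb.         604800  IN  A      10.129.34.136
www.example.htb.        604800  IN  CNAME  app-dev.example.htb.
mail.example.htb.       604800  IN  A      10.129.18.201
mail.example.htb.       604800  IN  A      10.129.18.202
example.htb.            604800  IN  SOA    ns.example.htb. root.example.htb. 2 604800 86400 2419200 604800
;; Query time: 1 msec
;; SERVER: 10.129.22.217#53(10.129.22.217) (TCP)'

# axfr_hosts: every owner name in the transfer, once, without the trailing dot.
# dig's own commentary starts with ';' and is skipped; real records have 5+ fields.
axfr_hosts() {
    awk '$1 !~ /^;/ && NF >= 5 { print $1 }' | sed 's/\.$//' | sort -u
}

# axfr_a_records: "host ip" for each A record (a host with several A records
# appears once per address).
axfr_a_records() {
    awk '$1 !~ /^;/ && $4 == "A" { sub(/\.$/, "", $1); print $1, $5 }' | sort -u
}

# ptr_name: dotted IPv4 -> the in-addr.arpa owner name `dig -x` looks up.
# 192.0.2.1 -> 1.2.0.192.in-addr.arpa
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# axfr_ptr_names: "ptr_owner host" pairs, i.e. what the reverse zone should
# contain if it is consistent with the forward zone.
axfr_ptr_names() {
    axfr_a_records | while read -r host ip; do
        printf '%s %s\n' "$(ptr_name "$ip")" "$host"
    done
}

# Convenience wrappers over the constructed sample (used by the checks).
count_hosts() { printf '%s\n' "$SAMPLE_AXFR" | axfr_hosts | wc -l | tr -d ' '; }
count_a()     { printf '%s\n' "$SAMPLE_AXFR" | axfr_a_records | wc -l | tr -d ' '; }

# Stand-alone usage: show the parsed view of the sample zone.
printf '%s\n' "$SAMPLE_AXFR" | axfr_hosts
printf '%s\n' "$SAMPLE_AXFR" | axfr_a_records
printf '%s\n' "$SAMPLE_AXFR" | axfr_ptr_names
```

In practice replace the sample with a live transfer, e.g. `dig axfr inlanefreight.htb @10.129.22.217 | axfr_a_records`, and feed the `axfr_ptr_names` output to `dig -x` against the same server to see which hosts the reverse zone knows about. Skipping lines that begin with `;` is what makes this robust to the header and footer that `dig` prints around the records.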

### **Domain Takeover**

`Domain takeover` (in practice usually `subdomain takeover`) happens when a DNS record, typically a CNAME, still points at a domain or third-party resource that nobody controls any more: an expired domain, or a deprovisioned hosting instance, storage bucket or similar. Whoever registers that domain or claims that resource now answers for the original name and can use it for further attacks such as hosting malicious content under the victim's name or sending phishing email from it. While enumerating, note every CNAME whose target returns `NXDOMAIN`; whether such a target can actually be claimed depends on the provider, which is what the list below tracks.

Tool:

<https://github.com/EdOverflow/can-i-take-over-xyz>
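As an added example (not from the original page or from the can-i-take-over-xyz project), here is a small shell filter that spots the dangling-CNAME precondition from plain `dig` output: a recursive resolver that returns `status: NXDOMAIN` while still carrying a CNAME in the ANSWER section is saying that the alias exists but its target does not resolve. The two samples are constructed `dig` responses with fictional names, not captures from real domains.

```bash
#!/usr/bin/env sh
# Added example: flag a possibly dangling CNAME from `dig` output.
# Not code from the original page; both samples below are constructed.

# Constructed output of `dig blog.example.com`: the alias resolves to a CNAME
# but the overall status is NXDOMAIN, because the target name no longer exists.
SAMPLE_DANGLING='; <<>> DiG 9.18.1 <<>> blog.example.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; ANSWER SECTION:
blog.example.com.       300     IN      CNAME   old-blog.example-hosting.net.'

# Constructed output of `dig www.example.com`: a healthy CNAME chain that ends
# in an A record with status NOERROR.
SAMPLE_HEALTHY='; <<>> DiG 9.18.1 <<>> www.example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.example.com.        300     IN      CNAME   web.example.net.
web.example.net.        300     IN      A       192.0.2.10'

# dangling_cname: reads dig output on stdin. Prints "alias -> target" when the
# answer contains a CNAME and the response status is NXDOMAIN; prints nothing
# otherwise. If there is a chain, the last CNAME seen is the one reported.
dangling_cname() {
    awk '
        /status: NXDOMAIN/              { nx = 1 }
        $1 !~ /^;/ && $4 == "CNAME"     { alias = $1; target = $5 }
        END { if (nx && target != "") print alias " -> " target }
    '
}

# Wrappers over the constructed samples (used by the checks).
check_dangling() { printf '%s\n' "$SAMPLE_DANGLING" | dangling_cname; }
check_healthy()  { printf '%s\n' "$SAMPLE_HEALTHY"  | dangling_cname; }

# Stand-alone usage: only the first call prints a candidate.
check_dangling
check_healthy
```

Against a live target the filter is used as `dig blog.example.com | dangling_cname`, or in a loop over the subdomain list collected earlier. An `NXDOMAIN` target is only the precondition: the name may simply be unregistered with no way to obtain it, or the provider may refuse to bind a hostname it has not verified, so the reported target still has to be checked against the provider list above before calling it a takeover.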

