An Introduction to DNS Enumeration Tools and Techniques

· Introduction
· DNS Enumeration Tools and Techniques
∘ Nslookup
∘ Host
∘ Dig
∘ Fierce
∘ WHOIS
∘ DNSEnum
∘ Knockpy
∘ Subfinder
∘ Sublist3r
∘ DNSRecon
∘ Amass
∘ Recon-NG
∘ theHarvester
∘ Nmap
∘ Metasploit
· Conclusion
· Further Reading

Greetings, Cyber Mavericks!

This article is the first of a series of articles covering the use of DNS enumeration during the reconnaissance, exploitation, and post-exploitation phases of a penetration test.

Why DNS enumeration? Because sometimes the easiest way to find the key to the kingdom is to knock on the front door!”

In this first article, I will cover the basics of DNS enumeration, exploring the multitude of tools available to us during the reconnaissance phase.
The goal is not to make you a DNS ninja but to introduce you to the vast subject of DNS enumeration and its significance.

To keep the article shorter, I have written a separate article, sharing my
10 DNS Enumeration Tips & Tricks.

DNS (Domain Name System) is a protocol used to translate human-readable domain names into IP addresses that computers can understand.

I am assuming that you know the basics of how DNS works before you discover the ways of DNS Enumeration. If not, I got you covered.
Check out this DNS primer by Daniel Miessler for a great introduction to DNS.

The table below is a short and quick refresher for the main DNS Record Types and their purpose.

DNS enumeration is the process of discovering all the DNS records associated with a domain. It can provide ethical hackers with valuable information during the reconnaissance phase of a penetration test, as it can uncover subdomains, IP addresses, and other information that may be useful for further analysis, mapping the infrastructure, identifying potential vulnerable targets and planning attack paths.

The goal of DNS Enumeration is to discover all the DNS servers, subdomains, and other DNS-related information associated with the target. DNS enumeration can be performed manually, but it is a time-consuming and error-prone process. Hence, it is recommended to use automated tools and techniques to perform DNS enumeration.

In this article, we’ll provide an overview of DNS enumeration, discuss its significance in penetration testing, and explore popular tools and basic techniques used in the process. More techniques and or advanced topics will be covered in future articles.

The Importance of DNS Reconnaissance

DNS enumeration is a crucial part of the reconnaissance phase in penetration testing. It allows ethical hackers to build a complete picture of the target network’s infrastructure and identify potential attack vectors.

Some of the objectives of DNS enumeration include:

1. Identifying all the DNS servers and their configurations.
2. Discovering subdomains and other associated domains.
3. Mapping network topologies and identifying potential vulnerabilities.
4. Gathering email server information and identifying email security issues.
5. Identifying DNS-related misconfigurations and weaknesses that could exploited in attacks.

In short, DNS enumeration provides valuable insights into the target network’s infrastructure that can be used to develop attack plans.

High-level Overview of the Process

The DNS enumeration process involves identifying the target domain, collecting information about it, and performing various DNS queries to obtain more information. The process can be broken down into the following steps:

1. Identify the target domain — This involves identifying the domain name of the target network.
2. Collect information about the target domain — This involves using techniques like Google Dorking, social engineering, and passive DNS to collect information about the target.
3. Perform DNS queries — This involves using various tools and techniques to perform DNS queries to extract more information about the target domain’s infrastructure.

DNS enumeration techniques can be divided into two categories:

• Passive enumeration involves collecting information about the target domain without directly querying its DNS servers.
• Active enumeration involves performing DNS queries directly against the target DNS servers.

There are various techniques used for DNS enumeration, including zone transfers, reverse lookups, brute force, and dictionary attacks.
Before we dive into the more advanced topics, let’s establish some basic tools and techniques for DNS discovery and enumeration.
In this article, I will introduce you to some of the most commonly used tools.

Experienced Penetration Testers usually develop a preference for one or more tools. I would still recommend trying all the tools discussed in this article and getting familiar with them before you make your choice.

Let’s take care of some prerequisites first before you start using the DNS enumeration tools. You’ll need the following:

• Linux Pentesting distribution: Kali Linux or Parrot OS are the gold standard for penetration testing and usually come preloaded with the majority of the DNS recon tools. Alternatively, you can use any Linux distro and install the tools manually.
• Dependencies: some tools such as Knockpy have a dependency on Python3 and Git. If not present on your machine, you’ll need to install them first using your distribution’s package manager. Below, is an example of how to install those on Kali or other Debian-based systems such as Ubuntu.

$ python3 --version
$ sudo apt update
$ sudo apt install python3 git

• Linux-fu: some basic Linux command-line skills are required to edit files, and redirect input/output. It’s not a deal-breaker but it is a major advantage. Invest in learning Linux using the terminal. I recommend the following book for beginners: Linux Basics for Hackers.
• Note-taking app: a decent note-taking app and a system to organize all your collected information and findings. This step is crucial.
  Any note-taking app would do. Notion.so (web-based) or CherryTree (Kali app) are my favorites.
• Coffee: yes, coffee. You *NEED* coffee! If you are not a coffee drinker, this tutorial is just not for you! Just kidding :)

WARNING!
While most DNS enumeration techniques are passive in nature, please exercise commonsense and caution when using some tools or options that may be active (communicating with the target’s DNS servers).

For example, brute-forcing , fuzzing sub-domains or zone transfers are *not* passive and could overwhelm the DNS server and cause a Denial-of-Service or in the worst case scenario, be picked up by security monitoring tools and considered an attack on the target's infrastructure.

It goes without saying that the author is not responsible for what you choose to do with the techniques explained in this article.

Without further ado, here are the tools and some examples of how to perform DNS reconnaissance.

Nslookup

nslookup is a command-line tool that is used to query DNS servers interactively. It is the most common tool for mapping domain names to IP addresses and is available by default on all major operating systems such as Windows, Mac, and Linux platforms.

nslookup <DOMAIN>

This will query the default DNS server for information about the Forward DNS lookup for the domain rhul.ac.uk. The output will include information such as the IP address of the domain and the name server used by the domain. Nslookup can also be used to perform Reverse DNS Lookup using the IP address instead. This only works if a PTR record (Pointer) is configured to resolve the IP address back to a hostname or domain.

You can find more useful options and command line parameters by using “nslookup — help”. The example below discovers the MX records (Mail eXchange or email servers) of the target.

Play around with it and try the following command:

$ nslookup -type=MX <Target> <DNS Server>

In the below example, we are querying any DNS record type for GoDaddy.com using the DNS server 8.8.8.8 (for the geeks out there, you should instantly recognize this!).

Host

host is a very simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. It is available on Linux platforms. To use host, open a terminal and enter the following command:

$host <DOMAIN>

By now you should have worked out that if Query Type is set to “any” it is a special type or simply “magic”!

Instead of retrieving single query types such as MX, A or CNAME, it retrieves all DNS record types for a domain. See the example below.

$ host -a <DOMAIN>

Notice the more detailed output using the -a option (any) compared to just running host <domain>?

There are occasions when you’d want to target specific record types, however, for the first stages of reconnaissance, it is always a good idea to inspect the output of “any” DNS record type before narrowing down your scope.

For more options, use your trusty man (manual) page command: man host or simply type host with no parameters and it will display the help options available to the utility host.

Dig

dig a flexible, yet powerful tool for interrogating DNS name servers.
The dig utility is a more advanced command-line tool that is used for DNS resolution and query. It is used to query DNS servers for detailed information about domain names and DNS records. It has more advanced features than nslookup and host and can perform more complex DNS queries. Dig can be used to perform DNSSEC validation, EDNS queries, and other advanced DNS functions.

Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use, and clarity of output. Other lookup tools tend to have less functionality than dig.

The command below will query the default DNS server for information about the target domain, in our case rhul.ac.uk. The output will include information such as the IP address of the domain, the name server used by the domain, and other DNS records associated with the domain.

dig <DOMAIN>

Let’s try some neat tricks with dig. There are several options to extract just the relevant output or answer without the extra faff usually included in the output of dig command. The following options help reduce the volume of output and make it easier to read

• +noall option tells dig to turn off all output flags, so no additional information beyond the answer section is displayed.
• +answer option tells dig to display only the answer section of the query results. This is useful for filtering out extraneous information and focusing on the most relevant data.

$ dig <QUERY_TYPE> +<OPTION> <DOMAIN>

Additional options that might be useful include:

• +short: provides a more concise output, with just the IP addresses or other relevant data displayed.
• +recurse: tells the DNS server to recursively query other DNS servers until it gets the complete answer.
• @server: specifies the DNS server to query.
• +dnssec: requests DNSSEC information for the query.
• +time=X: sets the maximum time for the query to complete to X seconds. Useful when you have issues with queries timing out.

Fierce

Fierce is a command-line utility specifically designed for DNS reconnaissance and is used to locate non-contiguous IP space and discover the associated domain names. It is particularly useful for conducting DNS enumeration and subdomain discovery. This tool can perform zone transfers and dictionary-based brute-force attacks to discover new subdomains that are not in the DNS zone file. The latter can be particularly useful in finding hidden or lesser-known subdomains.

Some of the key features of Fierce include:

• Automatic zone transfers against DNS servers to gather information about subdomains associated with the target domain
• Dictionary-based brute-force attacks to discover new subdomains
• Output of discovered subdomains to a file in multiple formats (CSV, XML, etc.)
• Ability to specify multiple DNS servers to use for resolution

By automating the tedious, time-consuming and often manual process of gathering information about subdomains associated with a target domain, fierce can be used to save valuable time during your DNS reconnaissance.

$ fierce --domain <DOMAIN>

WHOIS

whois is a command-line tool used to gather information about a domain and its owner. Although it is not specifically used for DNS enumeration, it can be used to gather information about domain names and IP addresses.
Put it in the category of “good to know” for general reconnaissance about your target but not as useful as the other tools discussed in this article when it comes to DNS enumeration.

$ whois <DOMAIN>

The whois command can also reveal if your target domain has DNSSEC configured without having to query DNS servers directly. This is not only a handy but also a low-cost method of gathering data by avoiding direct contact with the DNS servers of your target.

DNSEnum

dnsenum is a versatile DNS enumeration tool that can perform various tasks such as subdomain enumeration, reverse IP lookups, discovering non-contiguous IP blocks, and performing zone transfers.

dnsenum --enum <DOMAIN>

dnsenum can currently perform many DNS reconnaissance operations such as the following operations:

• Get the usual A, MX, and NS records for a domain.
• Perform zone transfer (AXFR) queries on nameservers.
• Discover additional subdomains via Google scraping.
• Brute force subdomains from a file can also perform recursive queries on subdomains that have NS records.
• Perform reverse lookups on network ranges.
• Calculate C class domain network ranges and perform whois queries on them.

See the below examples for an extended version of the output.

Knockpy

Knock is a highly configurable, modular Python tool that is used to perform DNS enumeration by brute-forcing subdomains.

It supports the following scans:

* SCAN
full scan:      knockpy domain.com
quick scan:     knockpy domain.com --no-local
faster scan:    knockpy domain.com --no-local --no-http
ignore code:    knockpy domain.com --no-http-code 404 500 530
silent mode:    knockpy domain.com --silent
* SUBDOMAINS
show recon:     knockpy domain.com --no-local --no-scan

To use knockpy, open a command prompt and enter the following command:

$ knockpy tryhackme.com -o report

This will perform a “full scan” DNS enumeration on the domain tryhackme.com and will also brute-force potential subdomains to find additional information. ne important option is the -oflag which specifies the output file format. In the example above, we have saved the results in JSON format.

Subfinder

subfinder is a fast and easy-to-use subdomain enumeration tool that supports multiple passive sources for gathering information. It was built for doing one thing only — fast passive subdomain enumeration, and it does that very well.

$ subfinder -d <DOMAIN>

To view the full list of sources used by subfinder, type the command:

Sublist3r

sublist3r is a tool designed to enumerate subdomains of websites using OSINT. It is a Python-based tool that uses multiple search engines and APIs to find subdomains. One important option is the -vflag which specifies the verbosity level of the output. Another useful option is -b brute force.

$ sublist3r -d <DOMAIN> -b -v

DNSRecon

dnsrecon is a comprehensive DNS scanning and enumeration framework that can perform various tasks such as subdomain enumeration, zone transfers, and DNS record analysis. This tool is quite powerful, rich in features, and deserves to have an entire article dedicated to its functions.

We will only cover basic DNS enumeration. For more information consult the Kali tools website or check the page linked in the “Further Reading” section at the bottom of this article.

DNSRecon features include:

• Checking all NS records for zone transfers.
• Enumerating general DNS records for a given domain.
• Performing common SRV record enumeration.
• Checking for wildcard resolution.
• Brute forcing subdomain and host records using a domain and a wordlist.
• Performing a PTR record (reverse) lookup for a given IP range or CIDR.
• Checking DNS server cached records for A, AAAA and CNAME.
• Enumerating hosts and subdomains using Google scraping.

dnsrecon has many features and options you should explore.
An important option when performing DNS brute force is -f.

When performing brute force domain lookup, some domains may resolve to a wildcard IP address, often used by domain owners to handle requests for non-existent subdomains. By using the -f option, DNSRecon will filter out these results and exclude them when saving records, ensuring that only relevant and non-wildcard records are retained.

$ dnsrecon -f -d <DOMAIN>

Amass

Amass is arguably one of the most powerful enumeration tools and is widely favored by Bug Bounty hunters. It is described as a framework for network mapping of attack surfaces and external asset discovery using open-source information gathering (passive) and reconnaissance techniques (active).

Amass has support for data gathering using APIs, Certificates, DNS, Routing, Scraping, Web Archives, and WHOIS.

In terms of DNS, we are interested in its capabilities which include:
Brute forcing, Reverse DNS sweeping, NSEC zone walking, Zone transfers, FQDN alterations/permutations, FQDN Similarity-based Guessing.

The easiest way to get started is to kick off a basic DNS enumeration using the following command:

$ amass enum -d <DOMAIN>

The final results may look like this:

Recon-NG

Recon-ng is a powerful reconnaissance framework that includes modules useful for various types of reconnaissance. I use this tool a lot as a one-stop shop when gathering different recon data on an organization or more due to its handy internal database and extensible capabilities. It can collect information on domain names, IP addresses, Netblocks, open ports, hosts, email contacts, and organization names.

Focusing on DNS-related activities, we have quite a few modules to aid us in performing tasks such as DNS recon, sub-domain brute-forcing, and DNS zone transfers.

By default, no modules are installed within the most recent versions of Recon-ng on Kali. To install your modules of choice, you need to first refresh before you start searching for available Marketplace modules:

marketplace refresh
marketplace search

Here’s an example of basic DNS recon using the HackerTarget module which finds hosts and subdomains associated with your target domains and saves them to table hosts in the default recon-ng database.

Let’s run through an example:

$ recon-ng
[recon-ng][default] >  workspaces create tryhackme
[recon-ng][tryhackme] > marketplace refresh
[recon-ng][tryhackme] > marketplace search hackertarget
[recon-ng][tryhackme] > marketplace install hackertarget
[recon-ng][tryhackme] > modules load hackertarget
[recon-ng][tryhackme][hackertarget] > info
[recon-ng][tryhackme][hackertarget] > options list
[recon-ng][tryhackme][hackertarget] > db insert domains
[recon-ng][tryhackme][hackertarget] > show domains
[recon-ng][tryhackme][hackertarget] > run
[recon-ng][tryhackme][hackertarget] > show hosts

In the above example we have carried out the following tasks:

• Create a “workspace” called tryhackme. It is similar to a project to group your engagement data and prevent mixing up your results.
• Refresh the Marketplace or the repository before installing modules.
• Search for and install a module named hackertarget.
• Load the module and view its extended information and options.
• Add a target domain to the domains database and verify.
• Run the module and view the results in the hosts database.

Other Recon-ng modules that can be useful for DNS recon:

1. recon/domains-hosts/brute_hosts: performs brute force DNS host enumeration using a wordlist.
2. recon/domains-hosts/google_site_web: uses Google to find websites hosted on the target domain.
3. recon/domains-hosts/shodan_hostname: uses Shodan to find hostnames related to the target domain.
4. recon/domains-hosts/ssl_san: extracts Subject Alternative Names (SANs) from SSL certificates to find related hostnames.
5. recon/domains-hosts/bing_domain_web: uses Bing to find web pages related to the target domain.

Feel free to try them out. There are plenty more to explore in Recon-ng.

[recon-ng][example] > marketplace refresh
[recon-ng][example] > marketplace search dns
[recon-ng][example] > marketplace install ssl_san
[recon-ng][example] > marketplace install bing_domain_web

theHarvester

theHarvester is a popular recon framework used for gathering various types of information about a target domain. The tool gathers names, emails, IPs, subdomains, and URLs by using multiple public resources. In our case, we are going to be using it to perform DNS enumeration. It can be set to query for information in passive mode using public sources such as Bing, Google, and LinkedIn or active mode for DNS brute forcing.

Here are some examples of how you can use theHarvester to enumerate DNS information:

$ theHarvester
usage: theHarvester [-h] -d DOMAIN [-l LIMIT] [-S START] [-p] [-s] [--screenshot SCREENSHOT] [-v] [-e DNS_SERVER] [-r] [-n] [-c] [-f FILENAME] [-b SOURCE]
$ theHarvester  -d example.com -l 100 -b all -f output.txt

This command instructs theHarvester to search for DNS-related information for the domain example.com limits the output to 100 results and saves the results to output.txt

Here’s an example enumerating formula1.com for all of you F1 Racing fans.

Note that some sources such agoogleCSE, shodan and bingapi require API keys to work. You will have to take care of these by registering on their websites and adding the keys to theHarvester if you want to use those modules.

Now we are getting some interesting results. Notice how theHarvester found some interesting URLs and not only (sub)domains? We have obtained a great amount of information about IPs, ASNs, URLs and Hosts.

We can further enumerate the IPs using reverse DNS lookup using the Harvester option -nor a tool such as the dig utility.

Below are some interesting switches:

• -d: domain to search (target)
• -b: use specific data sources (github, censys, virustotal... etc. ) or all
• -v: verify hostnames via DNS resolution and search for virtual hosts
• -f: save results to a file in both HTML and XML formats
• -n: perform a DNS reverse query on all network ranges discovered
• -c: perform a DNS brute-force search for the domain name
• -l: limit the number of results to work with
• -h: use Shodan database to query discovered hosts

Nmap

Unless you were living in a cave, you would have undoubtedly heard of or even used the king of network reconnaissance tools known as Network Mapper (Nmap). You would have been using this tool to perform your host discovery, port scanning, service enumeration, network mapping, taking the dog out for a walk (maybe one day? 😄), and much more.

Nmap also provides a set of scripts that can be used to perform DNS enumeration, brute-forcing, and analysis using the built-in Nmap Scripting Engine (NSE).

The example below will use DNS an nmap DNS brute-forcing script (dns-brute.nse) with the arguments domain=cnn.com:

$ nmap -p 53 --script=dns-brute --script-args="dns-brute.domain=cnn.com" cnn.com

The output can be seen below.

To view the full list of nmap DNS scripts, use the following command:

$ ls -la  /usr/share/nmap/scripts/*dns* | rev | cut -d "/" -f1 | rev

The output should look similar to the below screenshot.

There are more DNS enumeration options to cover so we will save that for a second part where we go deeper into DNS enumeration techniques such as zone transfers, recursion, fuzzing, DNSSEC enumeration, etc.

Metasploit

The Metasploit Framework (MSF) is a powerful open-source penetration testing framework that provides a wide range of tools, modules, and exploits that can be used to automate the process of scanning, testing, and exploiting vulnerabilities in a target system.

With its extensive collection of modules, Metasploit offers various functionalities, including those tailored for DNS enumeration, making it a valuable resource for security professionals during reconnaissance and vulnerability assessment tasks.

One example of a Metasploit module commonly used for DNS enumeration is the “auxiliary/gather/enum_dns” module. This module allows you to perform DNS enumeration by querying a DNS server for information about a target domain. It can retrieve various DNS record types, such as A, AAAA, MX, NS, and TXT records, providing valuable information about the target’s DNS infrastructure.

msf6 > use auxiliary/gather/enum_dns
msf6 auxiliary(gather/enum_dns) > show options
msf6 auxiliary(gather/enum_dns) > set DOMAIN oreo.com
msf6 auxiliary(gather/enum_dns) > set ENUM_BRT true
msf6 auxiliary(gather/enum_dns) > set THREADS 1
msf6 auxiliary(gather/enum_dns) > run

There are additional DNS-related modules in Metasploit that may interest you if you wish to explore MSF’s capabilities further, such as:

• auxiliary/spoof/dns/native_spoofer: resolve and spoof intercepted DNS queries.
• auxiliary/fuzzers/dns/dns_fuzzer: perform DNS and DNSSEC protocol-level fuzzing. This is invasive and may crash the DNS server!
• post/multi/gather/dns_bruteforce: Brute force subdomains and hostnames via wordlist.
• post/multi/gather/dns_reverse_lookup: perform DNS reverse lookup using the OS-included DNS query command.

You can search for and explore the full range of DNS modules within the Metasploit Framework using the following command:

msf6 > search type:auxiliary dns

DNS enumeration is an important phase in the reconnaissance process of any penetration testing engagement and mastering this skill can be valuable for any security professional. It can help identify valuable information about a target organization’s IT infrastructure, which can be used to identify vulnerabilities and plan attack vectors.

In this article, I have covered the basics of DNS enumeration, including what it is, why it is important, and the different techniques and tools used in the process. We have also explored some techniques that can be used to further enhance the effectiveness of DNS enumeration. By following the exercises and tips outlined in this article, you have started your journey to become a skilled DNS enumerator and a more efficient penetration tester.

DNS enumeration should be used responsibly, and only on targets that have given explicit permission for penetration testing. It goes without saying that you should not use any information gathered for malicious purposes. Unauthorized use can lead to legal and ethical consequences.

To become a skilled DNS enumerator, it is important to continue practicing and exploring different tools and techniques. DNS enumeration tools and techniques vary, and it is important to choose the right tool for the job.

Additionally, keeping up to date with the latest trends and vulnerabilities in DNS infrastructure can help keep your skills sharp.

I hope this article has helped you understand the basics of DNS enumeration and how it can be used during the reconnaissance phase of a penetration test. If you would like to learn more, please leave a comment or reach out to me.

Remember to check out my follow-up article for additional tips:
10 DNS Enumeration Tips & Tricks

Lastly, I would like to ask you, my dear reader, if you would like to see more DNS enumeration techniques covered in future articles, please let me know in the comments section.

Your feedback is important to me, and I appreciate your valuable time and attention. Thank you for reading!

Now, Go & Play!

• 10 DNS Enumeration Tips & Tricks
• DNS Primer by Daniel Miesler
• Full List of DNS Parameters
• DNS for CyberSecurity by Eli the Computer Guy
• DNSRecon: a powerful DNS reconnaissance tool
• Recon-ng Cheat Sheet by BHIS
• AWS IP Ranges
• Azure IP Ranges and Service Tags
• Google Cloud External IP Ranges