The Domain Name System (DNS) translates domain names into IP addresses. Misconfigured DNS servers can expose internal infrastructure details and enable various attacks.
Default Port: 53 (UDP/TCP)
Basic Enumeration
Banner Grabbing
# Query BIND version
dig version.bind CHAOS TXT @<DNS_IP>
# Fingerprint with fpdns
fpdns <IP>
# Nmap
nmap -n --script dns-nsid <IP>
ANY Record Query
dig any victim.com @<DNS_IP>
Zone Transfer (AXFR)
dig axfr @<DNS_IP> # Without domain
dig axfr @<DNS_IP> <DOMAIN> # With domain
fierce --domain <DOMAIN> --dns-servers <DNS_IP>
Standard Queries
dig ANY @<DNS_IP> <DOMAIN> # Any information
dig A @<DNS_IP> <DOMAIN> # IPv4 address
dig AAAA @<DNS_IP> <DOMAIN> # IPv6 address
dig TXT @<DNS_IP> <DOMAIN> # Text records (SPF, DKIM, etc.)
dig MX @<DNS_IP> <DOMAIN> # Mail servers
dig NS @<DNS_IP> <DOMAIN> # Nameservers
dig -x 192.168.0.2 @<DNS_IP> # Reverse lookup
dig -x 2a00:1450:400c:c06::93 @<DNS_IP> # Reverse IPv6
Active Directory SRV Records
dig -t SRV _gc._tcp.lab.domain.com @<DNS_IP>
dig -t SRV _ldap._tcp.lab.domain.com @<DNS_IP>
dig -t SRV _kerberos._tcp.lab.domain.com @<DNS_IP>
nslookup -type=srv _kerberos._tcp.<CLIENT_DOMAIN>
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='domain.com'"
Subdomain Enumeration
DNS Brute Force
dnsenum --dnsserver <IP_DNS> --enum -p 0 -s 0 -o subdomains.txt \
-f subdomains-1000.txt <DOMAIN>
dnsrecon -D subdomains-1000.txt -d <DOMAIN> -n <IP_DNS>
dnscan -d <domain> -r -w subdomains-1000.txt
Automated Subdomain Discovery
# Loop-based brute force
for sub in $(cat <WORDLIST>); do \
dig $sub.<DOMAIN> @<DNS_IP> | grep -v ';\|SOA' | \
sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt; \
done
# With dnsenum
dnsenum --dnsserver <DNS_IP> --enum -p 0 -s 0 -o subdomains.txt \
-f wordlist.txt <DOMAIN>
nmap Scripts
nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" <IP>
Reverse DNS Brute Force
dnsrecon -r 127.0.0.0/24 -n <IP_DNS> # Reverse lookup subnet
dnsrecon -r <IP_DNS>/24 -n <IP_DNS>
dnsrecon -d active.htb -a -n <IP_DNS> # Zone transfer
If you find subdomains resolving to internal IPs, run a reverse DNS brute force against the entire internal IP range to discover more internal hosts.
DNSSEC Enumeration
# DNSSEC enumeration
nmap -sSU -p53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=paypal.com ns3.isc-sns.info
# Check DNSSEC records
dig example.com DNSKEY +dnssec
dig example.com DS +short
dig example.com CDS +short
IPv6 DNS Brute Force
dnsdict6 -s -t <domain> # AAAA brute force
dnsrevenum6 pri.authdns.ripe.net 2001:67c:2e8::/48 # Reverse IPv6
DNS Recursion DDoS
If DNS recursion is enabled, an attacker can spoof the origin on UDP packets to make the DNS server send responses to a victim server (DNS amplification attack).
# Check if recursion is available
dig google.com A @<IP>
# Look for 'ra' (recursion available) flag in response
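The same check scripted, as an added Python example that is not from the page or from any tool it lists: it builds a recursive query, reads the flag word from the raw response header (RFC 1035 section 4.1.1) and reports whether the resolver answers for a foreign name. The function names, the verdict heuristic and the two sample reply headers are constructed here.

```python
import socket
import struct

# Header flag bits, RFC 1035 section 4.1.1
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODE_REFUSED = 5

def build_query(name, txid, qtype=1):
    """Minimal recursive query (RD set) for `name`, class IN, no EDNS."""
    labels = [l.encode() for l in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(resp):
    """Decode the 12-byte header into its flags and section counts."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "tc": bool(flags & TC), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "rcode": flags & 0xF, "answers": an}

def recursion_verdict(resp, txid):
    """Classify the reply to a recursive query for a name the server is
    not authoritative for (the page's `dig google.com A @<IP>` check)."""
    h = parse_header(resp)
    if h["id"] != txid or not h["qr"]:
        return "mismatched or non-response packet"
    if h["rcode"] == RCODE_REFUSED:
        return "REFUSED: recursion denied for this client"
    if h["ra"] and h["answers"] > 0:
        return "OPEN RESOLVER: RA set and foreign name answered"
    if h["ra"]:
        return "RA set but no answer: recursion advertised"
    return "RA clear: recursion not offered"

def probe(server, name="google.com", txid=0x1234, timeout=3.0):
    """Send the query over UDP to your own resolver and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return recursion_verdict(data, txid)

# Constructed sample reply headers (record data is not needed for the flags)
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RCODE_REFUSED, 1, 0, 0, 0)
```

`probe("<DNS_IP>")` runs the live check; an "OPEN RESOLVER" verdict on an Internet-facing server is the condition that enables the amplification attack described above and is fixed with `allow-recursion` in BIND.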
DNS Auditing Checks
NS Delegation Integrity
dig example.com NS +short
for ns in $(dig +short example.com NS); do \
dig @${ns%?} example.com SOA +short; \
done
# Lame delegation: NS doesn't answer authoritatively
Very Low TTL on Critical Records
dig example.com A +ttlid
dig example.com MX +ttlid
# TTL < 300 on critical records = faster rollout of malicious changes
CAA Policy
dig example.com CAA +short
# issue/issuewild with "any" is overly permissive
Post-Exploitation Config Files
/etc/resolv.conf
/etc/bind/named.conf
/etc/bind/named.conf.local
/etc/bind/named.conf.options
/etc/bind/named.conf.log
/etc/bind/*
Key settings to check in BIND:
allow-transfer — who can do zone transfers
allow-recursion — who can send recursive requests
allow-query — who can query the server
NDN Harvesting via DNS
Sending email to a non-existent address may trigger a Non-Delivery Notification (NDN) that reveals internal server names and IP addresses in its headers.