Skip to main content
DNS protocol templates allow you to perform DNS queries and test DNS infrastructure for misconfigurations, subdomain takeovers, and information disclosure.

Basic DNS query

A simple DNS template performs a query for a specific record type: 
id: dns-a-record

info:
  name: DNS A Record Query
  author: pdteam
  severity: info

dns:
  - name: "{{FQDN}}"
    type: A
    class: inet
    
    matchers:
      - type: word
        words:
          - "IN\tA"

DNS request components

Name

name
string
required
The hostname/domain to query. Usually set to {{FQDN}} variable.
dns:
  - name: "{{FQDN}}"
    type: A

Record types

type
string
required
DNS record type to query.Supported types:
  • A - IPv4 address
  • AAAA - IPv6 address
  • CNAME - Canonical name
  • MX - Mail exchange
  • NS - Nameserver
  • TXT - Text record
  • SOA - Start of authority
  • PTR - Pointer record
  • SRV - Service record
  • CAA - Certificate authority authorization
  • TLSA - TLS authentication
  • DS - Delegation signer
  • ANY - Any record type
dns:
  - name: "{{FQDN}}"
    type: TXT

Query class

class
string
default:"inet"
DNS query class.Options: inet, csnet, chaos, hesiod, none, any
dns:
  - name: "{{FQDN}}"
    type: A
    class: inet

DNS query options

Recursion

recursion
boolean
default:true
Enable recursive DNS resolution.
dns:
  - name: "{{FQDN}}"
    type: A
    recursion: true

Retries

retries
integer
default:2
Number of retry attempts for failed queries.
dns:
  - name: "{{FQDN}}"
    type: A
    retries: 3

Custom resolvers

resolvers
array
Specify custom DNS resolvers to use.
dns:
  - name: "{{FQDN}}"
    type: A
    resolvers:
      - 8.8.8.8
      - 1.1.1.1

DNS record examples

Query for IPv4 addresses:
id: dns-a-record

info:
  name: DNS A Record Check
  author: pdteam
  severity: info

dns:
  - name: "{{FQDN}}"
    type: A
    class: inet
    
    matchers:
      - type: regex
        regex:
          - "IN\tA\t([0-9.]+)"
    
    extractors:
      - type: regex
        name: ip_address
        regex:
          - "IN\tA\t([0-9.]+)"
        group: 1

Subdomain takeover detection

Detect dangling DNS records that could lead to subdomain takeovers: 
id: subdomain-takeover-aws

info:
  name: AWS Subdomain Takeover Detection
  author: pdteam
  severity: high
  description: Detects CNAME records pointing to unclaimed AWS resources

dns:
  - name: "{{FQDN}}"
    type: CNAME
    
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "CNAME"
      
      - type: regex
        regex:
          - "\.amazonaws\.com"
          - "\.s3\.amazonaws\.com"
          - ".cloudfront.net"
        condition: or
    
    extractors:
      - type: regex
        name: cname_target
        regex:
          - "CNAME\t(.+)"
        group: 1

DNS zone transfer detection

Attempt AXFR zone transfers: 
id: dns-zone-transfer

info:
  name: DNS Zone Transfer (AXFR)
  author: pdteam
  severity: high
  description: Detects misconfigured DNS servers allowing zone transfers
  reference:
    - https://owasp.org/www-community/vulnerabilities/Zone_Transfer

dns:
  - name: "{{FQDN}}"
    type: AXFR
    class: inet
    
    matchers:
      - type: word
        words:
          - "IN\tNS"
          - "IN\tA"
          - "IN\tMX"
        condition: and
Zone transfers should only be performed against systems you have permission to test.

DNS tracing

trace
boolean
default:false
Perform DNS trace to follow resolution path.
dns:
  - name: "{{FQDN}}"
    type: A
    trace: true
    trace-max-recursion: 10
trace-max-recursion
integer
default:5
Maximum recursion depth for DNS tracing.
dns:
  - name: "{{FQDN}}"
    type: A
    trace: true
    trace-max-recursion: 15

Multi-step DNS queries

Chain DNS queries together: 
id: dns-ns-probe

info:
  name: DNS Nameserver Probing
  author: pdteam
  severity: info
  description: Queries NS records then probes each nameserver

flow: |
  dns("fetch-ns");
  for(let ns of template["nameservers"]) {
    set("nameserver", ns);
    dns("probe-ns");
  };

dns:
  - id: "fetch-ns"
    name: "{{FQDN}}"
    type: NS
    
    matchers:
      - type: word
        words:
          - "IN\tNS"
        internal: true
    
    extractors:
      - type: regex
        internal: true
        name: nameservers
        group: 1
        regex:
          - "IN\tNS\t(.+)"
  
  - id: "probe-ns"
    name: "{{nameserver}}"
    type: A
    class: inet
    retries: 3
    
    extractors:
      - type: dsl
        dsl:
          - "nameserver"

DNS with payloads

Test multiple subdomains: 
id: subdomain-bruteforce

info:
  name: Subdomain Bruteforce
  author: pdteam
  severity: info

dns:
  - name: "{{subdomain}}.{{FQDN}}"
    type: A
    
    payloads:
      subdomain:
        - www
        - mail
        - ftp
        - admin
        - api
        - dev
        - staging
    
    threads: 10
    
    matchers:
      - type: word
        words:
          - "IN\tA"
    
    extractors:
      - type: regex
        regex:
          - "IN\tA\t([0-9.]+)"
        group: 1

DNS response parts

Specify which part of the DNS response to match:
raw
string
Complete DNS response (default)
question
string
Question section of DNS response
answer
string
Answer section containing resource records
matchers:
  - type: word
    part: answer
    words:
      - "amazonaws.com"
ns
string
Authority (nameserver) section
extra
string
Additional records section
rcode
string
Response code (NOERROR, NXDOMAIN, etc.)

DNS matchers and extractors

Common matchers

matchers:
  # Check for specific record type
  - type: word
    words:
      - "IN\tA"
  
  # Check response code
  - type: word
    words:
      - "NOERROR"
      - "NXDOMAIN"
    condition: or
  
  # Match IP addresses
  - type: regex
    regex:
      - "IN\tA\t(10\.|192\.168\.|172\.)"
  
  # Check for specific domains
  - type: word
    words:
      - "cloudflare"
      - "amazonaws"
    condition: or

Common extractors

extractors:
  # Extract IP addresses
  - type: regex
    name: ip_addresses
    regex:
      - "IN\tA\t([0-9.]+)"
    group: 1
  
  # Extract CNAME targets
  - type: regex
    name: cname_target
    regex:
      - "CNAME\t(.+?)\."
    group: 1
  
  # Extract nameservers
  - type: regex
    name: nameservers
    regex:
      - "IN\tNS\t(.+)"
    group: 1
  
  # Extract MX records with priority
  - type: regex
    name: mail_servers
    regex:
      - "IN\tMX\t([0-9]+\s+.+)"
    group: 1

Complete examples

id: dns-cname-detection

info:
  name: DNS CNAME Record Detection
  author: pdteam
  severity: info
  description: Detects and extracts CNAME records

dns:
  - name: "{{FQDN}}"
    type: CNAME
    class: inet
    retries: 2
    recursion: true
    
    matchers:
      - type: word
        words:
          - "IN\tCNAME"
    
    extractors:
      - type: regex
        name: cname_value
        regex:
          - "IN\tCNAME\t(.+)"
        group: 1

Testing tips

Use -debug to see full DNS responses:
nuclei -t dns-template.yaml -u example.com -debug
Override default resolvers:
nuclei -t dns-template.yaml -u example.com -r 8.8.8.8,1.1.1.1
Always use {{FQDN}} for domain inputs:
dns:
  - name: "{{FQDN}}"  # Correct
  # NOT: name: "{{Hostname}}"

Common use cases

Subdomain takeover

Detect dangling CNAMEs pointing to cloud services

DNS enumeration

Discover subdomains and infrastructure

Zone transfer

Test for misconfigured AXFR

Record validation

Verify SPF, DMARC, DKIM records

Next steps

Network protocol

TCP-based protocol testing

Flow control

Advanced multi-step logic

Helper functions

DSL functions for DNS

Extractors

Data extraction guide

Build docs developers (and LLMs) love

Get started for freeTalk to us