Information Gathering & Enumeration
DNS Enumeration
DNS can reveal valuable information about a target's infrastructure, including hidden hosts and internal naming conventions.
DNS Basics for OSCP
Key Record Types
| Record | Purpose | Example |
|---|---|---|
| A | IPv4 address | host.domain.com -> 192.168.1.10 |
| AAAA | IPv6 address | host.domain.com -> 2001:db8::10 |
| MX | Mail server | domain.com -> mail.domain.com |
| NS | Name server | domain.com -> ns1.domain.com |
| TXT | Text info | SPF, DKIM and DMARC policies, plus third-party verification strings that hint at services in use |
| CNAME | Alias | www -> host.domain.com |
| PTR | Reverse lookup | 192.168.1.10 -> host.domain.com |
DNS Enumeration Tools
host Command
# Basic lookup
host domain.com
# Specific record type
host -t mx domain.com
host -t ns domain.com
host -t txt domain.com
# Reverse lookup
host 192.168.1.10
dig Command
# Standard query
dig domain.com
# Specific record
dig domain.com MX
dig domain.com NS
# ANY is unreliable: many servers refuse it or return a minimal answer (RFC 8482), so query types individually
dig domain.com ANY
# Short output
dig +short domain.com
# Query specific nameserver
dig @ns1.domain.com domain.com
nslookup
# Interactive mode
nslookup
> server <dns-server>
> set type=any
> domain.com
# Direct query
nslookup domain.com
nslookup -type=mx domain.com
Zone Transfer Attack
A misconfigured DNS server allows zone transfers (AXFR) from any client instead of only its secondaries, handing over every record in the zone in one query.
Testing Zone Transfer
# Using host
host -l domain.com ns1.domain.com
# Using dig
dig axfr @ns1.domain.com domain.com
# Using dnsrecon
dnsrecon -d domain.com -t axfr
Zone Transfer Output (abbreviated; real dig output also shows the TTL column and the full SOA record)
; Zone transfer successful
domain.com. IN SOA ns1.domain.com.
domain.com. IN NS ns1.domain.com.
domain.com. IN NS ns2.domain.com.
admin.domain.com. IN A 192.168.1.10
dev.domain.com. IN A 192.168.1.11
internal.domain.com. IN A 192.168.1.12
mail.domain.com. IN A 192.168.1.13
This reveals internal hostnames and structure. A refused transfer ends with "; Transfer failed." instead; test every nameserver, since each one is configured independently.
Subdomain Enumeration
DNSRecon
# Basic enumeration
dnsrecon -d domain.com
# Subdomain brute force
dnsrecon -d domain.com -D /usr/share/wordlists/subdomains.txt -t brt
# Standard enumeration
dnsrecon -d domain.com -t std
Sublist3r
# Search multiple sources
sublist3r -d domain.com
# With brute force
sublist3r -d domain.com -b
FFUF for DNS
# Subdomain fuzzing: each guess is resolved by your resolver and then requested over HTTP, so it only finds names that actually resolve
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://FUZZ.domain.com
# Virtual-host fuzzing when names are not in DNS: send the guess in the Host header to a known IP and filter out the default response size
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://192.168.1.10 -H "Host: FUZZ.domain.com" -fs <default-size>
Reverse DNS Lookup
Scan IP ranges to find hostnames:
# Single reverse lookup
dig -x 192.168.1.10
# Range sweep with dnsrecon
dnsrecon -r 192.168.1.0/24
# Using Nmap (list scan: no packets reach the targets, only reverse lookups are sent to the resolver)
nmap -sL 192.168.1.0/24
# Ask the target's own DNS server, which usually holds the internal PTR zone
nmap -sL --dns-servers <dns-server> 192.168.1.0/24
DNS in Active Directory
AD environments have predictable DNS patterns:
Common AD DNS records:
├── _ldap._tcp.domain.com (LDAP servers)
├── _kerberos._tcp.domain.com (Kerberos KDC)
├── _gc._tcp.domain.com (Global Catalog)
└── dc01.domain.com (Domain Controller)
AD DNS Enumeration
# Find domain controllers
dig SRV _ldap._tcp.dc._msdcs.domain.com
# Find kerberos servers
dig SRV _kerberos._tcp.domain.com
# Using nslookup
nslookup -type=SRV _ldap._tcp.domain.com
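The three queries above each return one record set; in practice you want all the AD locator records at once, ordered the way a domain member would pick a server (lowest priority first, highest weight first within a priority). The following script is an added example written for this page, not tooling from the original. It assumes bash and dig, uses domain.com as a placeholder, and the sample SRV answer at the bottom is constructed so the parser can be exercised offline.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Assumes bash, dig, awk, sort.
# Resolves the standard AD locator SRV records for a domain and prints
# "host port" lines in client preference order.

# Names relative to the AD domain; _ldap._tcp.dc._msdcs is the canonical
# domain-controller locator, pdc._msdcs names the PDC emulator.
AD_SRV_NAMES="_ldap._tcp.dc._msdcs _ldap._tcp _kerberos._tcp _kpasswd._tcp _gc._tcp _ldap._tcp.pdc._msdcs"

# Parse "dig +short SRV" output (priority weight port target.) from stdin
# into "target port" lines: priority ascending, weight descending,
# trailing dot stripped.
parse_srv() {
    awk 'NF == 4 { t = $4; sub(/\.$/, "", t); print $1, $2, $3, t }' \
        | sort -k1,1n -k2,2nr \
        | awk '{ print $4, $3 }'
}

# Query every locator record for DOMAIN, optionally through a specific
# resolver (inside an AD network, point this at a DC).
ad_srv_enum() {
    local domain="$1" server="${2:-}" name at=""
    [ -n "$server" ] && at="@$server"
    for name in $AD_SRV_NAMES; do
        echo "## $name.$domain"
        dig +short $at SRV "$name.$domain" | parse_srv
    done
    return 0
}

# Constructed sample of what "dig +short SRV _ldap._tcp.domain.com" returns:
# two DCs at priority 0 (dc01 weighted higher) and a backup DC at priority 10.
SAMPLE_SRV='0 100 389 dc02.domain.com.
0 200 389 dc01.domain.com.
10 100 389 dc03.domain.com.'

# Usage: ./ad_srv.sh domain.com [dns-server]; with no arguments, parse the sample.
if [ $# -ge 1 ]; then
    ad_srv_enum "$1" "${2:-}"
else
    printf '%s\n' "$SAMPLE_SRV" | parse_srv
fi
```

The ordering matters for targeting: the first host printed under _ldap._tcp.dc._msdcs is the DC most clients talk to, and _kpasswd._tcp and _gc._tcp confirm which of them are KDCs and global catalog servers.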
DNS Tools Comparison
| Tool | Best For | Speed |
|---|---|---|
| host | Quick lookups | Fast |
| dig | Detailed queries | Fast |
| nslookup | Interactive | Fast |
| dnsrecon | Comprehensive | Medium |
| fierce | Subdomain enum | Medium |
| dnsenum | Full enumeration | Slow |
Practical DNS Workflow
Step 1: Identify DNS Servers
├── dig NS domain.com
└── Note all nameservers
Step 2: Attempt Zone Transfer
├── dig axfr @ns1.domain.com domain.com
└── Try each nameserver
Step 3: Record Enumeration
├── A, MX, NS, TXT records
└── Look for subdomains
Step 4: Subdomain Brute Force
├── dnsrecon -d domain.com -D wordlist -t brt
└── Use multiple wordlists
Step 5: Reverse Lookups
├── Scan discovered IP ranges
└── Map network topology
DNS Enumeration Checklist
□ Identify all nameservers
□ Attempt zone transfer on each NS
□ Enumerate A, MX, NS, TXT, CNAME records
□ Brute force subdomains
□ Perform reverse DNS on IP ranges
□ Check for AD-specific records
□ Add findings to /etc/hosts
□ Document all discovered hosts
Adding Hosts to Your System
Always add discovered hosts to your local hosts file:
# Add to /etc/hosts
echo "192.168.1.10 admin.domain.com" | sudo tee -a /etc/hosts
echo "192.168.1.11 dev.domain.com" | sudo tee -a /etc/hosts
# Or edit directly
sudo nano /etc/hosts
This ensures tools and browsers resolve correctly.
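The zone transfer test, the workflow steps and the hosts-file step above are separate commands whose output has to be carried by hand from one to the next. The script below is an added example written for this page, not part of the original, that wires them together: it tries AXFR against every nameserver, falls back to a wildcard-aware dig brute force when all refuse, and appends the results to a hosts file without duplicating existing entries. It assumes bash, dig, awk, sort and grep; domain.com, the wordlist path and the 192.168.1.x addresses are placeholders, and the sample zone at the bottom is constructed so the parsers run offline.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): glue for the workflow above.
# Assumes bash, dig (bind9-dnsutils), awk, sort, grep. Network access is
# confined to try_zone_transfer, brute_subdomains and reverse_sweep; the
# sample AXFR output at the bottom is constructed for offline use.

# Steps 1+2: try AXFR on every authoritative nameserver of DOMAIN. Prints
# the zone from the first server that allows it and returns 0; returns 1
# if all refuse (dig then prints "; Transfer failed." and no SOA record).
try_zone_transfer() {
    local domain="$1" ns out
    for ns in $(dig +short NS "$domain"); do
        out=$(dig axfr @"$ns" "$domain" +time=5 +tries=1 2>/dev/null) || true
        if printf '%s\n' "$out" | grep -Eq '[[:space:]]IN[[:space:]]+SOA[[:space:]]'; then
            echo "; AXFR allowed by $ns" >&2
            printf '%s\n' "$out"
            return 0
        fi
        echo "; AXFR refused by $ns" >&2
    done
    return 1
}

# Turn dig AXFR output (stdin) into "IP hostname" lines. Works with or
# without the TTL column, keeps A records only, strips the trailing dot
# and de-duplicates.
axfr_to_hosts() {
    awk '$1 !~ /^;/ && NF >= 4 {
            for (i = 2; i <= NF; i++) if ($i == "IN") break
            if ($(i + 1) == "A") { n = $1; sub(/\.$/, "", n); print $(i + 2), n }
        }' | sort -u
}

# Step 4: brute force with dig. A wildcard record makes every guess "hit",
# so a random label is resolved first and the run aborts if it answers.
brute_subdomains() {
    local domain="$1" wordlist="$2" label ip
    label="wc$RANDOM$RANDOM"
    if [ -n "$(dig +short A "$label.$domain")" ]; then
        echo "; wildcard DNS on $domain, brute force results would be noise" >&2
        return 1
    fi
    while read -r label; do
        [ -z "$label" ] && continue
        ip=$(dig +short A "$label.$domain" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1)
        [ -n "$ip" ] && printf '%s %s\n' "$ip" "$label.$domain"
    done < "$wordlist"
    return 0
}

# Step 5: PTR lookups across a /24 (PREFIX like 192.168.1), optionally via
# the target's own resolver, which usually holds the internal reverse zone.
reverse_sweep() {
    local prefix="$1" server="${2:-}" i name at=""
    [ -n "$server" ] && at="@$server"
    for i in $(seq 1 254); do
        name=$(dig +short $at -x "$prefix.$i" | head -n 1)
        [ -n "$name" ] && printf '%s %s\n' "$prefix.$i" "${name%.}"
    done
    return 0
}

# Append "IP hostname" lines (stdin) to HOSTS_FILE (default /etc/hosts),
# skipping pairs already present. Root is needed for the real file.
add_hosts() {
    local hosts_file="${1:-/etc/hosts}" ip name
    while read -r ip name; do
        [ -z "$ip" ] && continue
        if awk -v ip="$ip" -v n="$name" \
            '$1 !~ /^#/ && $1 == ip { for (i = 2; i <= NF; i++) if ($i == n) f = 1 }
             END { exit !f }' "$hosts_file" 2>/dev/null; then
            continue
        fi
        printf '%s %s\n' "$ip" "$name" >> "$hosts_file"
    done
    return 0
}

# Constructed sample of a successful transfer (duplicate and CNAME included).
SAMPLE_AXFR='domain.com.		3600	IN	SOA	ns1.domain.com. hostmaster.domain.com. 2024010101 3600 900 604800 86400
domain.com.		3600	IN	NS	ns1.domain.com.
admin.domain.com.	3600	IN	A	192.168.1.10
dev.domain.com.		3600	IN	A	192.168.1.11
www.domain.com.		3600	IN	CNAME	admin.domain.com.
internal.domain.com.	3600	IN	A	192.168.1.12
admin.domain.com.	3600	IN	A	192.168.1.10'

# Usage: sudo ./dns_workflow.sh domain.com wordlist.txt [hosts-file]
# With no arguments it only runs the parser over the constructed sample.
if [ $# -ge 2 ]; then
    hosts_file="${3:-/etc/hosts}"
    if zone=$(try_zone_transfer "$1"); then
        printf '%s\n' "$zone" | axfr_to_hosts | add_hosts "$hosts_file"
    else
        brute_subdomains "$1" "$2" | add_hosts "$hosts_file"
    fi
else
    printf '%s\n' "$SAMPLE_AXFR" | axfr_to_hosts
fi
```

Pass a scratch file as the third argument while testing so the real /etc/hosts is only touched once the output looks right; reverse_sweep is left for you to call with the ranges the other steps discover.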
With enumeration mastered, we'll move to vulnerability analysis and exploitation techniques in the next module.