DNS Recon

DNS Enumeration

DNS enumeration is a useful exercise inside a network: a successful zone transfer hands you every hostname and address the zone holds without running a network-wide nmap scan. That matters when you do not want the IPS or firewall to raise alerts, since a handful of DNS queries on port 53 are far less noisy than a port sweep, and zone transfers between a primary and its secondary name servers are routine traffic. Keep in mind that a transfer (AXFR) is meant to be restricted to those secondaries; it only succeeds against a server that has been left open to transfers from any client, so a refusal is the expected outcome on a well-configured network.

The following command conducts a zone transfer with dnsrecon, where -t axfr selects the transfer test, -d names the domain and -n the name server to ask:

dnsrecon -t axfr -d domain.com -n <DNS IP>

Dnsenum is another tool that lists the different record types for a domain and attempts a zone transfer against each of its name servers:

dnsenum p42.com

Using dig, first list the name servers for the zone, then request the transfer from one of them:

dig +short ns p42.com
dig axfr p42.com @192.168.1.80

Here, p42.com is the domain for which the zone transfer is requested and 192.168.1.80 is the name server answering it. A server that allows the transfer returns the whole zone, with the SOA record first and last; one that refuses it prints "; Transfer failed." and nothing else.

An Active Directory domain also keeps its domain-controller locator records under the _msdcs subdomain (_msdcs.p42.com for the domain p42.com), which AD-integrated DNS typically stores as its own zone. If that zone allows transfers, the same request returns the SRV records that point at the domain controllers, their LDAP and Kerberos services, the global catalogs and so on:

dig axfr @192.168.165.149 _msdcs.p42.com
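The dig commands above, for the main zone and for _msdcs, produce output that still has to be read and triaged. The script below is an added example, not part of the original page or of the dnsrecon, dnsenum or dig projects: it parses dig's AXFR output, distinguishes a completed transfer (SOA at both ends, no "; Transfer failed." marker) from a refused one, lists the A records as hostname/IP pairs, and pulls the domain-controller targets out of the _msdcs SRV records. The two embedded samples (zone p42.com, servers 192.168.1.80 and 192.168.1.81, and every record in them) are constructed for the demonstration; the zone_sweep function is an assumption about how you would drive the same parsing live, and it needs dig and network access.

```sh
#!/bin/sh
# Added example (not from the original page): parse dig AXFR output, tell a
# completed transfer from a refused one, and extract hosts and DC SRV targets.
# Assumes POSIX sh, awk and sort; zone_sweep additionally assumes dig in PATH.

# Constructed sample of a successful "dig axfr p42.com @192.168.1.80".
SAMPLE_AXFR=$(cat <<'EOF'
; <<>> DiG 9.18.1 <<>> axfr p42.com @192.168.1.80
;; global options: +cmd
p42.com.                3600 IN SOA   ns1.p42.com. hostmaster.p42.com. 2024010101 3600 900 604800 86400
p42.com.                3600 IN NS    ns1.p42.com.
p42.com.                3600 IN NS    ns2.p42.com.
ns1.p42.com.            3600 IN A     192.168.1.80
ns2.p42.com.            3600 IN A     192.168.1.81
dc01.p42.com.            600 IN A     192.168.1.10
fileserver.p42.com.     3600 IN A     192.168.1.50
fileserver.p42.com.     3600 IN TXT   "backup host"
www.p42.com.            3600 IN CNAME fileserver.p42.com.
_ldap._tcp.dc._msdcs.p42.com.     600 IN SRV 0 100 389 dc01.p42.com.
_kerberos._tcp.dc._msdcs.p42.com. 600 IN SRV 0 100 88 dc01.p42.com.
p42.com.                3600 IN SOA   ns1.p42.com. hostmaster.p42.com. 2024010101 3600 900 604800 86400
;; Query time: 2 msec
;; XFR size: 12 records (messages 1, bytes 412)
EOF
)

# Constructed sample of the same request against a server that refuses it.
SAMPLE_REFUSED=$(cat <<'EOF'
; <<>> DiG 9.18.1 <<>> axfr p42.com @192.168.1.81
;; global options: +cmd
; Transfer failed.
EOF
)

# Exit 0 only for a complete zone: no "Transfer failed" marker and the SOA
# record present at both the start and the end of the transfer (soa >= 2).
axfr_ok() {
    awk 'BEGIN { soa = 0; failed = 0 }
         /^; Transfer failed/ { failed = 1 }
         $0 !~ /^;/ && NF >= 5 && $3 == "IN" && $4 == "SOA" { soa++ }
         END { exit !(failed == 0 && soa >= 2) }'
}

# Print "hostname ip" for every A record in the transfer, deduplicated.
axfr_hosts() {
    awk '$0 !~ /^;/ && NF >= 5 && $3 == "IN" && $4 == "A" {
             name = $1; sub(/\.$/, "", name); print name, $5
         }' | sort -u
}

# Print "service target port" for SRV records under _msdcs (DC locator records).
# SRV rdata is "priority weight port target", so port is $7 and target is $8.
axfr_dcs() {
    awk '$0 !~ /^;/ && NF >= 8 && $3 == "IN" && $4 == "SRV" && $1 ~ /\._msdcs\./ {
             split($1, labels, ".")
             target = $8; sub(/\.$/, "", target)
             print labels[1], target, $7
         }' | sort -u
}

# Live sweep (assumed usage, needs dig and network): resolve every NS of the
# domain, try AXFR against each address, and report which ones leak the zone.
zone_sweep() {
    domain=$1
    for ns in $(dig +short ns "$domain"); do
        for ip in $(dig +short a "$ns"); do
            out=$(dig axfr "$domain" "@$ip")
            if printf '%s\n' "$out" | axfr_ok; then
                echo "[+] $ns ($ip) allows AXFR for $domain"
                printf '%s\n' "$out" | axfr_hosts
                printf '%s\n' "$out" | axfr_dcs
            else
                echo "[-] $ns ($ip) refuses AXFR for $domain"
            fi
        done
    done
}

# With a domain argument run the live sweep; otherwise demo on the samples.
if [ "$#" -ge 1 ]; then
    zone_sweep "$1"
else
    if printf '%s\n' "$SAMPLE_AXFR" | axfr_ok; then
        echo "[+] 192.168.1.80 allows AXFR for p42.com"
        printf '%s\n' "$SAMPLE_AXFR" | axfr_hosts
        printf '%s\n' "$SAMPLE_AXFR" | axfr_dcs
    fi
    printf '%s\n' "$SAMPLE_REFUSED" | axfr_ok || echo "[-] 192.168.1.81 refuses AXFR for p42.com"
fi
```

Run it with no arguments to see the parsing on the samples, or as "sh script.sh p42.com" to sweep a real domain. Checking for the SOA at both ends is what separates a real zone from a partial answer or an error page; a transfer that is cut off mid-way, or a server that answers the AXFR query with a single SOA, will not pass.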
