# DNS

Find the nameservers authoritative for a domain (the `@<IP>` syntax tells `dig` which server to ask):

```shell-session
dig ns <domain> @<IP>
```

Sometimes it's possible to get the server version (BIND answers the `version.bind` name in the `CH` class unless the administrator has hidden it):

```shell-session
dig CH TXT version.bind @<IP>
```

Show all record types for a name (many servers now answer `ANY` with a minimal response, so compare with explicit `A`, `MX`, `TXT` queries):

```shell-session
dig any <domain> @<IP>
```

### Zone transfers or Asynchronous Full Transfer Zone (AXFR)

Zone transfers use `TCP` port 53, whereas ordinary queries are normally sent over UDP 53.

```shell-session
dig axfr <domain> @<IP>
```

If the administrator set the `allow-transfer` option to a whole subnet (for testing, or as a workaround) or to `any`, anyone can pull the entire zone file from the DNS server. Other zones hosted on the same server can be transferred too, and these may reveal internal IP addresses and hostnames.
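An added shell example, not part of the original notes, that turns the point above into a check you can run against your own nameservers: it parses `dig axfr` output to decide whether a transfer actually completed (a successful AXFR starts and ends with the zone's SOA record; a refusal yields no records and `; Transfer failed.`), and it flags `allow-transfer { any; }` in a BIND `named.conf`. The dig output, the config fragment, the zone `example.test` and the addresses `192.0.2.x` / `10.0.0.10` are constructed samples; only the live `check_axfr` helper needs `dig` and network access.

```shell
#!/usr/bin/env sh
# Added example (not from the original notes): zone-transfer exposure checks.
# Assumes BIND named.conf syntax and dig's text output format.

# Constructed sample: dig output from a nameserver that permits AXFR.
AXFR_OPEN_SAMPLE='
; <<>> DiG 9.18.1 <<>> axfr example.test @192.0.2.53
;; global options: +cmd
example.test.          3600 IN SOA ns1.example.test. admin.example.test. 2024010101 3600 900 604800 300
example.test.          3600 IN NS  ns1.example.test.
ns1.example.test.      3600 IN A   192.0.2.53
intranet.example.test. 3600 IN A   10.0.0.10
example.test.          3600 IN SOA ns1.example.test. admin.example.test. 2024010101 3600 900 604800 300
;; Query time: 4 msec
'

# Constructed sample: dig output from a nameserver that refuses AXFR.
AXFR_REFUSED_SAMPLE='
; <<>> DiG 9.18.1 <<>> axfr example.test @192.0.2.54
;; global options: +cmd
; Transfer failed.
'

# Constructed named.conf fragment: the global option is the weak setting
# (transfers open to everyone); the zone stanza restricts AXFR to one secondary.
NAMED_CONF_SAMPLE='
options {
    allow-transfer { any; };
};
zone "example.test" {
    type primary;
    file "example.test.zone";
    allow-transfer { 192.0.2.54; };
};
'

# Keep only resource-record lines from dig axfr output on stdin
# (drop ";"-prefixed comments and blank lines).
axfr_records() {
    grep -v '^;' | sed '/^[[:space:]]*$/d'
}

# Number of records returned by the transfer (0 when it was refused).
axfr_record_count() {
    axfr_records | grep -c . || true
}

# Exit 0 if the dig axfr output on stdin shows a completed transfer:
# at least one record, and the zone SOA both opening and closing the answer.
axfr_succeeded() {
    records=$(axfr_records)
    [ -n "$records" ] || return 1
    soa_count=$(printf '%s\n' "$records" | grep -c '[[:space:]]SOA[[:space:]]' || true)
    [ "$soa_count" -ge 2 ]
}

# Print (with line numbers) every allow-transfer stanza that grants AXFR to "any".
open_allow_transfer() {
    grep -nE 'allow-transfer[[:space:]]*\{[[:space:]]*any[[:space:]]*;' || true
}

# Count of such stanzas, for scripting a pass/fail.
count_open_allow_transfer() {
    grep -cE 'allow-transfer[[:space:]]*\{[[:space:]]*any[[:space:]]*;' || true
}

# Live check of one of your own zones: $1 = zone name, $2 = nameserver IP.
check_axfr() {
    if dig axfr "$1" "@$2" | axfr_succeeded; then
        echo "AXFR allowed: $1 via $2 (restrict allow-transfer to your secondaries)"
    else
        echo "AXFR refused: $1 via $2"
    fi
}

# Run the constructed samples through the parsers when executed directly.
printf '%s' "$AXFR_OPEN_SAMPLE" | axfr_succeeded && echo "open sample: transfer completed"
printf '%s' "$AXFR_REFUSED_SAMPLE" | axfr_succeeded || echo "refused sample: transfer refused"
printf '%s' "$NAMED_CONF_SAMPLE" | open_allow_transfer
```

`check_axfr example.test 192.0.2.53` is the call you would make against a nameserver you operate; the parser deliberately requires two SOA records rather than trusting the absence of an error line, because a partial or truncated answer should not be reported as an open zone.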

Manual bruteforcing (the one-liner from the original, laid out per pipeline stage):

```shell-session
for sub in $(cat /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt); do
    dig $sub.inlanefreight.htb @10.129.14.128 \
        | grep -v ';\|SOA' \          # drop dig's comment lines and the SOA of the NXDOMAIN reply
        | sed -r '/^\s*$/d' \         # drop blank lines
        | grep $sub \                 # keep only answers that name the candidate subdomain
        | tee -a subdomains.txt       # print hits and append them to the results file
done
```

## Tool

[DNSenum](https://github.com/fwaeytens/dnsenum)
