DNS & Subdomains
Use `dig +short` to get a short answer.
Active enumeration involves directly interacting with the target domain's DNS servers to uncover subdomains. One method is attempting a DNS zone transfer, where a misconfigured server might inadvertently leak a complete list of subdomains. However, due to tightened security measures, this is rarely successful.

A more common active technique is brute-force enumeration, which involves systematically testing a list of potential subdomain names against the target domain. Tools like dnsenum, ffuf, and gobuster can automate this process, using wordlists of common subdomain names or custom-generated lists based on specific patterns.
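As an added Python example (not code from the original page or from any of the tools named above), here is a wildcard-aware brute-force pass: it first resolves random labels that cannot exist, so a wildcard record that answers every name does not turn the whole wordlist into false positives, which is the wildcard detection tools such as fierce perform. The resolver is injectable; `socket_resolver` is the live variant and `fake_resolver` is a constructed stand-in used for the offline check.

```python
import secrets
import socket
from typing import Callable, Dict, List, Optional, Set

# A resolver maps a fully qualified name to the addresses it resolves to
# (empty list when the name does not exist). Injected so the logic can be
# exercised offline against a constructed zone.
Resolver = Callable[[str], List[str]]

def socket_resolver(name: str) -> List[str]:
    """Live resolver via the system stub resolver (not used by the offline test)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve random labels that cannot exist; any addresses they return
    come from a wildcard record and must not be reported as real hosts."""
    wildcard_ips: Set[str] = set()
    for _ in range(probes):
        wildcard_ips.update(resolve(f"{secrets.token_hex(8)}.{domain}"))
    return wildcard_ips

def brute_force(domain: str, words: List[str], resolve: Resolver) -> Dict[str, List[str]]:
    """Test each candidate label against the domain, keeping only answers that
    differ from the wildcard set. A real host that deliberately shares the
    wildcard address is indistinguishable here and would be dropped."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found: Dict[str, List[str]] = {}
    for word in words:
        name = f"{word}.{domain}"
        ips = [ip for ip in resolve(name) if ip not in wildcard_ips]
        if ips:
            found[name] = ips
    return found

def fake_resolver(zone: Dict[str, List[str]], wildcard: Optional[List[str]] = None) -> Resolver:
    """Constructed stand-in for DNS: fixed records plus an optional wildcard
    that answers every unknown name, as a *.example.com record would."""
    def resolve(name: str) -> List[str]:
        return zone.get(name, list(wildcard or []))
    return resolve
```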
Passive enumeration relies on external sources of information to discover subdomains without directly querying the target's DNS servers. One valuable resource is Certificate Transparency (CT) logs, public repositories of SSL/TLS certificates. These certificates often include a list of associated subdomains in their Subject Alternative Name (SAN) field, providing a treasure trove of potential targets.

Another passive approach involves utilising search engines like Google or DuckDuckGo. By employing specialised search operators (e.g., site:), you can filter results to show only subdomains related to the target domain.

Additionally, various online databases and tools aggregate DNS data from multiple sources, allowing you to search for subdomains without directly interacting with the target.
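Added Python example, not part of the original page: extracting in-scope hostnames from the SAN entries carried in CT-log search results. The sample JSON is constructed, and the field names (`name_value` with newline-separated SAN names, `common_name`) are assumed to match the JSON output of a CT search service; only names that sit under the target zone are kept, and wildcard SANs are reported separately.

```python
import json
from typing import Dict, Set

# Constructed sample in the shape of a CT search result: one object per logged
# certificate, SAN names newline-separated in "name_value". The field names
# are assumed to match the JSON output of a CT search service.
SAMPLE_CT_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\napi.dev.example.com"},
    {"common_name": "mail.example.com",
     "name_value": "mail.example.com\nexample.com.evil.test"},
    {"common_name": "WWW.Example.com.",
     "name_value": "WWW.Example.com."},
])

def normalise(name: str) -> str:
    """Lower-case and strip the trailing dot so duplicates collapse."""
    return name.strip().lower().rstrip(".")

def in_scope(name: str, domain: str) -> bool:
    """True only for the apex or a label beneath it; a name that merely
    contains the domain string (example.com.evil.test) is out of scope."""
    return name == domain or name.endswith("." + domain)

def subdomains_from_ct(ct_json: str, domain: str) -> Dict[str, Set[str]]:
    """Collect hostnames attested for `domain`, split into concrete names and
    wildcard SAN entries (wildcards are not hosts to resolve, but they reveal
    naming conventions worth feeding into a brute-force pass)."""
    domain = normalise(domain)
    hosts: Set[str] = set()
    wildcards: Set[str] = set()
    for entry in json.loads(ct_json):
        names = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
        for raw in names:
            name = normalise(raw)
            if not name or not in_scope(name, domain):
                continue
            (wildcards if name.startswith("*.") else hosts).add(name)
    return {"hosts": hosts, "wildcards": wildcards}
```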
Each of these methods has its strengths and weaknesses. Active enumeration offers more control and potential for comprehensive discovery but can be more detectable. Passive enumeration is stealthier but might not uncover all existing subdomains. Combining both approaches provides a more thorough and effective subdomain enumeration strategy.
dnsenum offers several key functions:

- DNS Record Enumeration: dnsenum can retrieve various DNS records, including A, AAAA, NS, MX, and TXT records, providing a comprehensive overview of the target's DNS configuration.
- Zone Transfer Attempts: The tool automatically attempts zone transfers from discovered name servers. While most servers are configured to prevent unauthorised zone transfers, a successful attempt can reveal a treasure trove of DNS information.
- Subdomain Brute-Forcing: dnsenum supports brute-force enumeration of subdomains using a wordlist. This involves systematically testing potential subdomain names against the target domain to identify valid ones.
- Google Scraping: The tool can scrape Google search results to find additional subdomains that might not be listed in DNS records directly.
- Reverse Lookup: dnsenum can perform reverse DNS lookups to identify domains associated with a given IP address, potentially revealing other websites hosted on the same server.
- WHOIS Lookups: The tool can also perform WHOIS queries to gather information about domain ownership and registration details.
- `--enum` specifies the domain
- `-f` specifies the wordlist
- `-r` enables recursive enumeration
- The `-u` flag specifies the target URL (replace `<target_IP_address>` with the actual IP).
- The `-w` flag specifies the wordlist file (replace `<wordlist_file>` with the path to your wordlist).
- The `--append-domain` flag appends the base domain to each word in the wordlist.

There are a couple of other arguments that are worth knowing:

- Consider using the `-t` flag to increase the number of threads for faster scanning.
- The `-k` flag can ignore SSL/TLS certificate errors.
- You can use the `-o` flag to save the output to a file for later analysis.
Example:
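As an added Python example (not the page's own and not gobuster's code), this is the probe the flags above drive: each wordlist entry gets the base domain appended and is sent as the Host header to a fixed IP, and only names whose response differs from that of a random, non-existent Host are reported. `http_prober` is the live variant; `fake_prober` is a constructed stand-in for a server with a few named virtual hosts, used for the offline check.

```python
import http.client
import secrets
from typing import Callable, Dict, List, Tuple

# A prober sends one request with the given Host header and returns
# (status code, body length). Injected so the logic runs offline.
Prober = Callable[[str], Tuple[int, int]]

def http_prober(ip: str, port: int = 80, timeout: float = 5.0) -> Prober:
    """Live prober: GET / on a fixed IP (the -u target) with the candidate
    Host header; not exercised by the offline test."""
    def probe(host: str) -> Tuple[int, int]:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
        try:
            conn.request("GET", "/", headers={"Host": host})
            resp = conn.getresponse()
            return resp.status, len(resp.read())
        finally:
            conn.close()
    return probe

def discover_vhosts(domain: str, words: List[str], probe: Prober) -> Dict[str, Tuple[int, int]]:
    """Append the base domain to each word (--append-domain), send it as the
    Host header, and keep names whose response differs from the server's
    default site, measured with a random Host that cannot be configured.
    Comparing status and size only is crude: sites with dynamic content need
    the finer filters the tools above provide."""
    baseline = probe(f"{secrets.token_hex(6)}.{domain}")
    hits: Dict[str, Tuple[int, int]] = {}
    for word in words:
        host = f"{word}.{domain}"
        result = probe(host)
        if result != baseline:
            hits[host] = result
    return hits

def fake_prober(vhosts: Dict[str, Tuple[int, int]], default: Tuple[int, int]) -> Prober:
    """Constructed stand-in for a web server with a few named virtual hosts
    and a catch-all default site for any other Host header."""
    return lambda host: vhosts.get(host.lower(), default)
```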
There are two popular options for searching CT logs:
| Tool | Key Features | Use Cases |
|---|---|---|
| dig | Versatile DNS lookup tool that supports various query types (A, MX, NS, TXT, etc.) and detailed output. | Manual DNS queries, zone transfers (if allowed), troubleshooting DNS issues, and in-depth analysis of DNS records. |
| nslookup | Simpler DNS lookup tool, primarily for A, AAAA, and MX records. | Basic DNS queries, quick checks of domain resolution and mail server records. |
| host | Streamlined DNS lookup tool with concise output. | Quick checks of A, AAAA, and MX records. |
| dnsenum | Automated DNS enumeration tool, dictionary attacks, brute-forcing, zone transfers (if allowed). | Discovering subdomains and gathering DNS information efficiently. |
| fierce | DNS reconnaissance and subdomain enumeration tool with recursive search and wildcard detection. | User-friendly interface for DNS reconnaissance, identifying subdomains and potential targets. |
| dnsrecon | Combines multiple DNS reconnaissance techniques and supports various output formats. | Comprehensive DNS enumeration, identifying subdomains, and gathering DNS records for further analysis. |
| theHarvester | OSINT tool that gathers information from various sources, including DNS records (email addresses). | Collecting email addresses, employee information, and other data associated with a domain from multiple sources. |
| Online DNS Lookup Services | User-friendly interfaces for performing DNS lookups. | Quick and easy DNS lookups, convenient when command-line tools are not available, checking for domain availability or basic information. |
| Command | Description |
|---|---|
| `dig domain.com` | Performs a default A record lookup for the domain. |
| `dig domain.com A` | Retrieves the IPv4 address (A record) associated with the domain. |
| `dig domain.com AAAA` | Retrieves the IPv6 address (AAAA record) associated with the domain. |
| `dig domain.com MX` | Finds the mail servers (MX records) responsible for the domain. |
| `dig domain.com NS` | Identifies the authoritative name servers for the domain. |
| `dig domain.com TXT` | Retrieves any TXT records associated with the domain. |
| `dig domain.com CNAME` | Retrieves the canonical name (CNAME) record for the domain. |
| `dig domain.com SOA` | Retrieves the start of authority (SOA) record for the domain. |
| `dig @1.1.1.1 domain.com` | Queries a specific name server; in this case 1.1.1.1. |
| `dig +trace domain.com` | Shows the full path of DNS resolution. |
| `dig -x 192.168.1.1` | Performs a reverse (PTR) lookup on the IP address 192.168.1.1 to find the associated host name. You may need to specify a name server. |
| `dig +short domain.com` | Provides a short, concise answer to the query. |
| `dig +noall +answer domain.com` | Displays only the answer section of the query output. |
| `dig domain.com ANY` | Retrieves all available DNS records for the domain (note: many DNS servers ignore ANY queries to reduce load and prevent abuse, as per RFC 8482). |
| Tool | Description |
|---|---|
| dnsenum | Comprehensive DNS enumeration tool that supports dictionary and brute-force attacks for discovering subdomains. |
| fierce | User-friendly tool for recursive subdomain discovery, featuring wildcard detection and an easy-to-use interface. |
| dnsrecon | Versatile tool that combines multiple DNS reconnaissance techniques and offers customisable output formats. |
| | Actively maintained tool focused on subdomain discovery, known for its integration with other tools and extensive data sources. |
| | Simple yet effective tool for finding subdomains using various techniques, ideal for quick and lightweight scans. |
| | Powerful and flexible DNS brute-forcing tool, capable of resolving and filtering results effectively. |
| Tool | Description | Features |
|---|---|---|
| Gobuster | A multi-purpose tool often used for directory/file brute-forcing, but also effective for virtual host discovery. | Fast, supports multiple HTTP methods, can use custom wordlists. |
| | Similar to Gobuster, but with a Rust-based implementation, known for its speed and flexibility. | Supports recursion, wildcard discovery, and various filters. |
| ffuf | Another fast web fuzzer that can be used for virtual host discovery by fuzzing the Host header. | Customizable wordlist input and filtering options. |
| Tool | Key Features | Use Cases | Pros | Cons |
|---|---|---|---|---|
| | User-friendly web interface, simple search by domain, displays certificate details, SAN entries. | Quick and easy searches, identifying subdomains, checking certificate issuance history. | Free, easy to use, no registration required. | Limited filtering and analysis options. |
| | Powerful search engine for internet-connected devices, advanced filtering by domain, IP, certificate attributes. | In-depth analysis of certificates, identifying misconfigurations, finding related certificates and hosts. | Extensive data and filtering options, API access. | Requires registration (free tier available). |