5 DNS Enumeration Tools with Best Practices & Examples

The first question you might have when discussing DNS enumeration is; “What exactly is a DNS server, and why are we trying to enumerate information from this server?”

 

DNS Servers

DNS servers resolve domain names and hostnames to the respective IP addresses. They are like the soul of the internet, directing a domain name to the specific web server. For example, when you type on your web browser google.com, that query is first sent to a DNS server which resolves google.com to its IP address. A request is then made to that IP address, and the web page is loaded on your browser.

Advertisement

 

DNS Enumeration

Unfortunately, DNS is one of the most exploited protocols. DNS enumeration or DNS interrogation is the process and technique of acquiring information from DNS servers. This information includes computer names, mail servers, IP addresses, associated nameservers, and other DNS records.

 

Common Types of DNS Records?

  • A record: Holds the IP address associated with the domain in question.
  • CNAME record: Maps one domain to another. The most popular is mapping www.your_domain.com to your_domain.com.
  • MX record: Specifies the servers that handle emails from a particular domain.
  • TXT record: Enables an admin to store text notes on the server.
  • NS record: This record specifies the authoritative nameserver for your DNS zone.
  • SOA record: Known as the “Start of Authority” record. It stores all critical information about a domain. That includes admin email, domain last update, etc.
  • SRV record: This record specifies servers running particular services.
  • PTR record: Also known as pointer records. It is used in reverse DNS lookups.

 

Tools for DNS Enumeration

There are several tools that you can use for DNS enumerations. Luckily most of these tools come pre-installed on security-focused distributions like Kali Linux or Parrot. This post will look at five tools you can use for DNS enumeration.

  • NMAP
  • DNSEnum
  • DNSRecon
  • Host Command
  • NsLookup

Let’s get started.

 

1. NMAP

NMAP is a security tool mainly used for Network scanning and Port discovery. It also comes with various scripts that you can use to carry out penetration testing on multiple services. For example, the below command will list all the NMAP scripts for DNS enumeration.

ls -al /usr/share/Nmap/scripts/ | grep -e "dns-"

5 DNS Enumeration Tools with Best Practices & Examples

We will not look at all the scripts but two that this post found most reliable for enumerating DNS servers.

  • broadcast-dns-service-discovery
  • Dns-brute

 

Advertisement

1.1 Broadcast-dns-service-discovery Script

This script reveals the services using the DNS Discovery Protocol on the web server. The script sends multiple multicast DNS-SD queries and collects all the responses given by the server. However, all that is done procedurally.

The scripts first sends the for _services._dns-sd._udp.local query that lists all the running services. Once done, it sends another query to each listed service and collects this information.

Below is an example command using the Nmap broadcast-dns-service-discovery script to perform DNS enumeration.

nmap --script=broadcast-dns-service-discovery [target-domain],
e.g.
nmap --script=broadcast-dns-service-discovery example.com

 

1.2 Dns-brute Nmap Script

As the name suggests, this script performs a brute-force on the server to try and get all the hostnames. This script is quite efficient for DNS enumerations as it also takes multiple arguments, as listed below.

  • Dns-brute.domain: Allows you to set the domain name to brute-force if no host is specified.
  • Dns-brute.hostlist: Pass a list of host strings.
  • Dns-brute.srv: Lookup for SRV records.
  • Dns-brute.srvlist: Pass a list of SRV records.
  • Dns-brute.threads: Specify the number of threads to use for enumeration.

This post will not pass any arguments and will use the dns-brute script alone. See the command below.

nmap -T4 -p 53 --script dns-brute [target-domain]
e.g.
nmap -T4 -p 53 --script dns-brute example.com

5 DNS Enumeration Tools with Best Practices & Examples

The image above shows you all the hostnames we were able to enumerate.

 

Advertisement

2. DNSEnum

DNSEnum is a powerful Perl script that performs DNS enumerations on domain names. Some of the tasks that you can accomplish with this tool include:

  • Enumerate hostnames
  • Enumerate “A” records
  • Enumerate MX records
  • Make AXFR queries
  • Bruteforce subdomains
  • Reverse lookups.

The DNSEnum command below performs a DNS enumeration but avoid reverse lookups since we passed the --noreverse argument. The output is stored in an XML file.

dnsenum --noreverse -o mydomain.xml [target-domain]
E.g
dnsenum --noreverse -o mydomain.xml youtube.com

5 DNS Enumeration Tools with Best Practices & Examples

This tool is quite reliable. From the image above, you can see that we were able to enumerate hostnames, nameservers, mail servers, CNAME records, etc.

To see all the options available in this script, execute the command below.

dnsenum -help

 

3. DNSRecon

DNSRecon is another powerful utility used to perform DNS enumeration. This tool is pre-installed on penetration testing distributions like Kali Linux or Parrot. To list all the available options for DNSRecon, execute the command below.

dnsrecon -help

Let’s carry out a simple DNS enumeration using the DNSRecon tool. Execute the command below.

dnsrecon -d [target-domain]
e.g.
dnsrecon -d youtube.com

 

Advertisement

4. Host Command

The host command is widely used to determine the IP address of a domain name. For example, the command below shows the IP address of Youtube.

host youtube.com

5 DNS Enumeration Tools with Best Practices & Examples

The host command takes the -t argument that allows you to specify what information you want to get from the domain name. For example, to enumerate nameservers, you will run the command below.

host -t ns youtube.com

5 DNS Enumeration Tools with Best Practices & Examples

Use the -t mx argument to enumerate MX records as shown below.

5 DNS Enumeration Tools with Best Practices & Examples

 

2. NsLookup

NsLookup is another tool you can use for DNS enumeration and comes pre-installed on Kali Linux. Execute the nslookup command on your terminal without passing any arguments, as shown below.

nslookup

That will open an interactive shell where you can execute commands using NsLookup. To enumerate for nameservers, type the following commands and hit enter.

set type=ns
[target-domain]

5 DNS Enumeration Tools with Best Practices & Examples

To enumerate MX records, set the type to “mx”, as shown in the image below.

5 DNS Enumeration Tools with Best Practices & Examples

Advertisement

To close the interactive shell, type exit and hit enter.

 

Wrapping Up

This post has given you five methods that you can use to perform DNS enumeration on a host or domain. Although DNS information alone is not enough to launch a cyber attack, this information can be used by Attackers to estimate how large an organization is, the number of sub-domains might also increase the attack surface and much more. Do you have any questions or comments regarding this post? Feel free to let us know in the comments below.

 

Related Keywords: dns enumeration, dnsenum windows, dns reconnaissance, dns recon, pentest dns, dns lookup kali

 

Didn't find what you were looking for? Perform a quick search across GoLinuxCloud

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can either use the comments section or contact me form.

Thank You for your support!!

Leave a Comment

X