DNS Enumeration
What is a DNS server?
A DNS server is a server/computer on the internet that resolves hostnames/domains to IP addresses.
It is responsible for the management, maintenance and processing of Internet domain names and their associated records.
In essence, DNS servers give out nameserver and mail server information for the domains they are responsible for.
What is DNS enumeration?
DNS enumeration is also referred to as DNS interrogation.
It involves all the techniques used to gather as much information as possible from a DNS server: locating all the DNS servers for a domain and their corresponding records.
DNS enumeration will yield the computer names, IP addresses and mail servers of a particular domain.
Tools we will be using
- Dig
- Host
- Nslookup
Using host
Host is used to determine the IP address a domain resolves to; with -t it queries a specific record type (ns for nameservers, mx for mail servers).
host hsploit.com
host -t ns hsploit.com
host -t mx hsploit.com
Using Nslookup
nslookup hsploit.com
In interactive mode (run nslookup with no arguments), select ns for nameservers, then enter the domain
set type=ns
Select mx for mail servers, then enter the domain
set type=mx
Using Dig for DNS Enumeration
Dig is one of the most commonly used tools for DNS enumeration; it is also referred to as the DNS Swiss army knife.
Record Types
- A – The A record holds the IPv4 address associated with the domain
- AAAA – Holds the IPv6 address for the domain
- CNAME – (Canonical name record) – Maps one domain to another domain (very useful)
- MX – The MX record lists the addresses associated with the mail exchangers (mail servers)
- PTR – Pointer records, which are used in reverse DNS lookups
- AXFR – Authority for zone transfer – used to make a name server return all the records of a particular domain (very useful, as we will see in the next videos, since it can divulge internal addresses and private subdomains)
Using Dig
- Domain Lookup – dig hsploit.com
- Mail server lookup – dig hsploit.com -t mx
- Name server lookup – dig hsploit.com -t ns
- AAAA lookup – dig hsploit.com AAAA
- CNAME Lookup – dig hsploit.com CNAME
Returning important data only
We use the +short option to return only the important information (the record data, without the header and status sections).
dig hsploit.com mx +short
dig hsploit.com ns +short
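The dig lookups above can be chained into one enumeration pass. The script below is an added example, not part of the original notes: it queries each record type covered here with dig +noall +answer (which keeps the record type, unlike +short) and parses the answer lines with awk so the results can be processed further. The domain example.test and the sample dig output in SAMPLE are constructed for illustration.

```shell
#!/bin/sh
# Added example: run the dig record lookups from the notes in one loop and
# parse the answer section. Domain and sample output are constructed.

# parse_records TYPE  (reads dig +noall +answer output on stdin)
# Prints "name type rdata" for every answer line of the wanted type.
# dig answer lines look like:  name.  ttl  IN  TYPE  rdata...
parse_records() {
  awk -v want="$1" '
    /^;/ { next }                         # skip dig comment/section lines
    NF >= 5 && $3 == "IN" && $4 == want {
      rdata = $5
      for (i = 6; i <= NF; i++) rdata = rdata " " $i
      print $1, $4, rdata
    }'
}

# mx_hosts  (reads dig output on stdin)
# Lists the mail exchangers in priority order, lowest preference first.
mx_hosts() {
  parse_records MX | awk '{ print $3, $4 }' | sort -n | awk '{ print $2 }'
}

# enumerate DOMAIN : query the record types covered in the notes
enumerate() {
  domain="$1"
  for t in A AAAA NS MX CNAME; do
    dig "$domain" "$t" +noall +answer | parse_records "$t"
  done
}

# Constructed sample of dig +noall +answer output (not real query output)
SAMPLE='; <<>> DiG 9.18 <<>> example.test MX
;; ANSWER SECTION:
example.test.        300  IN  MX  20 mail2.example.test.
example.test.        300  IN  MX  10 mail1.example.test.
example.test.        300  IN  NS  ns1.example.test.
'

# Helpers used to check the parser against the constructed sample
count_records() { printf '%s' "$SAMPLE" | parse_records "$1" | wc -l | tr -d ' '; }
first_mx()      { printf '%s' "$SAMPLE" | mx_hosts | head -n 1; }
```

Run `enumerate hsploit.com` to perform the live lookups from the notes; the parser helpers work on the embedded sample without network access.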