Introduction
DNS (Domain Name System) translates human-friendly domain names (e.g., www.example.com) into the IP addresses (e.g., 192.0.2.1) that machines use to communicate. Acting as the internet's phone book, DNS lets users reach websites by name instead of by IP. It is built on a distributed, hierarchical system of servers so that queries are answered efficiently. Because most of that data is public by design, DNS is usually the first source a tester queries to map a target's hosts, mail servers and name servers.
Basic DNS records lookup
Tools and commands for retrieving DNS record information.
| Tool | Example Command | Description |
|---|---|---|
| nslookup | nslookup -type=A example.com | Queries a DNS server for A records (IPv4 addresses); -type= selects any other record type. |
| dig | dig A example.com @ns1.example.com | Powerful DNS querying tool ideal for debugging and automation; @server sends the query straight to an authoritative name server instead of the local resolver. |
| host | host -t mx example.com | Simple tool to fetch any record type with -t; shown here for mail (MX) records. |
| dnsrecon | dnsrecon -d example.com -t axfr | Python tool for DNS enumeration; -t axfr tests every name server of the domain for an open zone transfer. |
| dnsenum | dnsenum example.com | Perl-based tool that collects addresses, name servers and MX records, attempts zone transfers and brute-forces subdomains from a wordlist. |
| nmap | nmap --script "dns-*" example.com | Runs Nmap's DNS NSE scripts (dns-brute, dns-zone-transfer, dns-srv-enum and others) to enumerate records and spot misconfigurations such as open zone transfers or open recursion. |
DNS lookup commands by record type
Query different types of DNS records to gather domain intelligence.
| Record Type | Command | Description |
|---|---|---|
| A (IPv4) | nslookup -type=A [DOMAIN]<br>dig A [DOMAIN] @[NAMESERVER] | Fetches the IPv4 address(es) of a domain. |
| AAAA (IPv6) | nslookup -type=AAAA [DOMAIN]<br>dig AAAA [DOMAIN] @[NAMESERVER] | Fetches the IPv6 address(es) of a domain. |
| PTR (Reverse) | nslookup -type=PTR [IP_ADDRESS]<br>dig -x [IP_ADDRESS] @[NAMESERVER] | Resolves an IP address back to a hostname; dig -x builds the in-addr.arpa (or ip6.arpa) name for you. |
| ANY | nslookup -type=ANY [DOMAIN]<br>dig ANY [DOMAIN] @[NAMESERVER] | Asks for every record type at the name. Many servers now answer ANY with a minimal response (RFC 8482) or refuse it, so query the authoritative server and fall back to per-type lookups when the answer is empty. |
| TXT | nslookup -type=TXT [DOMAIN]<br>dig TXT [DOMAIN] @[NAMESERVER] | Retrieves text records: the SPF policy, DMARC (published at _dmarc.[DOMAIN]), domain-verification tokens and similar. |
| MX (Mail) | nslookup -type=MX [DOMAIN]<br>dig MX [DOMAIN] @[NAMESERVER] | Identifies the mail servers handling email for the domain, with their priorities. |
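A shell script that ties these per-type lookups together, added here as an example rather than something from the original cheat sheet: it resolves the domain's authoritative name server with dig +short, sweeps the A, AAAA, MX and TXT types against it, and grades the SPF policy's all mechanism (a +all, or a bare all, authorises any host on the internet to send mail as the domain). It assumes BIND's dig is installed; example.com and the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): sweep the record types from the
# table against an authoritative server and grade the SPF "all" mechanism.
# Assumes BIND dig is installed; the domain passed on the command line is a placeholder.

# First authoritative name server of the domain, trailing dot stripped
auth_ns() {           # auth_ns DOMAIN
  dig +short NS "$1" | head -n 1 | sed 's/\.$//'
}

# Query one record type; dig +short prints only the RDATA, one record per line
lookup() {            # lookup TYPE DOMAIN [NAMESERVER]
  local type=$1 domain=$2 ns=${3:-}
  if [ -n "$ns" ]; then
    dig +short "$type" "$domain" "@$ns"
  else
    dig +short "$type" "$domain"
  fi
}

# Pick the SPF record out of TXT output. dig prints TXT RDATA quoted, and a
# long record arrives as several quoted strings; join them and drop the quotes.
spf_from_txt() {
  grep -i '"v=spf1' | sed 's/" "//g; s/"//g'
}

# Classify the "all" mechanism: "+all" (or a bare "all", whose qualifier
# defaults to "+") lets any sender pass; "?all" is neutral; "~all" softfails;
# "-all" rejects unlisted senders.
spf_verdict() {       # spf_verdict "v=spf1 include:_spf.example.com -all"
  case " $1 " in
    *" +all "*|*" all "*) echo permissive ;;
    *" ?all "*)           echo neutral ;;
    *" ~all "*)           echo softfail ;;
    *" -all "*)           echo hardfail ;;
    *)                    echo no-all ;;
  esac
}

# Run every lookup from the table against the authoritative server, then grade SPF
sweep() {             # sweep DOMAIN
  local domain=$1 ns type spf
  ns=$(auth_ns "$domain")
  for type in A AAAA MX TXT; do
    printf '== %s %s (via %s)\n' "$type" "$domain" "$ns"
    lookup "$type" "$domain" "$ns"
  done
  spf=$(lookup TXT "$domain" "$ns" | spf_from_txt)
  printf 'SPF: %s -> %s\n' "${spf:-none}" "$(spf_verdict "$spf")"
}

# Only query the network when a domain is given, so the functions can be sourced
if [ $# -gt 0 ]; then
  sweep "$1"
fi
```

Run it as `./dns_sweep.sh example.com`. Sending the queries to the authoritative server with @ sidesteps stale resolver caches, which matters when you are checking whether a fix to a mail policy has actually been published.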
DNS enumeration techniques
Gain deeper insight into domain infrastructure and potential misconfigurations.
| Technique | Command | Purpose |
|---|---|---|
| DNS lookup | host [DOMAIN or IP_ADDRESS] | Retrieves the default records: A, AAAA and MX for a name, PTR for an IP address. |
| Enumerate NS records | host -t ns [DOMAIN] | Lists the name servers authoritative for the domain; these are the targets for the zone-transfer check below. |
| Identify MX records | host -t mx [DOMAIN] | Lists the mail servers used by the domain. |
| Zone transfer attempt | host -l [DOMAIN] [NAME_SERVER] | Requests a full zone transfer (AXFR) from a name server. A correctly configured server only allows this from its secondaries; an open transfer hands over every record in the zone. Try each name server, not just the first. |
| TXT record lookup | host -t txt [DOMAIN] | Finds the domain's text records, including the SPF policy and domain-verification entries. |
| SOA record check | host -t soa [DOMAIN] | Returns the Start of Authority record: primary name server, administrator mailbox, zone serial and refresh/retry/expire timers. |
| CNAME record check | host -t cname [ALIAS] | Returns the canonical name the alias points to; a target that no longer resolves is worth noting. |
| SRV record discovery | host -t srv _service._protocol.[DOMAIN] | Identifies service-specific records, e.g. _sip._tcp.example.com or _ldap._tcp.example.com, which reveal the host and port offering that service. |
| DNSSEC key check | host -t dnskey [DOMAIN] | Checks whether the zone is DNSSEC-signed and returns its public keys; pair with host -t ds [DOMAIN] to confirm the parent zone publishes a matching DS record. |
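The zone-transfer row above is one command against one server; in practice you try every name server, because a secondary is often left open after the primary has been locked down. The following script, added here and not part of the original page, lists the name servers with host -t ns, attempts dig axfr against each, and classifies the result from dig's own output (a completed transfer ends with an ";; XFR size:" summary line, a refusal prints "; Transfer failed."). It assumes BIND's host and dig are installed; the domain argument and the output file names are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): test every name server of a
# domain for an open zone transfer (AXFR). Assumes BIND host/dig are installed.

# Turn `host -t ns` output into bare hostnames:
#   "example.com name server ns1.example.com."  ->  "ns1.example.com"
parse_ns() {
  awk '/name server/ { sub(/\.$/, "", $NF); print $NF }'
}

# Classify the output of `dig axfr`: a completed transfer ends with an
# "XFR size:" summary, a refused one prints "; Transfer failed.", and
# anything else (timeout, NOTAUTH, unreachable server) is reported as an error.
classify_axfr() {
  local out
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'XFR size:'; then
    echo open
  elif printf '%s\n' "$out" | grep -q 'Transfer failed'; then
    echo refused
  else
    echo error
  fi
}

# Try AXFR against each authoritative server and save any zone that leaks
check_zone_transfer() {   # check_zone_transfer DOMAIN
  local domain=$1 ns result
  for ns in $(host -t ns "$domain" | parse_ns); do
    result=$(dig +time=5 +tries=1 axfr "$domain" "@$ns" 2>/dev/null | classify_axfr)
    printf '%-30s %s\n' "$ns" "$result"
    if [ "$result" = open ]; then
      # +noall +answer keeps only the records, one per line, for later review
      dig +noall +answer axfr "$domain" "@$ns" > "axfr_${domain}_${ns}.txt"
    fi
  done
}

# Only touch the network when a domain is given, so the functions can be sourced
if [ $# -gt 0 ]; then
  check_zone_transfer "$1"
fi
```

Run it as `./axfr_check.sh example.com`. Reporting "error" separately from "refused" matters: a server that times out on TCP port 53 has not been tested at all, whereas a "Transfer failed." response shows the server answered and applied its allow-transfer policy.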