DNS Recon

Techniques for enumerating DNS for penetration testing


DNS discovery is the process of finding and mapping domain names and IP addresses in a network. It's a key step in the reconnaissance phase of a penetration testing process, aimed at identifying systems, services, and potential vulnerabilities. DNS discovery can be done manually or through automated tools and provides valuable information for more targeted penetration testing.

Techniques for Using DNS to Find Services

Follow these techniques to find services using DNS in penetration testing

  • Scan target domain with tools such as nslookup, dig, and dnsrecon.

  • Use bruteforce techniques to identify all hostnames within the domain.

  • Perform subdomain enumeration with wordlists.

  • Monitor target domain for changes to its DNS records.

  • Use tools like Fierce to perform active scans.

  • Gather OSINT information about the target domain.

  • Minimize the amount of network traffic generated.


DNS discovery can be performed manually, using tools such as the ping command or the nslookup utility, or by using automated tools, such as port scanners or vulnerability assessment software. The information obtained from DNS discovery can be used to plan and execute more targeted and effective penetration testing and security assessments.


nslookup is a tool for querying DNS to obtain domain name or IP address information. In DNS discovery, it can be used to retrieve information about specific hostnames or IP addresses, providing valuable insights into a network's infrastructure during penetration testing reconnaissance.

Resolve a given hostname to the corresponding IP:

nslookup targetorganization.com

Obtain CNAME DNS record:

nslookup --type=CNAME targetorganization.com

Obtain MX DNS record:

nslookup -query=mx example.com

Displays nameservers for given domain:

nslookup -type=ns domain

Use reverse DNS lookup to resolve an IP address to the given PTR record hostname:

nslookup -type=PTR IP_address


The dig command is a tool for querying the DNS system to retrieve information about domain names and IP addresses. It provides more detailed output than nslookup.

Use the dig command in linux to return DNS information

dig a domain-name-here.com @nameserver 


Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains using DNS.



DNSRecon is a reconnaissance tool in Kali Linux that gathers information about a target domain's DNS infrastructure by performing techniques such as zone transfers, subdomain enumeration, and brute-force attacks.

Example using Kali dnsrecon on TARGET using the wordlist file dnsmap.txt and outputs results to output.xml:

dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml

Zone Transfers

A DNS zone transfer is the process of copying the entire database of DNS records from one DNS server to another, allowing for replication of the DNS information.

Zone Transfers Using dig

An example where the dig command is used to transfer the entire zone database for the domain "example.com" from the DNS server "ns1.example.com". The AXFR option specifies that the query is a request for a zone transfer.

dig @ns1.example.com example.com AXFR

Zone Transfer Using Windows CMD

An example of the nslookup command where type=any sets query to retrieve all DNS record types, and ls -d blah performs zone tranfers for the domain example.com:

nslookup -> set type=any -> ls -d example.com

DNS Online Tools

Last updated