Building on our understanding of active reconnaissance from the previous lesson, we now dive into the first practical technique: DNS enumeration. The Domain Name System (DNS) is the internet's phone book — it translates human-readable domain names into IP addresses. By querying DNS servers directly, we can discover subdomains, mail servers, name servers, and other records that reveal the target's infrastructure.
Before we start enumerating, you need to understand the DNS record types you will encounter. Each record type serves a different purpose and reveals different information about the target.
| Record Type | Purpose | Reconnaissance Value |
|---|---|---|
| A | Maps a domain to an IPv4 address | Identifies live hosts and their IP addresses |
| AAAA | Maps a domain to an IPv6 address | Reveals IPv6 infrastructure |
| MX | Mail Exchange — specifies mail servers | Identifies email infrastructure and priority values |
| NS | Name Server — authoritative DNS servers | Reveals DNS hosting providers and potential zone transfer targets |
| TXT | Text records — often contain SPF, DKIM, DMARC data | Reveals email security config, domain ownership details |
| CNAME | Canonical Name — alias for another domain | Uncovers hidden services and third-party integrations |
| SOA | Start of Authority — zone admin info | Reveals admin email, serial numbers, and zone timing |
| PTR | Pointer — reverse DNS lookup | Maps IP addresses back to domain names |
The dig (Domain Information Groper) tool is the gold standard for manual DNS queries. It provides granular control and detailed output. Let us walk through the essential queries.
The +short flag gives us clean output with just the IP addresses. Without it, dig returns the full response, including the header, question, answer, authority, and additional sections.
The numbers (10, 20) indicate priority — lower values are preferred. This tells us the target has two mail servers, with mail.vulnarex.local as the primary.
💡 The SPF record reveals that the target authorizes mail from its MX servers and the entire 192.168.1.0/24 subnet. This is valuable intelligence for understanding the network scope.
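To turn that SPF observation into a repeatable audit, here is an added example (not code from the lesson or the lab) that parses an SPF TXT record, reports the IPv4 scope it authorizes, and flags weak constructs such as a permissive catch-all or a delegated include. The sample record is constructed to match the one described above.

```python
import ipaddress

# Constructed sample TXT record, modelled on the lesson's description (not taken from the lab).
SAMPLE_SPF = "v=spf1 mx ip4:192.168.1.0/24 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"  # SPF defaults an unqualified mechanism to "pass"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        # mechanisms use ':' (ip4:...), modifiers use '=' (redirect=...)
        name, _, value = term.partition(":") if ":" in term else term.partition("=")
        parsed.append((QUALIFIERS[qual], name.lower(), value))
    return parsed


def audit_spf(record):
    """Return the authorized IPv4 address count and findings a defender would review."""
    findings = []
    authorized_ip4 = 0
    parsed = parse_spf(record)
    for qual, mech, value in parsed:
        if mech == "ip4" and qual == "pass":
            net = ipaddress.ip_network(value, strict=False)
            authorized_ip4 += net.num_addresses
            if net.prefixlen < 24:
                findings.append(f"broad ip4 range {value} authorized")
        elif mech == "all" and qual in ("pass", "neutral"):
            findings.append(f"'{qual}' catch-all lets anyone send as the domain")
        elif mech in ("include", "redirect"):
            findings.append(f"trust delegated to {value}; audit that domain too")
    if not any(m == "all" for _, m, _ in parsed):
        findings.append("no 'all' mechanism; policy is effectively neutral")
    return {"mechanisms": parsed, "ip4_addresses": authorized_ip4, "findings": findings}


if __name__ == "__main__":
    for key, val in audit_spf(SAMPLE_SPF).items():
        print(f"{key}: {val}")
```

The same function also handles a weaker record such as `v=spf1 ip4:10.0.0.0/8 include:_spf.example.com +all`, where the /8, the include, and the `+all` each produce a finding.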
A DNS zone transfer (AXFR) is a mechanism where a secondary DNS server copies its records from the primary. If misconfigured, any client can request a full zone transfer, dumping every DNS record for the domain — a goldmine for attackers.
This zone transfer was successful — the server handed over every internal record including dev.vulnarex.local and internal.vulnarex.local, which were not publicly visible. This is a critical misconfiguration.
⚠️ Zone transfers should only be allowed between authorized primary and secondary name servers. If you discover a successful zone transfer during a penetration test, report it as a high-severity finding immediately.
While dig is excellent for manual queries, dnsenum automates the entire DNS enumeration process. It performs zone transfer attempts, subdomain brute-forcing, and Google-based discovery in a single command.
The dnsenum output gives us a comprehensive picture: name servers, mail servers, brute-forced subdomains, and even Google-discovered hosts. The results are also saved to results.xml for documentation.
💡 Always document your DNS enumeration results. Subdomains like dev, staging, and admin often run outdated or less-secure software, making them prime targets during a penetration test.