DNS 53

#NMAP

nmap -p 53 10.11.1.1-254 -vv -oA dns.txt (1-254 specifies a range of targets)

#Find DNS server:

nslookup whatever.local 10.10.10.10
dig @10.11.1.221 whatever.local
dig -x 10.10.10.10 +short (short flag reduces output)

#Forward Lookup Brute Force: (using dnsrecon and dnsmap - install tools separately)

dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t std --xml dnsrecon.xml

#host

host megacorpone.com (basic)
host -t mx megacorpone.com (MX records search)
host -t txt megacorpone.com (TXT records search)

#Forward lookup bruteforce (requires list of potential hosts)

cat list.txt
www http proxy ftp router mail

#Use a bash loop to automate the lookups

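# Forward-lookup brute force: resolve <name>.megacorpone.com for every
# name in list.txt. The unquoted $(<list.txt) is intentional: list.txt may
# hold several names on one whitespace-separated line (see the cat output
# above), so word-splitting is the delimiter here. The host argument is
# quoted so a name can never be glob-expanded before it reaches host.
# shellcheck disable=SC2013,SC2046
for name in $(<list.txt); do host "$name.megacorpone.com"; done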

#seclists has custom wordlist for dns bruteforcing

#Reverse lookup bruteforce script

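# Reverse-lookup sweep of 38.100.193.50-100, keeping only hosts that
# resolve. Brace range instead of $(seq ...); the original line ended in
# stray mis-encoded bytes glued to the grep pattern, which made the
# "not found" filter match nothing - they are removed here.
for ip in {50..100}; do host "38.100.193.$ip"; done | grep -v "not found"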

#Reverse Lookup Brute Force:

dnsrecon -d demo.com -t rvl

DNS Zone Transfers:

host -l domain $ip (domain, then the IP of the name server to query)
dnsrecon -d megacorpone.com -t axfr

dnsenum zonetransfer.me
