# DNS 53

**#NMAP**

```
nmap -p 53 10.11.1.1-254 -vv -oA dns.txt   # 1-254 specifies a range of targets
```

**#Find DNS server:**

```
nslookup whatever.local 10.10.10.10
dig @10.11.1.221 whatever.local
dig -x 10.10.10.10 +short   # +short reduces output to the answer only
```

**#Forward Lookup Brute Force: (using dnsrecon with the dnsmap wordlist - install the tools separately)**

```
dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t std --xml dnsrecon.xml
```

**#host**

```
host megacorpone.com          # basic A record lookup
host -t mx megacorpone.com    # MX records
host -t txt megacorpone.com   # TXT records
```

**#Forward lookup bruteforce (requires list of potential hosts)**

```
cat list.txt
www http proxy ftp router mail

# Use a bash loop to automate the lookups

for ip in $(cat list.txt); do host $ip.megacorpone.com; done

# SecLists ships wordlists for DNS brute forcing
```

**#Reverse lookup bruteforce script**

```
for ip in $(seq 50 100); do host 38.100.193.$ip; done | grep -v "not found" 
```
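The forward and reverse loops above print every answer, including NXDOMAIN noise. The following is an added example (not part of the original notes) that post-processes saved `host` output into clean "name<TAB>address" lines; the sample output it runs on is constructed, so no DNS queries are made.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: tidy the output of the
# forward/reverse `host` loops so only resolved names survive.

# parse_host_output: filter `host` output on stdin.
#   "X has address A"                        -> X<TAB>A
#   "X has IPv6 address A"                   -> X<TAB>A
#   "R.in-addr.arpa domain name pointer N."  -> N<TAB>IP (octets un-reversed)
#   "Host X not found: 3(NXDOMAIN)"          -> dropped
parse_host_output() {
  awk '
    /has address/      { print $1 "\t" $4 }
    /has IPv6 address/ { print $1 "\t" $5 }
    /domain name pointer/ {
      split($1, o, ".")                 # o[1..4] are the reversed octets
      ip = o[4] "." o[3] "." o[2] "." o[1]
      name = $5; sub(/\.$/, "", name)   # strip the trailing dot
      print name "\t" ip
    }
  ' | sort -u
}

# Constructed sample of what the two loops might print (not real answers).
SAMPLE_HOST_OUTPUT='www.megacorpone.com has address 38.100.193.50
Host http.megacorpone.com not found: 3(NXDOMAIN)
mail.megacorpone.com has address 38.100.193.51
50.193.100.38.in-addr.arpa domain name pointer www.megacorpone.com.
Host 52.193.100.38.in-addr.arpa not found: 3(NXDOMAIN)'

# Usage with the loop from the notes:
#   for h in $(cat list.txt); do host $h.megacorpone.com; done | parse_host_output
printf '%s\n' "$SAMPLE_HOST_OUTPUT" | parse_host_output
```

Because `sort -u` deduplicates, a name seen both in the forward sweep and via its PTR record appears once.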

**#Reverse Lookup Brute Force:**

```
dnsrecon -d demo.com -t rvl
```

**#DNS Zone Transfers:**

```
# host -l requests a full zone (AXFR) from the given name server;
# a correctly configured server refuses unless the client is an authorised secondary
host -l <domain> <dns-server-ip>
dnsrecon -d megacorpone.com -t axfr

dnsenum zonetransfer.me
```
