0) What is DNS?
The Domain Name System (DNS) maps human-friendly domain names to IP addresses and provides other resource records (MX, TXT, NS, SOA, etc.). It typically runs on UDP/TCP port 53. DNS is critical infrastructure — misconfigurations (open zone transfers, recursive resolvers, weak DNSSEC) or protocol misuse (tunneling) can expose internal hosts, enable data exfiltration, or enable spoofing and phishing.
1) Recon Phase
- Discover DNS servers: nmap -sU -p 53 --script=dns-nsid,dns-recursion <target>
- Identify authoritative nameservers (NS records): dig NS <domain> @<nameserver>
- Check public records: dig ANY, dig SOA, dig AXFR (zone transfer attempt)
- Passive recon: search public sources for subdomains (crt.sh, Certificate Transparency, DNSDumpster)
Start by identifying which servers answer for a domain (authoritative vs recursive). Record NS and SOA details to target later enumeration (AXFR attempts, zone walking).
2) Enumeration Phase
- Zone transfer (AXFR): dig @<nameserver> <domain> AXFR
- Enumerate records: dig A, AAAA, MX, TXT, SRV, PTR
- DNS bruteforce/subdomain discovery: amass enum, subfinder, assetfinder, dnsenum
- Zone walking on NSEC/NSEC3 when DNSSEC is misconfigured
- Check for DNS recursion/open resolvers: dig @<target> whoami.akamai.net TXT
- Use nmap NSE: nmap -sU -p 53 --script=dns-zone-transfer,dns-recursion,dns-nsec-enum <target>
Look for subdomains, internal hostnames, mail server (MX) targets, SPF/TXT data (which can leak infrastructure), and any zone transfer that returns full DNS data.
3) Exploitation Phase
- If AXFR succeeds: download zone data and harvest internal hostnames, IPs, mail servers, and keys
- Misconfigured recursion: abuse open resolver for reflection/amplification DDoS or cache poisoning attempts (authorized testing only)
- DNS cache poisoning and spoofing (protocol-level weaknesses + race conditions)
- DNS tunneling (data exfiltration/persistence): test with iodine, dnscat2, dns2tcp (use only in authorized labs)
- Harvest TXT/SPF/DMARC to discover internal services and credentials
Prioritize extracting hostnames and credentials referenced in DNS records. Zone transfers reveal internal structure; DNS tunneling may indicate existing exfil channels.
DNS Info — What to Look For
- Successful AXFR (zone transfer) from authoritative NS
- Open/recursive resolvers that answer for third-party queries
- Exposed internal hostnames and private IPs in DNS records
- TXT records leaking configuration or API keys (SPF, verification tokens)
- DNSSEC misconfigurations (NSEC/NSEC3 zone walking)
- Evidence of DNS tunneling (suspicious long/encoded subdomains)
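The checklist above (and the "harvest" step in the exploitation phase) is easy to apply by hand on a small zone but tedious on a real one. The following script is an added example, not part of the original cheatsheet: it parses records in the layout dig prints for an AXFR (or a zone file) and flags internal addresses, labels that name infrastructure, and TXT records that look like credentials. The zone data, the label keywords and the secret-hint patterns are constructed for illustration; tune them for the zone you are actually authorized to audit.

```python
# Added example (not from the original cheatsheet): audit records obtained from
# an authorized AXFR or a zone file for the exposures listed in the checklist.
# Standard library only; the zone data below is constructed.
import ipaddress
import re

# Constructed sample in the "name TTL IN TYPE rdata" layout that dig prints.
SAMPLE_ZONE = """\
example.test.               3600 IN SOA ns1.example.test. hostmaster.example.test. 2024010101 7200 900 1209600 300
example.test.               3600 IN NS  ns1.example.test.
www.example.test.           300  IN A   203.0.113.10
vpn-internal.example.test.  300  IN A   10.20.30.40
db01.corp.example.test.     300  IN A   192.168.5.12
example.test.               300  IN MX  10 mail.example.test.
example.test.               300  IN TXT "v=spf1 include:_spf.example.test ip4:203.0.113.0/24 -all"
_legacy.example.test.       300  IN TXT "api_key=EXAMPLE-NOT-A-REAL-KEY-0000"
example.test.               300  IN TXT "google-site-verification=abc123"
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")
# Address ranges that should never appear in a public zone (RFC 1918, loopback,
# link-local, ULA). Explicit list rather than is_private so that documentation
# ranges such as 203.0.113.0/24 are treated as public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]
# Constructed keyword list: labels that usually name infrastructure, not public services.
INTERNAL_LABEL_RE = re.compile(r"(?i)(^|[.-])(internal|intranet|corp|vpn|staging)([.-]|$)")
# Constructed hint list: TXT values that look like a credential rather than a verification token.
SECRET_HINT_RE = re.compile(r"(?i)(api[_-]?key|secret|token|password)\s*[=:]")


def parse_zone(text):
    """Return (name, ttl, rtype, rdata) tuples; blank lines and ';' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = RECORD_RE.match(line)
        if match:
            name, ttl, rtype, rdata = match.groups()
            records.append((name.rstrip(".").lower(), int(ttl), rtype.upper(), rdata.strip()))
    return records


def is_internal_address(text):
    """True when the rdata is an IP inside one of the internal ranges."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def audit_zone(text):
    """Return (severity, name, reason) findings in zone order."""
    findings = []
    seen_names = set()
    for name, _ttl, rtype, rdata in parse_zone(text):
        # Name-based hint is reported once per owner name, not once per record.
        if name not in seen_names and INTERNAL_LABEL_RE.search(name):
            findings.append(("medium", name, "hostname label suggests an internal service"))
        seen_names.add(name)
        if rtype in ("A", "AAAA") and is_internal_address(rdata):
            findings.append(("high", name, f"{rtype} record exposes internal address {rdata}"))
        elif rtype == "TXT":
            value = rdata.strip('"')
            if SECRET_HINT_RE.search(value):
                findings.append(("high", name, "TXT record looks like a credential"))
            elif value.startswith("v=spf1"):
                findings.append(("info", name, "SPF record lists sending infrastructure: " + value))
    return findings


if __name__ == "__main__":
    for severity, name, reason in audit_zone(SAMPLE_ZONE):
        print(f"[{severity}] {name}: {reason}")
```

On the sample zone this reports the two private A records and the internal-looking owner names as findings, the SPF record as informational (it enumerates sending hosts, which is expected but worth knowing), and the api_key TXT as high; the site-verification token is left alone. Feed it the output of dig @<nameserver> <domain> AXFR saved to a file to audit a zone you control.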
Tools required
sudo apt install dnsutils nmap dnsrecon dnsenum amass subfinder massdns
# Optional / advanced:
# - fierce (legacy DNS scanner)
# - dnscat2 / iodine / dns2tcp (DNS tunnel testing - authorized use only)
# - whois, curl, jq for parsing public data
Quick copy-paste command cheatsheet
# basic discovery
nmap -sU -p 53 --script=dns-recursion,dns-nsid <target>
# authoritative nameservers
dig NS <domain>
# zone transfer (AXFR)
dig @<nameserver> <domain> AXFR
# list records
dig A <domain>
dig MX <domain>
dig TXT <domain>
# nmap NSE zone transfer + DNS scripts
nmap -sU -p 53 --script=dns-zone-transfer,dns-recursion,dns-nsec-enum <target>
# subdomain enum
amass enum -d <domain>
subfinder -d <domain> -silent
# brute / wordlist
dnsenum --dnsserver <nameserver> <domain>
# check for DNS tunneling indicators (look for very long/encoded subdomains)
# run mass subdomain discovery and inspect results for long labels
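The last two cheatsheet lines say to look for very long or encoded subdomains as tunneling indicators but leave the "how" open. The script below is an added example, not part of the original cheatsheet: it scores resolver query names on label length, label entropy and total name length, treats TXT/NULL query types as a corroborating signal only, and then aggregates per client and parent domain so that a single odd lookup does not fire but a stream of unique high-entropy names under one parent does. The log lines and their "<time> <client> <qname> <qtype>" layout are constructed and do not match any particular resolver's log format; adapt parse_log to yours.

```python
# Added example (not from the original cheatsheet): score resolver query logs
# for the tunneling indicators the cheatsheet mentions (very long or encoded
# labels, many unique names under one parent, TXT/NULL-heavy traffic).
# Standard library only; the log lines are constructed, not a real log format.
import math
from collections import defaultdict

# Constructed "<time> <client> <qname> <qtype>" lines.
SAMPLE_LOG = """\
12:00:01 192.0.2.10 www.example.test A
12:00:02 192.0.2.10 _dmarc.example.test TXT
12:00:02 192.0.2.10 mail.example.test MX
12:00:03 192.0.2.11 2f7a9c1e4b8d6f0a3c5e7b9d1f2a4c6e.t.exfil.test TXT
12:00:03 192.0.2.11 8e1d3c5b7a9f2e4d6c8b0a1f3e5d7c9b.t.exfil.test TXT
12:00:04 192.0.2.11 a1b2c3d4e5f60718293a4b5c6d7e8f90.t.exfil.test TXT
12:00:04 192.0.2.11 0f9e8d7c6b5a4938271605f4e3d2c1b0.t.exfil.test TXT
12:00:05 192.0.2.12 cdn.example.test A
"""


def shannon_entropy(label):
    """Bits per character; hex/base32 payload labels sit far above ordinary hostnames."""
    if not label:
        return 0.0
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the constructed log layout into dicts; malformed lines are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        time, client, qname, qtype = parts
        rows.append({"time": time, "client": client,
                     "qname": qname.rstrip(".").lower(), "qtype": qtype.upper()})
    return rows


def parent_domain(qname, depth=2):
    """Registrable parent, approximated as the last two labels (no public-suffix list)."""
    return ".".join(qname.split(".")[-depth:])


def score_query(qname, qtype):
    """Per-query indicators; the query type only counts once another indicator has fired,
    so routine TXT lookups such as _dmarc do not score on their own."""
    sub_labels = qname.split(".")[:-2]
    hits = []
    if any(len(label) >= 30 for label in sub_labels):
        hits.append("long_label")
    if any(len(label) >= 16 and shannon_entropy(label) >= 3.5 for label in sub_labels):
        hits.append("high_entropy")
    if len(qname) >= 60:
        hits.append("long_qname")
    if hits and qtype in ("TXT", "NULL"):
        hits.append("bulk_rrtype")
    return hits


def find_tunnel_candidates(text, min_flagged=3):
    """Aggregate per (client, parent domain) and report parents with repeated flagged, unique names."""
    stats = defaultdict(lambda: {"queries": 0, "unique": set(), "flagged": 0, "indicators": set()})
    for row in parse_log(text):
        key = (row["client"], parent_domain(row["qname"]))
        hits = score_query(row["qname"], row["qtype"])
        entry = stats[key]
        entry["queries"] += 1
        entry["unique"].add(row["qname"])
        if hits:
            entry["flagged"] += 1
            entry["indicators"].update(hits)
    candidates = []
    for (client, parent), entry in stats.items():
        if entry["flagged"] >= min_flagged and len(entry["unique"]) >= min_flagged:
            candidates.append({"client": client, "parent": parent, "queries": entry["queries"],
                               "unique_names": len(entry["unique"]), "flagged": entry["flagged"],
                               "indicators": sorted(entry["indicators"])})
    return candidates


if __name__ == "__main__":
    for candidate in find_tunnel_candidates(SAMPLE_LOG):
        print(candidate)
```

On the sample log only the 192.0.2.11 traffic under exfil.test is reported; the ordinary A, MX and _dmarc lookups never score. Expect legitimate false positives from CDN and certificate-validation names, which also use long random labels; the per-parent aggregation and an allowlist of known parents are the usual way to keep those out.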
Disclaimer: Use these techniques only on systems and domains you own or are explicitly authorized to test. DNS attacks, unauthorized zone transfers, spoofing, tunneling, or poisoning are illegal and unethical when performed without permission.