How-to-gather-dns-information.md

File metadata and controls

91 lines (76 loc) · 6.23 KB

Authors: < nixawk >


How to gather DNS information?

If you want to know how to gather DNS information, please read Wikipedia - List of DNS record types [1] first.

| idns - passive mode | Method | Description |
|---|---|---|
| dns query | A | Address record. Returns a 32-bit IPv4 address; most commonly used to map a hostname to the IP address of the host, but also used for DNSBLs, storing subnet masks (RFC 1101), etc. |
| dns query | CNAME | Canonical name record. Alias of one name to another: the DNS lookup continues by retrying the lookup with the new name. |
| dns query | AAAA | IPv6 address record. Returns a 128-bit IPv6 address; most commonly used to map a hostname to the IPv6 address of the host. |
| dns query | MX | Mail exchange record. Maps a domain name to a list of message transfer agents for that domain. |
| dns query | NS | Name server record. Delegates a DNS zone to the given authoritative name servers. |
| dns query | SOA | Start of authority record. Specifies authoritative information about a DNS zone: the primary name server, the email of the domain administrator, the zone serial number, and several timers relating to refreshing the zone. |
| dns query | SPF | Sender Policy Framework. A simple email-validation system designed to detect email spoofing: it lets receiving mail exchangers check that incoming mail from a domain comes from a host authorized by that domain's administrators. The dedicated SPF record type is obsolete (RFC 7208); SPF policies are published as TXT records, so query TXT as well. |
| dns query | TXT | Text record. Originally for arbitrary human-readable text; today it carries machine-readable data such as SPF, DKIM and DMARC policies and domain-verification tokens, which often reveal the third-party services a domain uses. |
| dns query | PTR | Pointer record. Pointer to a canonical name; unlike a CNAME, DNS processing stops and just the name is returned. The most common use is implementing reverse DNS lookups, but other uses include DNS-SD. |
| dns query | SRV | Service locator. Generalized service location record, used by newer protocols instead of creating protocol-specific records such as MX. |
| dns query | NSEC | Next Secure record. Part of DNSSEC, used to prove a name does not exist. Uses the same format as the (obsolete) NXT record. Because each NSEC names the next owner in the zone, the chain can be walked to enumerate every name in a signed zone. |
| dns query | AXFR | Authoritative (full) zone transfer. Transfers the entire zone from the master name server to secondary name servers; a server that answers AXFR for arbitrary clients hands out every record in the zone. |
| dns query | IXFR | Incremental zone transfer. Transfers only the changes made since the zone serial the secondary already holds, instead of the entire zone. |
| dns query | DNS wildcard | Check whether the zone has a wildcard record (every non-existent name resolves, so brute-force hits must be filtered against the wildcard answer) or whether the resolver returns faked answers. |
| dns query | domain bruteforce | Brute-force subdomains with wordlists. |
| dns query | reverse bruteforce | Reverse-resolve (PTR) the IP ranges found, to discover hostnames belonging to the domain. |
| dns query | srv bruteforce | Brute-force well-known _service._proto SRV names to find services. |
| dns query | gtld bruteforce | Brute-force the second-level name across the generic TLDs. |
| dns query | tld bruteforce | Brute-force the second-level name across all TLDs. |
| OSInt | Google | Spider domains from Google result pages for the query domain:demo.com. |
| OSInt | Bing | Spider domains from Bing result pages for the query domain:demo.com. |
| OSInt | Yahoo | Spider domains from Yahoo result pages for the query domain:demo.com. |
| OSInt | Baidu | Spider domains from Baidu result pages for the query domain:demo.com. |
| OSInt | Netcraft | Spider domains from Netcraft searchdns pages. |
| OSInt | Github | Spider domains from GitHub pages. |
| OSInt | Shodan | Search domains in Shodan. |
| OSInt | Censys | Search domains in Censys. |
| OSInt | ZoomEye | Search domains in ZoomEye. |
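The wildcard check and the domain bruteforce above only make sense together: if the zone has a wildcard, every word in the list "resolves" and the result is noise. The following is an added example (not code from this page, idns or dnsrecon) of a wildcard-aware brute force; it mirrors what dnsrecon does with brt and --iw. The resolver is injected as a callable so the logic runs offline against a constructed zone; system_resolver() backs it with the OS resolver for a live run. demo.com, the 192.0.2.x addresses and the wordlist are made up.

```python
"""Wildcard-aware subdomain brute force (added example, not idns/dnsrecon code).

The resolver is a plain callable so the logic runs offline against a
constructed in-memory zone; system_resolver() backs it with the OS stub
resolver for a live run. 'demo.com' and the 192.0.2.x addresses are made up.
"""
import random
import socket
import string
from typing import Callable, Dict, FrozenSet, Iterable, Optional

Resolver = Callable[[str], FrozenSet[str]]   # name -> addresses (empty = no answer)


def system_resolver(name: str) -> FrozenSet[str]:
    """Live A/AAAA lookup through the OS resolver; empty set on NXDOMAIN/no data."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return frozenset()
    return frozenset(info[4][0] for info in infos)


def make_fake_resolver(zone: Dict[str, FrozenSet[str]],
                       wildcard: Optional[FrozenSet[str]] = None) -> Resolver:
    """Constructed zone for offline use: known names answer, anything else hits the wildcard."""
    def resolve(name: str) -> FrozenSet[str]:
        return zone.get(name, wildcard or frozenset())
    return resolve


def random_label(length: int = 12) -> str:
    """A label that cannot plausibly exist; used to probe for a wildcard record."""
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=length))


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> FrozenSet[str]:
    """Addresses the wildcard answers with, or an empty set if there is no wildcard.

    Several random labels are queried and their answers unioned, because a
    round-robin wildcard may hand out a different address on each query.
    """
    seen: set = set()
    for _ in range(probes):
        seen |= resolve(f"{random_label()}.{domain}")
    return frozenset(seen)


def brute_force(domain: str, words: Iterable[str], resolve: Resolver,
                ignore_wildcard: bool = False) -> Dict[str, FrozenSet[str]]:
    """Return {hostname: addresses} for wordlist entries that provably exist.

    Like dnsrecon, stop when a wildcard is found unless ignore_wildcard (--iw)
    is set; in that mode answers containing nothing beyond the wildcard's
    addresses are dropped, since they prove nothing about the name.
    """
    wildcard = detect_wildcard(domain, resolve)
    if wildcard and not ignore_wildcard:
        raise RuntimeError(f"{domain} has a wildcard -> {sorted(wildcard)}; "
                           "rerun with ignore_wildcard=True to filter it")
    found: Dict[str, FrozenSet[str]] = {}
    for word in words:
        name = f"{word.strip().lower()}.{domain}"
        addrs = resolve(name)
        if addrs and not addrs <= wildcard:   # at least one address the wildcard lacks
            found[name] = addrs
    return found


# Constructed sample zone: 'dev' only has the wildcard's address, so it cannot be
# distinguished from a non-existent name and is (correctly) not reported.
DEMO_WILDCARD = frozenset({"192.0.2.99"})
DEMO_ZONE = {
    "www.demo.com": frozenset({"192.0.2.10"}),
    "mail.demo.com": frozenset({"192.0.2.20", "192.0.2.99"}),
    "dev.demo.com": frozenset({"192.0.2.99"}),
}
DEMO_WORDS = ["www", "mail", "dev", "ftp", "vpn"]

if __name__ == "__main__":
    resolve = make_fake_resolver(DEMO_ZONE, DEMO_WILDCARD)
    for host, addrs in brute_force("demo.com", DEMO_WORDS, resolve, ignore_wildcard=True).items():
        print(host, sorted(addrs))
    # live run: brute_force("example.com", open("subdomains.txt"), system_resolver, ignore_wildcard=True)
```

For a live run the word list is a file handle or any iterable of labels, and system_resolver() goes through /etc/resolv.conf; to pin a trusted server as dnsrecon's -n does, swap in a resolver built on a DNS library instead of the OS stub.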
| idns - offensive mode | Method | Description |
|---|---|---|
| Websites | Spider default page | Fetch the default pages of discovered hosts and spider them for further domains. |
| Websites | Certificates | Read the TLS certificates of discovered hosts; the subject CN and subjectAltName entries often list additional hostnames. |
| recon-ng command | Description |
|---|---|
| use recon/domains-hosts/baidu_site | Search domains with Baidu. |
| use recon/domains-hosts/bing_domain_api | Search domains with the Bing API. |
| use recon/domains-hosts/bing_domain_web | Search domains from Bing web pages. |
| use recon/domains-hosts/brute_hosts | Brute-force subdomains. |
| use recon/domains-hosts/google_site_api | Search domains with the Google API. |
| use recon/domains-hosts/google_site_web | Search domains from Google web pages. |
| use recon/domains-hosts/netcraft | Search domains from Netcraft pages. |
| dnsrecon command | Description |
|---|---|
| dnsrecon -n 8.8.8.8 -d demo.com | Query a specific, trusted name server (-n) instead of the system resolver, to avoid forged answers from a polluted or hijacked resolver. |
| dnsrecon -d demo.com -t std | SOA, NS, A, AAAA, MX and SRV records, enumerated if AXFR against the NS servers fails. |
| dnsrecon -d demo.com -t rvl -r 192.0.2.0/24 | Reverse lookup (PTR) of a given CIDR or IP range; rvl takes the range from -r (CIDR or first-last), the range here is an example. |
| dnsrecon -d demo.com -t brt -D /path/to/subdomains.wd | Brute-force domains and hosts using the given dictionary; stops when a wildcard record is discovered. |
| dnsrecon -d demo.com -t brt -D /path/to/subdomains.wd --iw | Same, but continue brute-forcing the domain even if a wildcard record is discovered. |
| dnsrecon -d demo.com -t srv | Enumerate common SRV records. |
| dnsrecon -d demo.com -t axfr | Test all NS servers for a zone transfer. |
| dnsrecon -d demo.com -t goo | Perform a Google search for subdomains and hosts. |
| dnsrecon -d demo.com -t tld | Remove the TLD of the given domain and test the remainder against all TLDs registered with IANA. |
| dnsrecon -d demo.com -t zonewalk | Perform a DNSSEC zone walk using NSEC records (does not work against NSEC3-signed zones, whose owner names are hashed). |
| dnsrecon -d demo.com --db /path/to/results.sqlite | Save results in an SQLite file. |
| dnsrecon -d demo.com --xml /path/to/results.xml | Save results in an XML file. |
| dnsrecon -d demo.com -c /path/to/results.csv | Save results in a CSV file. |
| dnsrecon -d demo.com -j /path/to/results.json | Save results in a JSON file. |
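What dnsrecon's zonewalk does with the NSEC records described above, as an added example (not dnsrecon's code): each NSEC names the next owner in the zone's canonical order, so following the chain from the apex lists every name in an NSEC-signed zone, including names no link or search engine ever points at. The lookup is a callable so the walk runs offline against a constructed chain; dnspython_nsec_lookup() shows how to back it with dnspython (imported lazily, only needed for a live walk). demo.com and its names are made up.

```python
"""NSEC zone walk (added example, not dnsrecon's code).

Each NSEC record names the next owner in the zone's canonical order, so
following the chain from the apex enumerates a signed zone. The lookup is
a callable: dnspython_nsec_lookup() is a live backing (dnspython, imported
lazily), make_fake_nsec_lookup() serves a constructed chain offline.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple

NsecRecord = Tuple[str, Set[str]]            # (next owner name, RR types at this owner)
NsecLookup = Callable[[str], Optional[NsecRecord]]


def normalize(name: str) -> str:
    """Lower-case, absolute form so names compare equal however they were typed."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def dnspython_nsec_lookup(name: str) -> Optional[NsecRecord]:
    """Live NSEC query via dnspython; None when the name has no NSEC (unsigned or NSEC3)."""
    import dns.resolver  # deferred: only needed for a live walk
    try:
        answer = dns.resolver.resolve(name, "NSEC")
    except Exception:    # NXDOMAIN, NoAnswer, NoNameservers, timeout
        return None
    for rdata in answer:
        fields = rdata.to_text().split()     # "<next-name> TYPE TYPE ..."
        return normalize(fields[0]), set(fields[1:])
    return None


def make_fake_nsec_lookup(chain: Dict[str, NsecRecord]) -> NsecLookup:
    """Constructed NSEC chain for offline use."""
    return lambda name: chain.get(normalize(name))


def zone_walk(apex: str, lookup: NsecLookup, limit: int = 100000) -> Dict[str, Set[str]]:
    """Return {owner: rrtypes} for every name from the apex until the chain wraps.

    Stops early when a name has no NSEC (unsigned zone, NSEC3, or a broken
    chain) or when the chain loops without reaching the apex; limit bounds
    the walk against a pathological server.
    """
    apex = normalize(apex)
    names: Dict[str, Set[str]] = {}
    current = apex
    for _ in range(limit):
        rec = lookup(current)
        if rec is None:
            break
        next_name, types = rec
        names[current] = types
        if next_name == apex or next_name in names:
            break                            # wrapped around: zone fully enumerated
        current = next_name
    return names


def hosts_with_addresses(names: Dict[str, Set[str]]) -> List[str]:
    """Owner names carrying A or AAAA records, i.e. actual hosts worth probing next."""
    return [n for n, types in names.items() if types & {"A", "AAAA"}]


# Constructed chain in DNSSEC canonical order. 'secret-admin' is referenced nowhere,
# but the NSEC chain still has to name it, which is the whole point of the walk.
DEMO_CHAIN: Dict[str, NsecRecord] = {
    "demo.com.":              ("_sip._tcp.demo.com.",    {"A", "NS", "SOA", "MX", "RRSIG", "NSEC", "DNSKEY"}),
    "_sip._tcp.demo.com.":    ("mail.demo.com.",         {"SRV", "RRSIG", "NSEC"}),
    "mail.demo.com.":         ("secret-admin.demo.com.", {"A", "RRSIG", "NSEC"}),
    "secret-admin.demo.com.": ("www.demo.com.",          {"A", "RRSIG", "NSEC"}),
    "www.demo.com.":          ("demo.com.",              {"A", "AAAA", "RRSIG", "NSEC"}),
}

if __name__ == "__main__":
    for owner, types in zone_walk("demo.com", make_fake_nsec_lookup(DEMO_CHAIN)).items():
        print(f"{owner:28} {' '.join(sorted(types))}")
    # live: zone_walk("example.com", dnspython_nsec_lookup)
```

A zone signed with NSEC3 returns hashed owner names in the chain instead of clear-text ones, so the walk yields hashes that would have to be cracked against a wordlist; that is why dnsrecon's zonewalk only enumerates NSEC zones.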
| theHarvester command | Description |
|---|---|
| theharvester -d demo.com -b all | Search all supported sources: google, googleCSE, bing, bingapi, pgp, linkedin, google-profiles, jigsaw, twitter, googleplus. |
| theharvester -d demo.com -n | Perform a DNS reverse query on all ranges discovered. |
| theharvester -d demo.com -c | Perform a DNS brute force for the domain name. |
| theharvester -d demo.com -t | Perform a DNS TLD expansion discovery. |
| theharvester -d demo.com -e 8.8.8.8 | Specify the DNS server to use. |
| theharvester -d demo.com -h | Use the Shodan database to query discovered hosts. |
| Metasploit command | Description |
|---|---|
| msf > use auxiliary/gather/enum_dns | Gather DNS record information (A, AAAA, CNAME, zone transfer, SRV, TLD, reverse lookup, ...). |

Links

  1. https://en.wikipedia.org/wiki/List_of_DNS_record_types