DNS enumeration is the process of locating all the DNS servers of an organization and their corresponding records. A company may have both internal and external DNS servers, and these can yield information such as usernames, computer names, and IP addresses of potential target systems. Many tools can be used to gather information for DNS enumeration; examples are nslookup, DNSstuff, the American Registry for Internet Numbers (ARIN), and Whois. To enumerate DNS, you must understand DNS and how it works.
You must also know the DNS record types. DNS implements a distributed, hierarchical, and redundant database for information associated with Internet domain names and addresses; the resource records (database records) stored in the zone files of each domain server come in different types for different purposes. The following list describes the common DNS record types and their use:
DNS record types

A (address record): Returns a 32-bit IPv4 address; most commonly used to map hostnames to an IP address of the host, but also used for DNSBLs, storing subnet masks in RFC 1101, etc.
CNAME (canonical name record): Alias of one name to another; the DNS lookup continues by retrying the lookup with the new name.
AAAA (IPv6 address record): Returns a 128-bit IPv6 address; most commonly used to map hostnames to an IP address of the host.
MX (mail exchange record): Maps a domain name to a list of message transfer agents for that domain.
NS (name server record): Delegates a DNS zone to the given authoritative name servers.
SOA (start of authority record): Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone.
SPF (Sender Policy Framework record): A simple email-validation system designed to detect email spoofing by giving receiving mail exchangers a way to check that incoming mail from a domain comes from a host authorized by that domain's administrators.
TXT (text record): Originally for arbitrary human-readable text in a DNS record.
PTR (pointer record): Pointer to a canonical name. Unlike a CNAME, DNS processing stops and just the name is returned. The most common use is implementing reverse DNS lookups, but other uses include DNS-SD.
SRV (service locator record): Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX.
NSEC (next secure record): Part of DNSSEC; used to prove a name does not exist. Uses the same format as the (obsolete) NXT record.
AXFR (authoritative zone transfer): Transfers the entire zone file from the master name server to secondary name servers. DNS zone transfer is typically used to replicate DNS data across a number of DNS servers, or to back up DNS files. A user or server performs a specific zone transfer request against a name server. If the name server allows zone transfers, all the DNS names and IP addresses hosted by that name server are returned in human-readable ASCII text.
IXFR (incremental zone transfer): Transfers the zone file from the master name server to secondary name servers.
Check whether the name server enables wildcard queries, or whether DNS answers are faked.
Brute-force subdomains with wordlists.
Reverse IP lookup for a domain.
Brute-force SRV records.
Brute-force gTLD records.
Brute-force TLD records.
Spider domains from Google pages with domain:demo.com
Spider domains from Bing pages with domain:demo.com
Spider domains from Yahoo with domain:demo.com
Spider domains from Baidu with domain:demo.com
Spider domains from Netcraft searchdns pages.
Spider domains from GitHub pages.
Search domains from Shodan.
Search domains from Censys.
Search domains from ZoomEye.
Spider the default page.
Scan default pages and spider domains.
Scan domain certificates.
Search domains with Baidu.
Search domains with the Bing API.
Search domains from Bing web pages.
Search domains with the Google API.
Search domains from Google web pages.
Search domains from Netcraft pages.
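The wildcard check and the wordlist brute force listed above, as an added Python example that is not from the original page or from any of the tools it names. The resolver is pluggable: system_resolver is a hypothetical stdlib-based default that needs network access, while fake_resolver serves a constructed demo.com zone that has a wildcard, so the example runs offline and shows why wildcard answers must be filtered out of brute-force results.

```python
import random
import socket
import string
from typing import Callable, Dict, Iterable, Set
# A resolver maps a hostname to its set of IPv4 addresses (empty when the name does not resolve).
Resolver = Callable[[str], Set[str]]

def system_resolver(name: str) -> Set[str]:
    """Hypothetical default: ask the system stub resolver for A records (needs network)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def random_label(length: int = 12) -> str:
    """A label that will not exist in any real zone, used to probe for wildcards."""
    return "".join(random.choice(string.ascii_lowercase + string.digits) for _ in range(length))

def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Return the addresses a wildcard record answers with, or an empty set if there is none.
    Several random labels are queried and only addresses present in every answer count."""
    answers = [resolve(f"{random_label()}.{domain}") for _ in range(probes)]
    if not all(answers):          # any NXDOMAIN answer means there is no wildcard
        return set()
    return set.intersection(*answers)

def brute_force(domain: str, wordlist: Iterable[str], resolve: Resolver) -> Dict[str, Set[str]]:
    """Resolve each candidate subdomain, dropping hits that are only the wildcard answering."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found: Dict[str, Set[str]] = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        ips = resolve(name)
        if ips and not (wildcard_ips and ips <= wildcard_ips):
            found[name] = ips
    return found

# Constructed zone for demo.com with a wildcard, so the example runs offline.
FAKE_ZONE = {"www.demo.com": {"192.0.2.10"}, "mail.demo.com": {"192.0.2.20"}, "dev.demo.com": {"192.0.2.30"}}
FAKE_WILDCARD = {"192.0.2.99"}

def fake_resolver(name: str) -> Set[str]:
    if name in FAKE_ZONE:
        return set(FAKE_ZONE[name])
    return set(FAKE_WILDCARD) if name.endswith(".demo.com") else set()

if __name__ == "__main__":
    print("wildcard:", detect_wildcard("demo.com", fake_resolver))
    print("hosts:", brute_force("demo.com", ["www", "mail", "ftp", "dev"], fake_resolver))
```

A real host that happens to share the wildcard address is filtered too; that is the usual trade-off, and such hosts have to be confirmed by other record types or by the other sources listed above.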
dnsrecon -n 188.8.131.52 -d demo.com
Please use a valid DNS server in order to avoid faked DNS answers.
dnsrecon -d demo.com -t std
The std scan type enumerates SOA, NS, A, AAAA, MX and SRV records if AXFR against the NS servers fails.