Documentation Index
Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
Use this file to discover all available pages before exploring further.
Basic Lookups
dig TARGET
dig TARGET A # IPv4
dig TARGET AAAA # IPv6
dig TARGET MX # Mail servers
dig TARGET NS # Name servers
dig TARGET TXT # TXT records
dig TARGET ANY # All records
Specify DNS Server
dig @DNS_SERVER TARGET
nslookup TARGET DNS_SERVER
host TARGET DNS_SERVER
Zone Transfer (AXFR)
dig axfr TARGET @DNS_SERVER
dig axfr @DNS_SERVER TARGET
host -l TARGET DNS_SERVER
Find NS First
dig NS TARGET
dig axfr TARGET @ns1.TARGET
Reverse Lookup
dig -x 10.10.10.10
nslookup 10.10.10.10
Reverse Brute-Force
for ip in $(seq 1 254); do dig -x 10.10.10.$ip @DNS_SERVER +short; done
dnsrecon -r 10.10.10.0/24 -n DNS_SERVER
Subdomain Brute-Force
dnsenum
dnsenum TARGET
dnsenum --dnsserver DNS_SERVER --enum -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt TARGET
dnsrecon
dnsrecon -d TARGET -t brt -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
dnsrecon -d TARGET -t std # Standard enum
dnsrecon -d TARGET -t axfr # Zone transfer
fierce
fierce --domain TARGET
fierce --domain TARGET --dns-servers DNS_SERVER
fierce --domain TARGET --subdomain-file wordlist.txt
gobuster
gobuster dns -d TARGET -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50
wfuzz
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://TARGET" -H "Host: FUZZ.TARGET" --hc 404
DNS Record Types
| Record | Description |
|---|
| A | IPv4 address |
| AAAA | IPv6 address |
| CNAME | Alias |
| MX | Mail server |
| NS | Name server |
| TXT | Text (SPF, DKIM, etc.) |
| SOA | Start of Authority |
| PTR | Reverse lookup |
| SRV | Service location |
SRV Record Enum
dig SRV _sip._tcp.TARGET
dig SRV _ldap._tcp.TARGET
dig SRV _kerberos._tcp.TARGET
dig SRV _gc._tcp.TARGET
/etc/hosts & resolv.conf
# Add custom DNS
echo "10.10.10.10 target.htb" >> /etc/hosts
# Point to target DNS
echo "nameserver 10.10.10.10" > /etc/resolv.conf
Quick Reference
| Task | Command |
|---|
| Zone transfer | dig axfr TARGET @DNS_SERVER |
| Subdomain brute | gobuster dns -d TARGET -w wordlist.txt |
| All records | dig TARGET ANY |
| Reverse | dnsrecon -r 10.10.10.0/24 -n DNS_SERVER |
| SRV records | dig SRV _ldap._tcp.TARGET |