> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# DNS Enumeration

> DNS enumeration techniques: zone transfers, subdomain brute-force, reverse lookups with dig, dnsenum, dnsrecon, and fierce.

## Basic Lookups

```bash theme={"dark"}
dig TARGET
dig TARGET A                         # IPv4
dig TARGET AAAA                      # IPv6
dig TARGET MX                        # Mail servers
dig TARGET NS                        # Name servers
dig TARGET TXT                       # TXT records
dig TARGET ANY                       # All records
```

### Specify DNS Server

```bash theme={"dark"}
dig @DNS_SERVER TARGET
nslookup TARGET DNS_SERVER
host TARGET DNS_SERVER
```

***

## Zone Transfer (AXFR)

```bash theme={"dark"}
dig axfr TARGET @DNS_SERVER
dig axfr @DNS_SERVER TARGET
host -l TARGET DNS_SERVER
```

### Find NS First

```bash theme={"dark"}
dig NS TARGET
dig axfr TARGET @ns1.TARGET
```

***

## Reverse Lookup

```bash theme={"dark"}
dig -x 10.10.10.10
nslookup 10.10.10.10
```

### Reverse Brute-Force

```bash theme={"dark"}
for ip in $(seq 1 254); do dig -x 10.10.10.$ip @DNS_SERVER +short; done
dnsrecon -r 10.10.10.0/24 -n DNS_SERVER
```

***

## Subdomain Brute-Force

### dnsenum

```bash theme={"dark"}
dnsenum TARGET
dnsenum --dnsserver DNS_SERVER --enum -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt TARGET
```

### dnsrecon

```bash theme={"dark"}
dnsrecon -d TARGET -t brt -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
dnsrecon -d TARGET -t std                # Standard enum
dnsrecon -d TARGET -t axfr               # Zone transfer
```

### fierce

```bash theme={"dark"}
fierce --domain TARGET
fierce --domain TARGET --dns-servers DNS_SERVER
fierce --domain TARGET --subdomain-file wordlist.txt
```

### gobuster

```bash theme={"dark"}
gobuster dns -d TARGET -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50
```

### wfuzz

```bash theme={"dark"}
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://TARGET" -H "Host: FUZZ.TARGET" --hc 404
```

***

## DNS Record Types

| Record | Description            |
| ------ | ---------------------- |
| A      | IPv4 address           |
| AAAA   | IPv6 address           |
| CNAME  | Alias                  |
| MX     | Mail server            |
| NS     | Name server            |
| TXT    | Text (SPF, DKIM, etc.) |
| SOA    | Start of Authority     |
| PTR    | Reverse lookup         |
| SRV    | Service location       |

***

## SRV Record Enum

```bash theme={"dark"}
dig SRV _sip._tcp.TARGET
dig SRV _ldap._tcp.TARGET
dig SRV _kerberos._tcp.TARGET
dig SRV _gc._tcp.TARGET
```

***

## /etc/hosts & resolv.conf

```bash theme={"dark"}
# Add custom DNS
echo "10.10.10.10 target.htb" >> /etc/hosts

# Point to target DNS
echo "nameserver 10.10.10.10" > /etc/resolv.conf
```

***

## Quick Reference

| Task            | Command                                   |
| --------------- | ----------------------------------------- |
| Zone transfer   | `dig axfr TARGET @DNS_SERVER`             |
| Subdomain brute | `gobuster dns -d TARGET -w wordlist.txt`  |
| All records     | `dig TARGET ANY`                          |
| Reverse         | `dnsrecon -r 10.10.10.0/24 -n DNS_SERVER` |
| SRV records     | `dig SRV _ldap._tcp.TARGET`               |
