Service Detection

nmap -sV -sC -p 53 TARGET
nmap -sU -p 53 TARGET

Zone Transfer (AXFR)

A zone transfer returns a full dump of all DNS records in the zone. Servers are often misconfigured to allow it.
dig axfr @TARGET domain.com
host -t axfr domain.com TARGET
nmap -p 53 --script dns-zone-transfer --script-args dns-zone-transfer.domain=domain.com TARGET

Enumeration

A Record

dig @TARGET domain.com A
host domain.com TARGET

MX Record

dig @TARGET domain.com MX

NS Record

dig @TARGET domain.com NS

TXT Record (SPF, DKIM)

dig @TARGET domain.com TXT

Any Record

dig @TARGET domain.com ANY

Reverse Lookup

dig @TARGET -x 10.10.10.5

Reverse Lookup Sweep

for i in $(seq 1 254); do dig @TARGET -x 10.10.10.$i +short; done

Subdomain Brute-Force

dig

while read -r sub; do dig @TARGET "$sub.domain.com" +short; done < subdomains.txt

dnsenum

dnsenum --dnsserver TARGET domain.com

dnsrecon

dnsrecon -d domain.com -n TARGET -t brt -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

gobuster

gobuster dns -d domain.com -r TARGET:53 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

DNS Cache Snooping

Check whether a domain was recently resolved by the server (reveals internal browsing):
dig @TARGET google.com +norecurse
A non-zero answer count means the domain was in the cache.
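
On the defending side, the zone transfer, reverse lookup sweep and cache snooping queries above each leave a recognizable trace in the server's query log. The following is an added example, not part of the original page: it assumes BIND 9 querylog-style lines, and the sample lines, the `analyze` function, its `internal_zone` parameter and the sweep threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: BIND 9 "queries" log lines. The flags field starts with '+'
# when the RD (recursion desired) bit was set and '-' when it was clear.
LINE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)
XFR = ("AXFR", "IXFR")
PTR_SWEEP_MIN = 5  # hypothetical threshold: distinct PTR names per client

# Constructed sample input (not from a real server).
SAMPLE = [
    "client @0x7f1 10.10.10.50#40112 (domain.com): query: domain.com IN AXFR -T (10.10.10.5)",
    "client @0x7f2 10.10.10.50#40113 (google.com): query: google.com IN A - (10.10.10.5)",
    "client @0x7f3 10.10.10.77#51000 (www.domain.com): query: www.domain.com IN A +E(0) (10.10.10.5)",
] + [
    f"client @0x7f4 10.10.10.60#4{i:04d} ({i}.10.10.10.in-addr.arpa): "
    f"query: {i}.10.10.10.in-addr.arpa IN PTR +E(0) (10.10.10.5)"
    for i in range(1, 9)
]


def analyze(lines, internal_zone="domain.com"):
    """Return {client_ip: sorted findings} for the query patterns above."""
    findings, ptr_names = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a query log line
        ip, qtype, flags = m["ip"], m["qtype"], m["flags"]
        name = m["name"].lower().rstrip(".")
        in_zone = name == internal_zone or name.endswith("." + internal_zone)
        if qtype in XFR:
            findings[ip].add(f"zone transfer request for {name}")
        elif qtype == "PTR" and name.endswith(".in-addr.arpa"):
            ptr_names[ip].add(name)
        elif flags.startswith("-") and not in_zone:
            # RD clear for a name outside our zone: cache-snooping pattern
            findings[ip].add(f"non-recursive query for external name {name}")
    for ip, names in ptr_names.items():
        if len(names) >= PTR_SWEEP_MIN:
            findings[ip].add(f"reverse lookup sweep ({len(names)} distinct PTR names)")
    return {ip: sorted(f) for ip, f in findings.items()}


if __name__ == "__main__":
    for client, items in analyze(SAMPLE).items():
        print(client, items)
```

Non-recursive queries also arrive legitimately from other resolvers and monitoring tools, so treat that finding as a lead to correlate by client rather than an alert on its own.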

Useful Records to Check

dig @TARGET _gc._tcp.domain.com SRV         # Global catalog
dig @TARGET _ldap._tcp.domain.com SRV       # LDAP
dig @TARGET _kerberos._tcp.domain.com SRV   # Kerberos
dig @TARGET _kpasswd._tcp.domain.com SRV    # Kerberos password

Quick Reference

| Check | Command |
| --- | --- |
| Zone transfer | dig axfr @TARGET domain.com |
| All records | dig @TARGET domain.com ANY |
| Subdomain brute | gobuster dns -d domain.com -r TARGET:53 -w list.txt |
| Reverse lookup | dig @TARGET -x IP |
| Enum | dnsenum --dnsserver TARGET domain.com |