DNS
Enumeration
A # Returns an IPv4 address of the requested domain as a result.
AAAA # Returns an IPv6 address of the requested domain.
MX # Returns the responsible mail servers as a result.
NS # Returns the DNS servers (nameservers) of the domain.
TXT # Free-form text record. Commonly used to prove domain ownership (e.g., for Google Search Console or for certificate issuance via ACME DNS-01 challenges) and to publish SPF and DMARC policies, which tell receiving mail servers which hosts may send mail for the domain and what to do with mail that fails the check.
CNAME # Alias record: maps one name to another (canonical) name. If www.hackthebox.eu should resolve to the same IP as hackthebox.eu, create an A record for one and a CNAME pointing at it for the other.
PTR # The PTR record works the other way around (reverse lookup). It converts IP addresses into valid domain names.
SOA # Provides information about the corresponding DNS zone (serial and refresh/retry/expire timers) and the email address of the administrative contact.

Local DNS configuration (BIND).
/etc/bind/named.conf.local
/etc/bind/named.conf.log
/etc/bind/named.conf.options

Zone files.
/etc/bind/db.qu35t.pw

Reverse name resolution zone files.
/etc/bind/db.10.10.10.10

NS query.
dig ns qu35t.pw @10.10.10.10

Version query (CHAOS class; only answered if the server exposes version.bind).
dig CH TXT version.bind @10.10.10.10

ANY query (many servers now return a deliberately minimal answer, RFC 8482).
dig any qu35t.pw @10.10.10.10

Zone transfer (only succeeds if the server allows AXFR from your address; a successful transfer dumps the whole zone).
dig axfr qu35t.pw @10.10.10.10

Querying PTR records for an IP address.
dig -x 10.10.10.10 @1.1.1.1

Querying A records for a subdomain.
nslookup -query=A qu35t.pw

Querying PTR records for an IP address.
nslookup -query=PTR 10.10.10.10

Subdomain brute force with dig (keeps only answer lines containing the tried label; check for a wildcard record first or every word will "resolve").
for sub in $(cat subdomains-top1million-110000.txt); do dig $sub.qu35t.pw @10.10.10.10 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt; done

Subdomain brute force with dnsenum (-p 0 -s 0 disables the Google scraping, -o writes XML output).
dnsenum --dnsserver 10.10.10.10 --enum -p 0 -s 0 -o subdomains.txt -f subdomains-top1million-110000.txt qu35t.pw
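An added example, not part of this cheat sheet and not code from dig or dnsenum, that ties the zone-transfer and brute-force steps together in Python: it parses dig's answer lines into records, builds a host inventory from AXFR output, and runs a wordlist brute force that first probes a random label so wildcard answers are not reported as hits. It assumes the zone qu35t.pw and server 10.10.10.10 from the notes; the AXFR text and the fake resolver below are constructed samples, and `run_dig` is the only function that touches the network.

```python
"""dig-based DNS enumeration helpers (added example; assumes zone qu35t.pw on 10.10.10.10)."""
import random
import string
import subprocess
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")

# Constructed sample of what `dig axfr qu35t.pw @10.10.10.10` prints when the server
# allows zone transfers. Not real output from any host.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr qu35t.pw @10.10.10.10
;; global options: +cmd
qu35t.pw.\t604800\tIN\tSOA\tns1.qu35t.pw. admin.qu35t.pw. 2 604800 86400 2419200 604800
qu35t.pw.\t604800\tIN\tNS\tns1.qu35t.pw.
qu35t.pw.\t604800\tIN\tMX\t10 mail.qu35t.pw.
ns1.qu35t.pw.\t604800\tIN\tA\t10.10.10.10
mail.qu35t.pw.\t604800\tIN\tA\t10.10.10.11
www.qu35t.pw.\t604800\tIN\tCNAME\tqu35t.pw.
dev.qu35t.pw.\t604800\tIN\tA\t10.10.10.12
_acme-challenge.qu35t.pw.\t300\tIN\tTXT\t"tokenvalue"
qu35t.pw.\t604800\tIN\tSOA\tns1.qu35t.pw. admin.qu35t.pw. 2 604800 86400 2419200 604800
;; Query time: 1 msec
"""


def parse_dig(output):
    """Parse dig answer lines ('name ttl class type rdata') into Records; skip comments and blanks."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)  # rdata may itself contain spaces (SOA, MX, TXT)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, ttl, _cls, rtype, rdata = parts
        records.append(Record(name.rstrip("."), int(ttl), rtype, rdata))
    return records


def hosts_from_axfr(output):
    """Return {hostname: [rdata, ...]} for every A/AAAA/CNAME record in a zone transfer dump."""
    hosts = {}
    for r in parse_dig(output):
        if r.rtype in ("A", "AAAA", "CNAME"):
            hosts.setdefault(r.name, []).append(r.rdata)
    return hosts


def run_dig(name, server, rtype="A"):
    """Query the real dig binary for one name and return the parsed answer section (needs network)."""
    out = subprocess.run(["dig", "+noall", "+answer", rtype, name, "@" + server],
                         capture_output=True, text=True, check=False).stdout
    return parse_dig(out)


def wildcard_rdata(domain, query):
    """Resolve a random label under the zone; any answer means a wildcard exists, return its rdata set."""
    label = "".join(random.choices(string.ascii_lowercase, k=16))
    return {r.rdata for r in query(label + "." + domain)}


def brute_force(domain, words, query):
    """Try each word as a label; return {fqdn: [rdata]} excluding answers that only match the wildcard."""
    wild = wildcard_rdata(domain, query)
    found = {}
    for w in words:
        fqdn = "%s.%s" % (w.strip(), domain)
        answers = [r.rdata for r in query(fqdn) if r.rdata not in wild]  # drop wildcard noise
        if answers:
            found[fqdn] = answers
    return found


# Constructed fake resolver standing in for run_dig so the brute force can be tried offline:
# the zone has a wildcard (*.qu35t.pw -> 10.10.10.99) plus two real hosts.
FAKE_ZONE = {"www.qu35t.pw": ["10.10.10.10"], "dev.qu35t.pw": ["10.10.10.12"]}


def fake_query(fqdn):
    rdatas = FAKE_ZONE.get(fqdn, ["10.10.10.99"])  # anything else hits the wildcard
    return [Record(fqdn, 300, "A", rd) for rd in rdatas]


if __name__ == "__main__":
    print(hosts_from_axfr(SAMPLE_AXFR))
    print(brute_force("qu35t.pw", ["www", "dev", "mail", "ftp"], fake_query))
    # Against a live server, with the wordlist from the notes:
    # brute_force("qu35t.pw", open("subdomains-top1million-110000.txt"),
    #             lambda n: run_dig(n, "10.10.10.10"))
```

The wildcard filter compares rdata only, so a real host that shares the wildcard's address is dropped; when that matters, also query another record type (AAAA, TXT, MX) or compare full answer sets rather than single values.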