DNS
Enumeration
A # Returns an IPv4 address of the requested domain as a result.
AAAA # Returns an IPv6 address of the requested domain.
MX # Returns the responsible mail servers as a result.
NS # Returns the DNS servers (nameservers) of the domain.
TXT # This record can hold arbitrary text, which makes it an all-rounder: it is used, e.g., to prove domain ownership for the Google Search Console or to validate SSL certificates. In addition, SPF and DMARC entries are published in TXT records to validate mail traffic and protect it from spam.
CNAME # This record serves as an alias. If the domain www.hackthebox.eu should point to the same IP as another name, we create an A record for one and a CNAME record for the other.
PTR # The PTR record works the other way around (reverse lookup). It maps IP addresses back to domain names.
SOA # Provides information about the corresponding DNS zone and email address of the administrative contact.
Local DNS configuration.
/etc/bind/named.conf.local
/etc/bind/named.conf.log
/etc/bind/named.conf.options
Zone files.
/etc/bind/db.qu35t.pw
Reverse name resolution zone files.
/etc/bind/db.10.10.10.10
NS query.
dig ns qu35t.pw @10.10.10.10
Version query (CHAOS-class TXT record version.bind; the server must be given with @).
dig CH TXT version.bind @10.10.10.10
ANY query.
dig any qu35t.pw @10.10.10.10
Zone transfer.
dig axfr qu35t.pw @10.10.10.10
Querying PTR records for an IP address.
dig -x 10.10.10.10 @1.1.1.1
Querying A records for a subdomain.
nslookup -query=A qu35t.pw
Querying PTR records for an IP address.
nslookup -query=PTR 10.10.10.10
Subdomain brute force with dig and a wordlist (variables quoted, wordlist read line by line).
while read -r sub; do dig "$sub.qu35t.pw" @10.10.10.10 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep "$sub" | tee -a subdomains.txt; done < subdomains-top1million-110000.txt
Subdomain brute force with dnsenum.
dnsenum --dnsserver 10.10.10.10 --enum -p 0 -s 0 -o subdomains.txt -f subdomains-top1million-110000.txt qu35t.pw
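The queries listed above (version.bind, ANY, AXFR, and wordlist-driven subdomain lookups) all leave a characteristic trail in the BIND query log configured through named.conf.log. The following is an added example, not part of the original notes or of BIND itself: it parses constructed BIND 9 querylog lines (placeholder client addresses, the zone name qu35t.pw from the notes) and flags per client which of those enumeration techniques it shows; the sweep threshold is an assumed value.

```python
import re
from collections import defaultdict

# Constructed BIND 9 querylog lines (not from any real server); the
# client addresses and zone name are placeholders.
SAMPLE_LOG = """\
client @0x7f2a1c0b0a10 10.10.14.5#51234 (qu35t.pw): query: qu35t.pw IN NS +E(0)K (10.10.10.10)
client @0x7f2a1c0b0a10 10.10.14.5#51235 (version.bind): query: version.bind CH TXT + (10.10.10.10)
client @0x7f2a1c0b0a10 10.10.14.5#51236 (qu35t.pw): query: qu35t.pw IN ANY +E(0)K (10.10.10.10)
client @0x7f2a1c0b0a10 10.10.14.5#51237 (qu35t.pw): query: qu35t.pw IN AXFR +E(0) (10.10.10.10)
client @0x7f2a1c0b0a10 10.10.14.5#51238 (www.qu35t.pw): query: www.qu35t.pw IN A +E(0)K (10.10.10.10)
client @0x7f2a1c0b0a10 10.10.14.5#51239 (mail.qu35t.pw): query: mail.qu35t.pw IN A +E(0)K (10.10.10.10)
client @0x7f2a1c0b0a10 10.10.14.5#51240 (dev.qu35t.pw): query: dev.qu35t.pw IN A +E(0)K (10.10.10.10)
client @0x7f2a1c0b0a10 10.10.14.5#51241 (vpn.qu35t.pw): query: vpn.qu35t.pw IN A +E(0)K (10.10.10.10)
client @0x7f2a1c0b0a10 10.10.10.20#40001 (www.qu35t.pw): query: www.qu35t.pw IN A +E(0)K (10.10.10.10)
"""

# Matches both the older "client IP#port:" and the newer "client @0x... IP#port (name):" forms.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>\d+(?:\.\d+){3})#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def parse_querylog(text):
    """Yield (client_ip, qname, qclass, qtype) for every line that parses."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["ip"], m["qname"].lower().rstrip("."), m["qclass"], m["qtype"]

def find_recon(text, zone, sweep_threshold=4):
    """Return {client_ip: sorted findings}. Flags AXFR and ANY queries,
    CH TXT version.bind probes, and clients that resolve many distinct
    names under the zone (a wordlist-style subdomain sweep)."""
    findings = defaultdict(set)
    names_seen = defaultdict(set)
    zone = zone.lower().rstrip(".")
    for ip, qname, qclass, qtype in parse_querylog(text):
        if qtype == "AXFR":
            findings[ip].add("zone transfer attempt")
        elif qtype == "ANY":
            findings[ip].add("ANY query")
        if qclass == "CH" and qname == "version.bind":
            findings[ip].add("version.bind probe")
        if qname.endswith("." + zone):
            names_seen[ip].add(qname)
    for ip, names in names_seen.items():
        if len(names) >= sweep_threshold:  # assumed threshold, tune per zone size
            findings[ip].add(f"subdomain sweep ({len(names)} names)")
    return {ip: sorted(f) for ip, f in findings.items()}
```

Running find_recon(SAMPLE_LOG, "qu35t.pw") reports only 10.10.14.5; the single lookup from 10.10.10.20 stays below the sweep threshold and produces no finding.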