Port 53 DNS


DNS Enumeration


Find the name servers of a domain

dig ns zonetransfer.me

Now try the zone transfer for the domain from its primary and secondary name servers

dig axfr zonetransfer.me @nsztm2.digi.ninja
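
When auditing your own zones, what matters in the `dig axfr` output is whether the server handed over the zone or refused. The shell function below is an added example, not part of the original page; it classifies dig output read on stdin, and the function names, the `example.test` hosts and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify `dig axfr` output read on stdin (audit of your own name servers):
#   open       - records returned, bracketed by the zone's SOA (full transfer)
#   incomplete - records returned, but not bracketed by SOA
#   refused    - "; Transfer failed." reported, or no records at all
axfr_status() {
    awk '
        /^; Transfer failed/ { failed = 1 }
        /^;/ || NF == 0      { next }       # skip dig comments and blank lines
        {
            n++
            type = ""
            # the record type is the field that follows the class "IN"
            for (i = 1; i < NF; i++) if ($i == "IN") { type = $(i + 1); break }
            if (n == 1) first = type
            last = type
        }
        END {
            if (failed || n == 0) print "refused"
            else if (n >= 2 && first == "SOA" && last == "SOA") print "open"
            else print "incomplete"
        }'
}

# Constructed sample outputs, not captured from a real server.
sample_open() {
cat <<'EOF'
; <<>> DiG <<>> axfr example.test @ns1.example.test
example.test.           7200 IN SOA ns1.example.test. admin.example.test. 1 3600 900 604800 300
example.test.           7200 IN NS  ns1.example.test.
intranet.example.test.  300  IN A   192.0.2.10
example.test.           7200 IN SOA ns1.example.test. admin.example.test. 1 3600 900 604800 300
;; XFR size: 4 records (messages 1, bytes 210)
EOF
}

sample_refused() {
cat <<'EOF'
; <<>> DiG <<>> axfr example.test @ns2.example.test
; Transfer failed.
EOF
}

for s in sample_open sample_refused; do
    printf '%s -> %s\n' "$s" "$($s | axfr_status)"
done
```

A server that reports `open` here is answering transfers from the querying address and should have its transfer ACL restricted to its secondaries.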


Host provides a simple way to perform DNS lookups and retrieve DNS records.

host zonetransfer.me

Zone transfer

host -t ns zonetransfer.me
host -l zonetransfer.me nsztm2.digi.ninja


On Windows, start nslookup in interactive mode

set querytype=ns
server nsztm2.digi.ninja

Now execute the zone transfer

ls -d zonetransfer.me

Zone enumeration using a DNSSEC zone walk

./dnsrecon.py -d zonetransfer.me -z

-d target domain

-z DNSSEC Zone walk

Zone transfer

dnsrecon -d zonetransfer.me -t axfr

Other tools

DNSenum (automated tool very good)

dnsenum zonetransfer.me

Fierce (supports bruteforcing)

fierce --domain zonetransfer.me
fierce --domain zonetransfer.me --subdomain-file /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt
dnsmap zonetransfer.me -w /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt

DNS Enumeration using nmap

nmap --script=broadcast-dns-service-discovery zonetransfer.me

DNS brute forcing

nmap -T5 -p 53 --script dns-brute zonetransfer.me

Common service records

nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='zonetransfer.me'"
