DNS Enumeration Tutorial — Dig, Nslookup & Host
“What you lack in talent can be made up with desire, hustle and giving 110% all the time.” — Don Zimmer
The first step in pentesting is to find out the IP address of the target you want to penetrate. This is the recon phase, where the game starts.
That IP address will help you further to enumerate the network as well as the ports/services of the target.
From there on it is up to you how you want to conduct the pentest.
So, use your creativity!
Below you can read the notes I made while watching the DNS Enumeration Tutorial by HackerSploit:
Definition of DNS
A DNS server is a server that resolves hostnames or domains to IP addresses.
For example, if you search for google.com in your browser that query is sent to a DNS server. The DNS server then resolves google.com to its IP address. A request is then sent to that IP address and then the webpage is sent back to your browser.
DNS is responsible for management, maintenance and processing of internet domain names and the associated records.
DNS servers hand out the name server and mail server information for the domains they are responsible for.
What is DNS Enumeration?
It is also referred to as DNS interrogation. You are essentially querying the DNS server for various pieces of information, i.e. computer names, IP addresses, mail servers, associated mail servers, and various other DNS records.
For example, when you type in the terminal:
The host tool resolves the domain (instagram.com) to these IP addresses:
- IPv4 address
- IPv6 address
- Additionally, it gives us the mail server
You can also use host filters (flags) to specify the type of information you are looking for if you do not want to go through all the information that is displayed by default.
For example, if you are looking for the name servers of instagram.com you type:
From this information you can tell which name servers Instagram uses as its DNS providers.
You can also search specifically for the mail servers:
Host can also be used for reverse lookups.
$ host <IP address of the domain name, in this case one of the instagram.com addresses found in the previous host lookup above>
Nslookup is a very extensive tool.
For example, using nslookup for a simple domain lookup:
To search more extensively:
Dig is known as the DNS Swiss army knife.
For example, to use dig for a simple domain lookup:
To check for all the other options just type:
To look up IPv6 addresses:
To look up a CNAME:
To dig for the mail server:
For name server lookup:
You can also shorten your lookup:
You can also do scripting with dig:
$ for ip in $(dig linkedin.com +short); do nmap -sC -sV -Pn "$ip"; done
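The following shell script is an added example; it is not part of the HackerSploit tutorial or of these notes. It wraps the dig lookups covered above (A, AAAA, CNAME, MX and NS records with +short, plus -x reverse lookups) into reusable functions and adds a check a defender would want when auditing their own zone: how many of a domain's A records have forward-confirmed reverse DNS, i.e. a PTR record that points back into the domain. The function names and the domain argument are my own assumptions; the script needs dig on the PATH and network access to resolve the domain.

```shell
#!/bin/sh
# Added example (not from the tutorial): DNS record enumeration with dig,
# plus a forward-confirmed reverse DNS check on the domain's A records.
# Usage: sh dns_enum.sh <domain>

# Query one record type and print the answers, one per line.
# $1 = record type (A, AAAA, CNAME, MX, NS), $2 = domain
dns_query() {
    dig +short "$1" "$2"
}

# Reverse lookup of an IP address; prints the PTR name, or nothing if none.
reverse_lookup() {
    dig +short -x "$1"
}

# Count the A records of a domain whose PTR record points back to a name
# inside that domain (forward-confirmed reverse DNS). Mismatches here are
# worth investigating in an inventory: stale PTRs, shared hosting, or
# addresses that were never meant to be published.
fcrdns_count() {
    domain="$1"
    n=0
    for ip in $(dns_query A "$domain"); do
        ptr=$(reverse_lookup "$ip")
        case "$ptr" in
            "$domain". | *."$domain".) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Print every common record type for a domain, then the reverse lookup
# of each IPv4 address it resolves to.
enumerate() {
    domain="$1"
    for rtype in A AAAA CNAME MX NS; do
        echo "== $rtype records for $domain =="
        out=$(dns_query "$rtype" "$domain")
        printf '%s\n' "${out:-(none)}"
    done
    echo "== reverse lookups =="
    for ip in $(dns_query A "$domain"); do
        ptr=$(reverse_lookup "$ip")
        echo "$ip -> ${ptr:-(no PTR)}"
    done
    echo "A records with forward-confirmed reverse DNS: $(fcrdns_count "$domain")"
}

# Only run when a domain is given on the command line.
if [ $# -ge 1 ]; then
    enumerate "$1"
fi
```

Run it as `sh dns_enum.sh example.com`. The functions use `+short` so their output is one answer per line, which is what makes them safe to feed into further shell loops, as the one-liner above does.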