DNS Recon
| Tool | Feature | Use Cases |
|---|
| dig | versitile | Manual DNS recon |
| nslookup | simple | Basic DNS Queries |
| host | streamlined | Quick checks |
| dnsenum | automated | Discovering subdomains |
| fierce | recursive | User friendly interface. subdomains and potential targets |
| dnsrecon | multi-technique | Comprehensive DNS enumeration |
| theHarvester | OSINT tool grabs from various sorces | email addresses, employee info, other data tied to a domain |
Common Dig Commands
| Command | Description |
|---|
| dig domain.com | Default A record lookup |
| dig domain.com A | Gets IPv4 address |
| dig domain.com AAAA | Gets IPv6 address |
| dig domain.com MX | MX records |
| dig domain.com NS | Name servers for the domain |
| dig domain.com TXT | Any TXT records |
| dig somain.com CNAME | CNAME |
| dig domain.com SOA | SOA record |
| dig @1.1.1.1 domain.com | Specific name server to query |
| dig +trace domain.com | Shows full path of DNS resolution |
| dig +x 192.111.1.1 | Performs reverse lookup on the IP address to find associated host name. Might have to specify a name server |
| dig +short domain.com | provides a short and concise answer to query |
| dig +noall +answer domain.com | Displays only the answer section of the query output |
| dig domain.com ANY | Retrieves all available DNS records for the dns servers |
- Some servers can block DNS queries. Should get permission before performing extensive DNS recon
recon dns