Why DNS?
Every organization runs on domain names. Web servers, mail servers, VPNs, internal tools. They all have DNS records pointing to them.
DNS enumeration maps those records. It turns a single domain name into a list of hosts, IPs, and services.
DNS is often the first active step. It’s low-noise, rarely triggers alerts, and reveals the shape of the target’s infrastructure.
DNS Record Types
Before enumerating, know what you’re looking for:
| Record | Purpose | Example |
|---|---|---|
| A | Domain to IPv4 address | acmecorp.com → 192.168.1.10 |
| AAAA | Domain to IPv6 address | acmecorp.com → 2001:db8::1 |
| MX | Mail server | mail.acmecorp.com |
| NS | Name server (who handles DNS) | ns1.acmecorp.com |
| TXT | Arbitrary text (SPF, DKIM, etc.) | SPF records, verification tokens |
| CNAME | Alias to another domain | www → acmecorp.com |
| PTR | Reverse lookup (IP to domain) | 192.168.1.10 → acmecorp.com |
| SOA | Start of Authority (zone info) | Primary NS, admin email, serial |
Manual Lookups with host
The simplest tool. Query one record type at a time.
host acmecorp.comReturns the default A record. To get specific types:
host -t mx acmecorp.com
host -t ns acmecorp.com
host -t txt acmecorp.comForward Lookups
Resolve a hostname to an IP:
host www.acmecorp.comYou can script this to brute-force subdomains with a wordlist:
for name in $(cat wordlist.txt); do
host $name.acmecorp.com
doneIf the host resolves, that subdomain exists.
Reverse Lookups
Resolve an IP back to a hostname:
host 192.168.50.10Useful when you have an IP range. Sweep it for PTR records:
for ip in $(seq 1 254); do
host 192.168.50.$ip
doneThis often reveals hostnames that weren’t in the forward zone, like internal tools or forgotten services.
Zone Transfers
A zone transfer is a DNS mechanism for replicating records between name servers. If a server is misconfigured, it will hand you the entire zone file. Every record. Every subdomain. Everything.
host -l acmecorp.com ns1.acmecorp.comThe -l flag requests a zone transfer from the specified name server.
A successful zone transfer is a goldmine. You get the complete DNS map without any brute-forcing. Most modern servers block this, but misconfigured ones still exist.
DNSRecon
A purpose-built DNS enumeration tool. More thorough than manual lookups.
Standard enumeration:
dnsrecon -d acmecorp.com -t stdReturns A, AAAA, MX, NS, SOA, TXT records, and attempts a zone transfer.
Brute-force subdomains:
dnsrecon -d acmecorp.com -D wordlist.txt -t brt-Dspecifies the wordlist-t brtsets brute-force mode
DNSRecon is methodical. It tries each name in the wordlist and reports which ones resolve.
DNSEnum
Similar to DNSRecon, but also searches Google for additional subdomains and attempts zone transfers automatically.
dnsenum acmecorp.comIt performs:
- Host and name server lookups
- Zone transfer attempts against every NS record
- Google scraping for subdomains
- Brute-force with a built-in wordlist
Windows DNS Tools
On a Windows machine, nslookup is the built-in DNS tool.
Basic lookup:
nslookup acmecorp.comQuery specific record types:
nslookup -type=mx acmecorp.comInteractive mode lets you switch servers and query types without restarting:
nslookup
> server ns1.acmecorp.com
> set type=any
> acmecorp.comWhen you’re on a compromised Windows host with no tools,
nslookupis your DNS Swiss Army knife.
LLM-Assisted DNS Enumeration
Instead of using generic wordlists for subdomain brute-forcing, you can use an LLM to generate a tailored wordlist based on the target’s industry, structure, and naming conventions.
A well-crafted prompt might ask for:
- Infrastructure terms (api, dev, test, staging, vpn, cdn)
- Departmental terms (hr, sales, support, engineering)
- Regional terms (us, eu, asia, uk)
- Industry-specific terms relevant to the target’s business
Feed the result to Gobuster for fast DNS brute-forcing:
gobuster dns -d acmecorp.com -w wordlist.txt -t 10dnsselects DNS brute-force mode-dsets the target domain-wprovides the custom wordlist-t 10uses 10 threads for speed