Published on January 22, 2025
DNS translates domain names into IP addresses, making it a key part of internet infrastructure. By querying DNS records, we can uncover valuable host and service information about a target domain. Below we’ll cover essential record types, basic commands, and tools for DNS enumeration.
Each domain may have multiple record types. A (IPv4), AAAA (IPv6), MX (mail servers), NS (authoritative nameservers), and TXT (arbitrary text data) are among the most common. Knowing which types exist tells you what kind of information each query can be expected to return.
Here’s a quick reference table summarizing some important record types:
Record Type | Description | Example |
---|---|---|
A | Maps a hostname to an IPv4 address | example.com → 93.184.216.34 |
AAAA | Maps a hostname to an IPv6 address | example.com → 2606:2800:220:1:248:1893:25c8:1946 |
MX | Specifies mail server(s) for a domain | example.com → mail.example.com |
NS | Nameserver record showing authoritative DNS servers | example.com → ns1.example.com |
CNAME | Alias of one name to another | www.example.com → example.com |
PTR | Pointer record for reverse DNS lookups | 93.184.216.34 → example.com |
TXT | Arbitrary text; can contain info like SPF, ownership, etc. | example.com → "v=spf1 include:_spf.google.com ..." |
Use the `host` command to resolve a hostname:

```bash
host www.example.com
```
You can also query specific record types with `host -t <type> example.com`. For instance:

```bash
host -t mx example.com
host -t txt example.com
```
By checking a wordlist of potential subdomains (e.g. www, mail, ftp), you can quickly find valid hosts:

```bash
# list.txt holds one candidate label per line (www, mail, ftp, ...);
# NXDOMAIN answers are printed as "Host ... not found" and filtered out.
for host in $(cat list.txt); do
    host $host.example.com
done | grep -v "not found"
```
If you suspect a range of IPs belongs to the same organization, you can perform reverse lookups:

```bash
# Query the PTR record for each address in the last part of the /24
for ip in {200..254}; do
    host 192.168.50.$ip
done | grep -v "not found"
```
This finds valid hostnames mapped to each IP in a subnet.
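The two loops above are the same pattern with different inputs: run `host`, discard "not found" lines, keep the answers. The script below is an added example (not code from the original post) that makes that pattern reusable: it parses `host` output into (name, type, value) records, runs a forward wordlist sweep and a reverse sweep over a whole CIDR, and takes the lookup backend as a parameter so the same code can be run offline against a constructed zone. `parse_host_output`, `forward_sweep`, `reverse_sweep`, `run_host`, `FAKE_ZONE` and `fake_lookup` are names chosen for this example; the output phrasings matched are those of the BIND `host` utility, and the sample answers in `FAKE_ZONE` are constructed. Run against your own zones, a sweep like this is also a quick way to spot forgotten or stale hostnames.

```python
"""Parse `host` output and drive forward/reverse DNS sweeps (added example, not from the post)."""
import re
import subprocess
from ipaddress import ip_network
from typing import Callable, Iterable

# Output lines `host` prints for the record types listed in the post.
_PATTERNS = [
    (re.compile(r"^(\S+) has address (\S+)$"), "A"),
    (re.compile(r"^(\S+) has IPv6 address (\S+)$"), "AAAA"),
    (re.compile(r"^(\S+) mail is handled by (\d+) (\S+)$"), "MX"),
    (re.compile(r"^(\S+) name server (\S+)$"), "NS"),
    (re.compile(r"^(\S+) is an alias for (\S+)$"), "CNAME"),
    (re.compile(r"^(\S+) domain name pointer (\S+)$"), "PTR"),
    (re.compile(r'^(\S+) descriptive text "(.*)"$'), "TXT"),
]


def parse_host_output(text: str) -> list[tuple[str, str, str]]:
    """Turn `host` output into (name, type, value) triples.

    Lines such as 'Host x not found: 3(NXDOMAIN)' or 'x has no MX record'
    match nothing and are dropped, which is what grep -v "not found" relies on.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        for pattern, rtype in _PATTERNS:
            m = pattern.match(line)
            if m:
                groups = m.groups()
                # MX carries a preference before the exchange; keep both.
                value = " ".join(groups[1:]) if rtype == "MX" else groups[1]
                if rtype != "TXT":          # names end in a trailing dot; text does not
                    value = value.rstrip(".")
                records.append((groups[0].rstrip("."), rtype, value))
                break
    return records


def run_host(args: list[str]) -> str:
    """Default backend: invoke the real `host` binary (needs the BIND tools and network)."""
    proc = subprocess.run(["host", *args], capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


Lookup = Callable[[list[str]], str]


def forward_sweep(domain: str, words: Iterable[str], lookup: Lookup = run_host) -> dict[str, list[str]]:
    """Resolve word.domain for each wordlist entry; keep names with A/AAAA/CNAME answers."""
    found = {}
    for word in words:
        fqdn = f"{word.strip()}.{domain}"
        addrs = [v for _, t, v in parse_host_output(lookup([fqdn])) if t in ("A", "AAAA", "CNAME")]
        if addrs:
            found[fqdn] = addrs
    return found


def reverse_sweep(cidr: str, lookup: Lookup = run_host) -> dict[str, str]:
    """Reverse-resolve every host address in a network (the post's {200..254} loop is one slice of a /24)."""
    found = {}
    for addr in ip_network(cidr, strict=False).hosts():
        for _, t, v in parse_host_output(lookup([str(addr)])):
            if t == "PTR":
                found[str(addr)] = v
    return found


# Constructed answers standing in for a live resolver so the example runs offline.
FAKE_ZONE = {
    "www.example.com": "www.example.com has address 93.184.216.34\n",
    "mail.example.com": ("mail.example.com has address 93.184.216.40\n"
                         "mail.example.com has IPv6 address 2606:2800:220:1:248:1893:25c8:1946\n"),
    "ftp.example.com": "Host ftp.example.com not found: 3(NXDOMAIN)\n",
    "93.184.216.34": "34.216.184.93.in-addr.arpa domain name pointer www.example.com.\n",
}


def fake_lookup(args: list[str]) -> str:
    """Offline stand-in for run_host: answer from FAKE_ZONE, NXDOMAIN otherwise."""
    return FAKE_ZONE.get(args[-1], f"Host {args[-1]} not found: 3(NXDOMAIN)\n")


if __name__ == "__main__":
    print(forward_sweep("example.com", ["www", "mail", "ftp"], lookup=fake_lookup))
    print(reverse_sweep("93.184.216.32/29", lookup=fake_lookup))
```

Drop the `lookup=fake_lookup` argument to run the sweeps through the real `host` binary; the parser is unchanged either way, so anything you test against the constructed zone behaves the same on live answers.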
Tools like dnsrecon and dnsenum can simplify everything from standard queries to brute forcing:

```bash
# dnsrecon example
dnsrecon -d example.com -t std                 # Standard lookup
dnsrecon -d example.com -D list.txt -t brt     # Brute force using a wordlist
# dnsenum example
dnsenum example.com
```
On Windows, the `nslookup` command offers similar control:

```cmd
nslookup mail.example.com
nslookup -type=TXT info.example.com
```

Combine `nslookup` queries with batch or PowerShell scripts to automate enumeration on Windows.
DNS is a treasure trove of information, making DNS enumeration an essential step in discovery and penetration testing. It often sparks a cycle of follow-up checks—each new domain record can reveal further systems worth investigating.