This post intends to provide a list of helpful commands and tools that you can use when enumerating Port 53 on a machine. This list is far from exhaustive and will be updated as time progresses.

---

Enumerating Hostname of Server

Run the following commands to see if you can make the server leak its own hostname.

nslookup
server <targetIP>
127.0.0.1
127.0.0.2
<targetIP>

---

Using DNSRecon to enumerate hostnames within the subnet.

We can use dnsrecon to attempt a “brute-force” attack by querying IP addresses for associated reverse lookup records.

-n : Will be the nameserver to use.
-r : Will be the network “range” that you want to lookup records for.
--db : Will save the found records to a SQLite DB file.

dnsrecon -n <ipAddr> -r <subnet> --db target.db

If you are unsure of any information, or even what network(s) to perform the lookup for, you can create a bash script that contains multiple commands. For example, we could create enumdns.sh that contains the following:

dnsrecon -n 10.10.10.83 -r 10.0.0.0/8 --db target.db
dnsrecon -n 10.10.10.83 -r 172.16.0.0/12 --db target.db
dnsrecon -n 10.10.10.83 -r 192.168.0.0/16 --db target.db

Running this script will enumerate all possible internal IPs for associated hostname records.

---

Performing Zone Transfers.

Please see my guide on performing zone transfers.
Performing DNS Zone Transfers & Viewing the Results w/ Aquatone

---

Additional Enumeration Techniques

Update your /etc/resolv.conf file so that you use the target as a DNS server. See what hostnames you can enumerate.