This post intends to provide a list of helpful commands and tools that you can use when enumerating Port 53 on a machine. This list is far from exhaustive and will be updated as time progresses.
Enumerating Hostname of Server
Run the following commands to see if you can make the server leak its own hostname.
nslookup
server <targetIP>
127.0.0.1
127.0.0.2<targetIP>
Using DNSRecon to enumerate hostnames within the subnet.
We can use dnsrecon to attempt a “brute-force” attack by querying IP addresses for associated reverse lookup records.
-n
: Will be the nameserver to use. -r
: Will be the network “range” that you want to lookup records for.--db
: Will save the found records to a SQLite DB file.
dnsrecon -n <ipAddr> -r <subnet> --db target.db
If you are unsure of any information, or even what network(s) to perform the lookup for, you can create a bash script that contains multiple commands. For example, we could create enumdns.sh that contains the following:
dnsrecon -n 10.10.10.83 -r 10.0.0.0/8 --db target.db
dnsrecon -n 10.10.10.83 -r 172.16.0.0/12 --db target.db
dnsrecon -n 10.10.10.83 -r 192.168.0.0/16 --db target.db
Running this script will enumerate all possible internal IPs for associated hostname records.
Performing Zone Transfers.
Please see my guide on performing zone transfers.
Performing DNS Zone Transfers & Viewing the Results w/ Aquatone
Additional Enumeration Techniques
Update your /etc/resolv.conf file so that you use the target as a DNS server. See what hostnames you can enumerate.