performing-dns-enumeration-and-zone-transfer

# Performing DNS Enumeration and Zone Transfer ## When to Use - Mapping the external attack surface of a target organization during authorized penetration tests - Discovering hidden subdomains, internal hostnames, and IP addresses exposed via DNS records - Testing whether DNS servers allow unauthorized zone transfers that leak the entire zone file - Identifying mail servers, name servers, and service records for further targeted testing - Validating DNS security configurations including DNSSEC, SPF, DKIM, and DMARC **Do not use** against domains you do not have authorization to test, for DNS amplification or reflection attacks, or to overwhelm DNS servers with excessive query volumes. ## Prerequisites - Written authorization to perform DNS enumeration against the target domain - DNS enumeration tools installed: dig, nslookup, host, dnsrecon, dnsenum, subfinder, amass - Network access to the target's DNS servers (UDP/TCP port 53) - Wordlist for subdomain brute-forcing (SecLists dns-wordlist or similar) - Understanding of DNS record types (A, AAAA, CNAME, MX, NS, TXT, SOA, SRV, PTR) ## Workflow ### Step 1: Identify DNS Servers and Basic Records ```bash # Find authoritative name servers dig NS example.com +short # ns1.example.com. # ns2.example.com. # Get SOA record for zone metadata dig SOA example.com +short # ns1.example.com. admin.example.com. 2024031501 3600 900 604800 86400 # Enumerate all common record types dig example.com ANY +noall +answer # Get MX records (...