Performing DNS Enumeration and Zone Transfer

When to Use

• Mapping the external attack surface of a target organization during authorized penetration tests
• Discovering hidden subdomains, internal hostnames, and IP addresses exposed via DNS records
• Testing whether DNS servers allow unauthorized zone transfers that leak the entire zone file
• Identifying mail servers, name servers, and service records for further targeted testing
• Validating DNS security configurations including DNSSEC, SPF, DKIM, and DMARC

Do not use against domains you do not have authorization to test, for DNS amplification or reflection attacks, or to overwhelm DNS servers with excessive query volumes.

Prerequisites

• Written authorization to perform DNS enumeration against the target domain
• DNS enumeration tools installed: dig, nslookup, host, dnsrecon, dnsenum, subfinder, amass
• Network access to the target's DNS servers (UDP/TCP port 53)
• Wordlist for subdomain brute-forcing (SecLists dns-wordlist or similar)
• Understanding of DNS record types (A, AAAA, CNAME, MX, NS, TXT, SOA, SRV, PTR)