Basics

dig axfr $domain_target @$IP_target

Check for subdomains (the owner names returned by a successful zone transfer):

IPtarget={IP.ta.rg.et}
DNStarget={DomainName target}
# Keep only owner names below the target zone; the dot is escaped and hyphens/deeper labels are allowed
dig axfr $DNStarget @$IPtarget | grep -oE "^[a-zA-Z0-9.-]+\.$DNStarget" | tee -a subdomains.htb

To see the full resolution path and the additional section of each answer:

dig +trace +additional $DNStarget

Host

`for i in $(cat subdomainlist);do host $i | grep "has address" | grep $domain | cut -d" " -f1,4;done`

Each line of `host` output looks like `www.example.htb has address 10.10.10.11`, so fields 1 and 4 give the name and its IPv4 address; `$domain` restricts the output to the zone of interest.
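As an added example (not part of the original notes), a small Python parser for `dig axfr` output that extracts the subdomains and the name-to-IPv4 mapping more robustly than the grep/cut pipelines above; the zone, server address and records are constructed sample data, not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample of `dig axfr` output; no real zone or server was queried.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr example.htb @10.10.10.10
;; global options: +cmd
example.htb.            604800  IN      SOA     ns1.example.htb. admin.example.htb. 2024010101 604800 86400 2419200 604800
example.htb.            604800  IN      NS      ns1.example.htb.
ns1.example.htb.        604800  IN      A       10.10.10.10
www.example.htb.        604800  IN      A       10.10.10.11
dev-api.example.htb.    604800  IN      CNAME   www.example.htb.
mail.example.htb.       604800  IN      MX      10 mail.example.htb.
mail.example.htb.       604800  IN      A       10.10.10.12
internal.corp.example.htb. 604800 IN    A       10.10.10.20
example.htb.            604800  IN      SOA     ns1.example.htb. admin.example.htb. 2024010101 604800 86400 2419200 604800
;; Query time: 3 msec
"""

# One resource record per line: owner, TTL, class IN, type, rdata. Comment lines start with ';'.
RR_LINE = re.compile(r"^(?P<name>[^\s;]+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+?)\s*$")

def parse_axfr(text):
    """Return a list of (name, ttl, type, rdata) tuples, skipping comments and blank lines."""
    records = []
    for line in text.splitlines():
        m = RR_LINE.match(line)
        if m:
            name = m.group("name").rstrip(".").lower()
            records.append((name, int(m.group("ttl")), m.group("type"), m.group("rdata")))
    return records

def subdomains_of(records, zone):
    """Unique owner names strictly below the zone apex (hyphens and nested labels included)."""
    zone = zone.rstrip(".").lower()
    return sorted({name for name, _, _, _ in records if name.endswith("." + zone)})

def a_records(records):
    """Map hostname -> sorted IPv4 addresses, the same data the host/'has address' loop collects."""
    out = defaultdict(set)
    for name, _, rtype, rdata in records:
        if rtype == "A":
            out[name].add(rdata)
    return {name: sorted(addrs) for name, addrs in out.items()}

if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    for sub in subdomains_of(recs, "example.htb"):
        print(sub)
    print(a_records(recs))
```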

Hosts file

| OS | Path |
|---|---|
| Windows | C:\Windows\System32\drivers\etc\hosts |
| Linux | /etc/hosts |

Tools

| Tool | Usual command |
|---|---|
| dig | |
| nslookup | |
| whois | |
| dnsenum | `dnsenum --dnsserver $ipscope --enum -p 0 -s 0 -o subdomains.txt -f {wordlist} {domain}` |
| host | `for i in $(cat subdomainlist);do host $i \| grep "has address" \| grep {domain you're looking for} \| cut -d" " -f1,4;done` |
| viewdns | (web-based lookup service) |
| securitytrails | (web-based lookup service) |

Dig

dig $domain {RECORD}
# Query a specific name server instead of the system resolver, e.g. @1.1.1.1
dig @{IP} $domain
| Option | Description |
|---|---|
| +trace | show the full DNS resolution path from the root down |
| -x {IP} | reverse lookup on the given IP |
| +short | concise query answer |
| +noall | turn off all output sections (usually combined with +answer) |
| +answer | display only the answer section |
| ANY | retrieve all DNS records (not exhaustive; many servers no longer answer ANY in full) |

Zone Transfer

Can be done using dig as well:

dig axfr @DNS_SERVER {domain.com}

Info

| Server type | Description |
|---|---|
| DNS Root Server | The root servers of the DNS are responsible for the top-level domains (TLD). As the last instance, they are only requested if the name server does not respond. Thus, a root server is a central interface between users and content on the Internet, as it links domain and IP address. The Internet Corporation for Assigned Names and Numbers (ICANN) coordinates the work of the root name servers. There are 13 such root servers around the globe. |
| Authoritative Nameserver | Authoritative name servers hold authority for a particular zone. They only answer queries from their area of responsibility, and their information is binding. If an authoritative name server cannot answer a client's query, the root name server takes over at that point. |
| Non-authoritative Nameserver | Non-authoritative name servers are not responsible for a particular DNS zone. Instead, they collect information on specific DNS zones themselves, which is done using recursive or iterative DNS querying. |
| Caching DNS Server | Caching DNS servers cache information from other name servers for a specified period. The authoritative name server determines the duration of this storage. |
| Forwarding Server | Forwarding servers perform only one function: they forward DNS queries to another DNS server. |
| Resolver | Resolvers are not authoritative DNS servers but perform name resolution locally in the computer or router. |

Record types:

| Record | Description |
|---|---|
| A | Points to an IPv4 address |
| AAAA | Points to an IPv6 address |
| CNAME | Points to another domain name. A given name can carry only one CNAME record. |
| TXT | Generic use. Can be |
| MX | Indicates the mail server(s) for this domain |
| NS | Returns the DNS name servers of the domain |
| SOA | Start of Authority; points to the zone's authoritative (primary) name server |