Mapping the Domain Name System (DNS)
DNS translates human-readable domain names into IP addresses. Enumerating DNS records reveals critical infrastructure information.
1. nslookup (Name Server Lookup)
- Simple query tool available by default on Windows and Linux.
- Used to look up a single record type (A by default, others selectable) against the system resolver or a chosen server.
2. dig (Domain Information Groper)
- More flexible and verbose tool; ships with the BIND utilities (bind-utils / dnsutils packages) on most Linux distributions.
- Allows querying specific record types, querying a specific server directly (@server), and requesting zone transfers.
Key DNS Record Types for Recon
| Record Type | Description |
|---|---|
| A Record | Maps a domain name to an IPv4 address. |
| MX Record | Lists the mail servers that accept email for the domain, each with a priority. Identifies the mail infrastructure to target and is the starting point for assessing phishing and spoofing exposure. |
| NS Record | Defines the authoritative name servers. |
| TXT Record | Free-form text. For recon the interesting entries are email-authentication policies (SPF at the zone apex, DMARC at _dmarc.domain, DKIM public keys at selector._domainkey.domain) and third-party verification tokens that reveal which SaaS providers the organization uses. |
Example dig command:

```bash
dig targetdomain.com MX
```
Zone Transfer Attempt: A misconfigured authoritative server may answer an AXFR request from any client, returning the entire zone (every hostname and its records). AXFR runs over TCP directly against an authoritative server, so the test is to take each server from the NS records and ask it for the zone; name servers in the same NS set are frequently configured independently, so one refusing says nothing about the others. A correctly configured server refuses, and dig then prints "; Transfer failed.". Attackers and pentesters routinely check for this.
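The record enumeration from the table above and the zone-transfer check, combined into one script. This is an added example for these notes, not the original author's, and it assumes dig (BIND utilities) is installed and that targetdomain.com is a placeholder for a target you are authorized to test. The two sample dig outputs embedded at the bottom are constructed, not captured from a real server, so the AXFR classifier can be exercised without network access.

```bash
#!/usr/bin/env bash
# dns_recon.sh: pull the recon-relevant records for a domain and test every
# authoritative name server for an open zone transfer (AXFR).
# Added example for these notes; not the original author's script.
# Assumes: dig (BIND utilities) is installed; "targetdomain.com" is a
# placeholder target you are authorized to test.

# Query the record types from the table plus the DMARC policy, which lives
# under the _dmarc label rather than at the zone apex.
enum_records() {
    local domain="$1" type
    for type in A MX NS TXT; do
        echo "== $type records for $domain =="
        dig +short "$domain" "$type"
    done
    echo "== DMARC policy =="
    dig +short TXT "_dmarc.$domain"
}

# Classify dig's AXFR output. A refusing server makes dig print
# "; Transfer failed."; a server that hands over the zone prints the records
# followed by an ";; XFR size: N records" summary line.
classify_axfr() {
    local output="$1"
    if printf '%s\n' "$output" | grep -q '^; Transfer failed'; then
        echo refused
    elif printf '%s\n' "$output" | grep -q '^;; XFR size:'; then
        echo allowed
    else
        echo unknown
    fi
}

# Ask each NS listed for the domain for the whole zone. Servers in the same
# NS set are often configured independently, so test all of them.
try_zone_transfer() {
    local domain="$1" ns output verdict
    for ns in $(dig +short NS "$domain"); do
        output="$(dig @"$ns" "$domain" AXFR 2>&1)"
        verdict="$(classify_axfr "$output")"
        echo "$ns: AXFR $verdict"
        if [ "$verdict" = allowed ]; then
            # Keep the evidence: every hostname/IP the server leaked.
            printf '%s\n' "$output" > "axfr_${domain}_${ns%.}.txt"
        fi
    done
}

# Count the distinct hostnames a leaked zone exposes (owner names of A records).
count_leaked_hosts() {
    printf '%s\n' "$1" | awk '$4 == "A" { print $1 }' | sort -u | wc -l | tr -d ' '
}

# Constructed sample outputs (not captured from a real server) so the
# classifier and counter can be exercised offline.
SAMPLE_REFUSED='; <<>> DiG 9.18.0 <<>> @ns1.targetdomain.com targetdomain.com AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.'

SAMPLE_ALLOWED='; <<>> DiG 9.18.0 <<>> @ns1.targetdomain.com targetdomain.com AXFR
; (1 server found)
;; global options: +cmd
targetdomain.com.       3600    IN      SOA     ns1.targetdomain.com. hostmaster.targetdomain.com. 2024010101 7200 3600 1209600 3600
targetdomain.com.       3600    IN      NS      ns1.targetdomain.com.
www.targetdomain.com.   3600    IN      A       192.0.2.10
vpn.targetdomain.com.   3600    IN      A       192.0.2.20
targetdomain.com.       3600    IN      SOA     ns1.targetdomain.com. hostmaster.targetdomain.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
;; SERVER: 192.0.2.53#53(ns1.targetdomain.com) (TCP)
;; WHEN: Mon Jan 01 12:00:00 UTC 2024
;; XFR size: 5 records (messages 1, bytes 210)'

# Only hit the network when a domain is passed on the command line.
if [ "$#" -gt 0 ]; then
    enum_records "$1"
    try_zone_transfer "$1"
fi
```

Run it as `bash dns_recon.sh targetdomain.com`. A successful transfer is saved to a per-server file so the leaked hostnames can be fed into later steps; on the constructed sample, count_leaked_hosts reports 2 distinct A-record hosts.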