🛡️ Methodology Checklist
- NS record lookup: nslookup -type=NS [DOMAIN]
- MX record lookup: nslookup -type=MX [DOMAIN]
- A/AAAA records: nslookup [DOMAIN] [NS_SERVER]
- Attempt zone transfer: dig axfr [DOMAIN] @[NS_SERVER]
- Subdomain brute-force: fierce, dnsx, gobuster dns
- Reverse DNS sweep: dig -x [IP] for interesting PTR records
- DNSSEC check: dig DNSKEY [DOMAIN]
- Document all discovered subdomains and IPs
🎯 Operational Context
Think Dumber First: Attempt zone transfer against ALL NS servers before doing anything else. Many admins restrict the primary but forget the secondary. One successful AXFR hands you the entire internal IP map, naming conventions, and host inventory without a single active probe against targets.
When you land here: Port 53 is open (TCP and/or UDP). Run dig NS [DOMAIN] to enumerate all authoritative servers, then attempt AXFR against each. If AXFR fails everywhere, fall back to subdomain brute-force with gobuster/dnsx.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| dig ns [DOMAIN] @[TARGET_IP] | Query authoritative nameservers |
| dig CH TXT version.bind @[TARGET_IP] | Query DNS server version (CHAOS class); many servers hide or fake the string |
| dig any [DOMAIN] @[TARGET_IP] | Dump all DNS records the server will disclose (many servers now answer ANY minimally per RFC 8482) |
| dig axfr [DOMAIN] @[TARGET_IP] | Zone transfer — dump entire zone file |
| dig axfr [INTERNAL_DOMAIN] @[TARGET_IP] | Zone transfer on internal/sub-zones |
| for sub in $(cat /path/to/subdomains.txt); do dig $sub.[DOMAIN] @[TARGET_IP] \| grep -Ev '^;\|SOA' \| sed -r '/^\s*$/d' \| grep $sub \| tee -a found_subdomains.txt; done | Subdomain brute-force via bash loop (grep needs -E for the alternation; a plain grep -v ';\|SOA' filters nothing) |
| dnsenum --dnsserver [TARGET_IP] --enum -p 0 -s 0 -o subdomains.txt -f wordlist.txt [DOMAIN] | Automated DNS enumeration with DNSenum |
🔬 Deep Dive & Workflow
Initial Enumeration
- Identify nameservers:
- Identify nameservers: dig ns [DOMAIN] @[TARGET_IP]
- Attempt version disclosure: dig CH TXT version.bind @[TARGET_IP]
- Query all records: dig any [DOMAIN] @[TARGET_IP]
- Attempt zone transfer: dig axfr [DOMAIN] @[TARGET_IP] (repeat against every NS returned in the first step)
- If an internal zone is found (e.g., internal.[DOMAIN]) → attempt AXFR on it too
- If AXFR fails everywhere → subdomain brute-force with a wordlist
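The sweep described in the Operational Context and in the list above, scripted as an added example (not code from the original page): enumerate the authoritative NS set, try a TCP AXFR against each server, and turn a successful dump into a host and /24 inventory. It assumes dig is installed; every domain name and address it handles comes from the caller or from dig's output.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: try AXFR against every
# authoritative NS of a zone and inventory the hosts from a successful dump.
# Assumes dig (bind-utils / dnsutils) is on PATH. Domain names are
# placeholders supplied by the caller.

# axfr_ok: read dig axfr output on stdin; succeed only for a completed transfer.
# dig ends a successful AXFR with an ";; XFR size: N records" trailer; a refused
# transfer prints "; Transfer failed." and no such trailer.
axfr_ok() {
    grep -q '^;; XFR size: [0-9]'
}

# axfr_hosts: read dig axfr output on stdin; print "name ip" for every A/AAAA
# record (trailing dot stripped), de-duplicated and sorted. Comment lines
# start with ';' and are skipped; NS/MX/SOA/CNAME data is ignored here.
axfr_hosts() {
    awk '$1 !~ /^;/ && NF >= 5 && ($4 == "A" || $4 == "AAAA") {
             sub(/\.$/, "", $1); print $1, $5 }' | sort -u
}

# axfr_subnets: read "name ip" lines (axfr_hosts output) on stdin; print
# "count subnet" for every IPv4 /24 seen, most populated first. This is the
# "internal IP map" the text refers to: which ranges hold the most hosts.
axfr_subnets() {
    awk '$2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
             split($2, o, "."); n[o[1] "." o[2] "." o[3] ".0/24"]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# list_ns DOMAIN: authoritative nameservers, one per line, trailing dot removed.
list_ns() {
    dig +short NS "$1" | sed 's/\.$//' | sort -u
}

# axfr_sweep DOMAIN: attempt AXFR (forced over TCP) against every NS.
# Each successful dump is saved to axfr_<domain>_<ns>.txt; returns 0 if any
# server allowed the transfer, 1 if all of them refused.
axfr_sweep() {
    local domain="$1" ns out rc=1
    for ns in $(list_ns "$domain"); do
        out=$(dig +tcp axfr "$domain" "@$ns") || true
        if printf '%s\n' "$out" | axfr_ok; then
            echo "[+] $ns allows AXFR for $domain"
            printf '%s\n' "$out" > "axfr_${domain}_${ns}.txt"
            rc=0
        else
            echo "[-] $ns refuses AXFR for $domain"
        fi
    done
    return "$rc"
}

# Usage: ./axfr_sweep.sh example.com
#        cat axfr_example.com_*.txt | axfr_hosts | axfr_subnets
if [ "$#" -ge 1 ]; then
    axfr_sweep "$1"
fi
```

The success test keys on dig's own trailer rather than on exit status, because a refused transfer still produces output; the saved file is the evidence for the report, and axfr_subnets answers the first question a pentester asks of a dump, namely which ranges are worth scanning first.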
Attacks
- Zone transfer (axfr) — if misconfigured with allow-transfer { any; }, dumps all hostnames and IPs
- Subdomain brute-force → find hidden internal services
- DNS version disclosure → match version to known CVEs (the string is often hidden or faked, so confirm it before relying on it)
- Cache poisoning (if recursive queries are allowed from external clients)
- Check the allow-recursion setting — if unrestricted, the server is usable as a DNS amplifier
Core Concept
DNS resolves hostnames to IP addresses. It is a distributed, hierarchical database: 13 root server identities (A–M, each anycast across many physical sites) serve the root zone, which IANA/ICANN manages and which delegates every TLD.
Security: DNS is unencrypted by default, so anyone on the path can read queries and answers. Transport encryption options: DoT (DNS over TLS), DoH (DNS over HTTPS), DNSCrypt. These protect confidentiality only; DNSSEC (checked above with dig DNSKEY) signs records so a validating resolver can detect forged answers, but it encrypts nothing.
DNS Server Types
| Type | Description |
|---|---|
| Root Server | Serves the root zone (delegations to every TLD) — 13 root server identities, anycast worldwide |
| Authoritative | Holds binding authority for a zone |
| Non-authoritative | Collects zone info via recursive/iterative queries |
| Caching | Caches responses per TTL |
| Forwarding | Forwards all queries to another server |
| Resolver | Local name resolution on computer/router |
DNS Record Types
| Record | Description |
|---|---|
| A | IPv4 address |
| AAAA | IPv6 address |
| MX | Mail server |
| NS | Nameservers |
| TXT | Text records (SPF, DMARC, verification codes) |
| CNAME | Alias to a canonical name (e.g. www → the apex or a CDN hostname); not allowed at the zone apex |
| PTR | Reverse lookup (IP → hostname) |
| SOA | Zone admin email, serial number and refresh/retry/expire timers; an AXFR dump begins and ends with it |
Dangerous Bind9 Settings
| Option | Risk |
|---|---|
| allow-transfer { any; }; | Zone transfer to anyone → full zone dump (older BIND releases behave this way when the option is absent) |
| allow-query { any; }; | Unrestricted queries; expected for a public authoritative zone, risky when the same server also hosts internal zones |
| allow-recursion { any; }; | Open resolver: DNS amplification attack surface and cache poisoning exposure |
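An added example (not from the original page) that checks a named.conf for the three options in the table and prints the hardened counterpart the Reporting Trigger recommends. It reads the config on stdin; the zone name, secondary IP and TSIG key name are caller-supplied placeholders, and the key secret must come from tsig-keygen.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: audit a BIND named.conf (read on
# stdin) for allow-transfer / allow-recursion / allow-query, and emit a
# hardened fragment. Zone, secondary IP and TSIG key name are placeholders.

# bind_acl_value OPTION: print the first ACL body configured for OPTION
# (e.g. "any", "none", "10.0.0.2 10.0.0.3", 'key "xfer-key"') after stripping
# //, # and /* */ comments, or "unset" if the option does not appear.
# Only the first occurrence (global options or a zone) is considered.
bind_acl_value() {
    local opt="$1" val
    val=$(sed -e 's://.*$::' -e 's:#.*$::' \
        | tr '\n' ' ' \
        | sed -e 's:/\*[^*]*\*/::g' \
        | grep -oE "$opt[[:space:]]*\{[^}]*\}" \
        | head -n1 \
        | sed -E -e 's/^[^{]*\{//' -e 's/\}$//' -e 's/;/ /g' \
                 -e 's/[[:space:]]+/ /g' -e 's/^ //' -e 's/ $//')
    printf '%s\n' "${val:-unset}"
}

# audit_named_conf: read named.conf on stdin, print one line per option,
# return 1 if a risky setting (or an unset allow-transfer) was found.
audit_named_conf() {
    local conf opt val rc=0
    conf=$(cat)
    for opt in allow-transfer allow-recursion allow-query; do
        val=$(printf '%s\n' "$conf" | bind_acl_value "$opt")
        case "$opt:$val" in
            allow-transfer:any)
                echo "RISK  $opt { any; }: anyone can AXFR the zone"; rc=1 ;;
            allow-transfer:unset)
                echo "CHECK $opt not set: older BIND releases then allow transfers to any host"; rc=1 ;;
            allow-recursion:any)
                echo "RISK  $opt { any; }: open resolver (amplification, cache poisoning exposure)"; rc=1 ;;
            allow-query:any)
                echo "INFO  $opt { any; }: expected for a public authoritative zone, not for an internal one" ;;
            *)
                echo "OK    $opt = $val" ;;
        esac
    done
    return "$rc"
}

# hardened_config ZONE SECONDARY_IP KEYNAME: named.conf fragment that
# disables recursion, denies transfers by default and allows them for ZONE
# only when the request is signed with the TSIG key KEYNAME.
hardened_config() {
    cat <<EOF
key "$3" {
    algorithm hmac-sha256;
    secret "PASTE_SECRET_FROM: tsig-keygen -a hmac-sha256 $3";
};
options {
    recursion no;                    // authoritative-only server
    allow-transfer { none; };        // default-deny; zones opt in below
};
zone "$1" {
    type master;
    file "/etc/bind/db.$1";
    allow-transfer { key "$3"; };    // TSIG-signed transfer requests only
    also-notify { $2; };
};
EOF
}

# Usage: audit_named_conf < /etc/bind/named.conf.options
#        hardened_config example.com 10.0.0.2 xfer-key
```

The audit flags an absent allow-transfer as well as an explicit any, because the Reporting Trigger's root cause ("not configured") is exactly the case a grep for any would miss. Keying the transfer ACL on a TSIG key rather than an IP means a spoofed or re-used secondary address gains nothing.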
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| AXFR refused on all NS servers | Zone transfer IP-restricted on every server | Try host -l [DOMAIN] [NS_IP] (same AXFR, different client, useful if dig output is being filtered); query each NS individually rather than the domain; retry from other in-scope source IPs, since allow-transfer ACLs are usually address-based |
| dig times out, no response | UDP/53 blocked; DNS only reachable over TCP | Force TCP: dig +tcp @[TARGET] [DOMAIN] axfr; confirm TCP/53 is open: nmap -p 53 -sT [TARGET]. If TCP/53 is filtered, AXFR is impossible from that vantage point, because zone transfers always use TCP |
| Subdomain brute-force returns every word as valid | Wildcard DNS active (*.[DOMAIN] answers for any label) | Test with dig randomgarbage123.[DOMAIN] @[NS]; if it resolves, note the returned IP(s) and discard hits that resolve only to them. gobuster dns stops when it detects a wildcard unless --wildcard is passed, and then reports everything, so filter its output yourself |
| Zone transfer works but output is garbled/truncated | Large zone scrolled out of the terminal buffer, or the transfer was cut off mid-stream; AXFR already runs over TCP, so UDP packet size is not the cause | Redirect output straight to a file: dig axfr [DOMAIN] @[NS] > zone.txt; a complete transfer ends with the SOA record repeated and an ';; XFR size: N records' trailer |
| dig ANY returns minimal records | Modern DNS servers restrict ANY queries (RFC 8482) | Query by type individually: dig A, dig MX, dig TXT, dig AAAA, dig NS against the target NS |
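The wildcard row above and the bash brute-force loop in the cheatsheet, combined into an added example (not code from the original page): it first measures what *.DOMAIN returns for random labels, then reports only wordlist hits whose A records differ from that wildcard answer. It assumes dig is on PATH; DOMAIN, WORDLIST and the optional SERVER are supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: wildcard-aware subdomain
# brute-force. Measures what *.DOMAIN answers for random labels, then reports
# only wordlist hits whose A records differ from that wildcard answer.
# Assumes dig on PATH; DOMAIN, WORDLIST and SERVER are caller-supplied.

# resolve_a NAME [SERVER]: A records of NAME, sorted, one per line.
# dig +short also prints CNAME targets on the way to the A record; the grep
# keeps only dotted-quad lines. stdin is detached so dig never eats the wordlist.
resolve_a() {
    dig +short +time=2 +tries=1 A "$1" ${2:+"@$2"} </dev/null 2>/dev/null \
        | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | sort -u
}

# wildcard_ips DOMAIN [SERVER]: resolve three random 16-hex-char labels under
# DOMAIN and print the A records common to all three. Prints nothing when any
# random label fails to resolve, i.e. when there is no wildcard.
wildcard_ips() {
    local domain="$1" server="$2" i label cur all=""
    for i in 1 2 3; do
        label=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' | head -c 16)
        cur=$(resolve_a "$label.$domain" "$server")
        [ -n "$cur" ] || return 0
        all="$all$cur
"
    done
    printf '%s' "$all" | sort | uniq -c | awk '$1 == 3 { print $2 }'
}

# brute_subdomains DOMAIN WORDLIST [SERVER]: print "name ip" for every word
# that resolves to at least one address outside the wildcard answer.
# Caveat: a real host deliberately pointed at the wildcard IP is
# indistinguishable from the wildcard by A record alone; confirm such names
# by other means (HTTP vhost, TLS certificate, other record types).
brute_subdomains() {
    local domain="$1" wordlist="$2" server="$3" wild sub ips ip
    wild=$(wildcard_ips "$domain" "$server")
    if [ -n "$wild" ]; then
        echo "[!] wildcard for *.$domain -> $(printf '%s' "$wild" | tr '\n' ' ')" >&2
    fi
    while read -r sub; do
        [ -n "$sub" ] || continue
        ips=$(resolve_a "$sub.$domain" "$server")
        [ -n "$ips" ] || continue
        for ip in $ips; do
            if [ -n "$wild" ] && printf '%s\n' "$wild" | grep -qxF -- "$ip"; then
                continue            # this address is just the wildcard answer
            fi
            echo "$sub.$domain $ip"
        done
    done < "$wordlist"
}

# Usage: ./brute.sh example.com /path/to/subdomains.txt [NS_IP]
if [ "$#" -ge 2 ]; then
    brute_subdomains "$1" "$2" "$3"
fi
```

Three random labels rather than one guard against a server that answers some garbage names from cache or from a catch-all of its own; only addresses returned for all three are treated as the wildcard. Names that return the wildcard IP plus another address are still reported, with only the extra address shown.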
📝 Reporting Trigger
Finding Title: DNS Zone Transfer Misconfiguration (AXFR Unrestricted)
Impact: Complete internal DNS zone disclosure — all hostnames, IP addresses, and subnet structure enumerable without authentication. Eliminates need for active host discovery.
Root Cause: allow-transfer either not configured (older BIND releases then default to allowing transfers to any host) or explicitly set to any; AXFR requests are accepted from any source IP.
Recommendation: Restrict zone transfers to authorized secondary DNS IPs only: allow-transfer { [SECONDARY_IP]; }; in BIND named.conf. Implement TSIG key authentication for zone transfers. Disable AXFR entirely if no secondary DNS replication is needed.