DNS Enumeration Tutorial – Dig, Nslookup & Host

DNS Enumeration

What is a DNS server?

A DNS server is a server/computer on the internet the resolves hostnames/domains to IP addresses.

It is responsible for the management, maintenance and the processing of Internet domain names and their associated records.

In essence, DNS servers give out nameserver and mail server information for the domain it is responsible for.


What is DNS enumeration?

DNS enumeration is also referred to as DNS interrogation.

It involves all the techniques that are used to gather as much information as possible from the DNS server. DNS enumeration is the process of locating all the DNS servers and their corresponding records for a domain.

DNS enumeration will yield computer names, and IP addresses and mail servers of particular domains.


Tools we will be using

  • Dig
  • Host
  • Nslookup


Using host

Host is used to determine the IP address a domain resolves to.


  • Host hsploit.com
  • Host -t ns hsploit.com
  • Host -t mx hsploit.com


Using Nslookup

  • Nslookup hsploit.com
  • Nslookup
    • Select ns for nameservers and domain – set type=ns, hsploit.com
    • Select ns for mail servers and domain – set type mx, hsploit.com


Using Dig for DNS Enumeration

Dig is one of the most commonly used tools for DNS enumeration, it is also referred to as the DNS swiss army knife.

Record Types

  • A – The A record holds the IP address associated with the domain
  • AAAA – Holds the IPV6 address for the domain
  • CNAME – (Canonical name record) – Maps one domain to another domain (Very useful)
  • MX – The mx record lists the addresses associated with the mail exchanger
  • PTR – Pointer records which are used in reverse DNS lookups
  • AXFR – Authority for zone transfer – is used to make name server return all the records of a particular domain (This is very useful as we will see in the next videos as it can divulge internal addresses and private subdomains)


Using Dig

  • DomainĀ  Lookup – dig hsploit.com
  • Mail server lookup – dig hsploit.com -t mx
  • Name server lookup – dig hsploit.com -t ns
  • AAAA lookup – dig hsploit.com AAAA
  • CNAME Lookup – dig hsploit.com CNAME


Returning important data only

We use the +short command to return only the important information.

  • Dig hsploit.com mx +short
  • Dig hsploit.com ns +short



Liked it? Take a second to support Alexis on Patreon!
Share this post