The Domain Name System is crucial for human interaction with networks. Gathering information about a target is critical to performing a successful penetration test, and the DNS service is one of the key sources of this information. Today, I want to write about the different types of information that can be discovered by probing this service using a mix of command line tools and web resources. There are many tools available to interact with DNS, but today I’m going to cover the use of nslookup, host, and *dig* on the command line, and the netcraft website.
As with most things related to pen-testing, there are many different ways to enumerate the subdomains of your target. One promising tool I’ve been playing with recently is Recon-Ng. I won’t be at all surprised if recon-ng becomes as popular for the reconnaissance phase of a pen-test as metasploit has become for the exploit phase. Today, though, I want to talk about a fun method I used a few weeks ago to find out more about the subdomains of my target. But first, here are some completely passive methods of enumerating subdomains.