DNS Enumeration and Subdomain Discovery: Passive and Active Techniques
DNS enumeration is the foundation of every serious reconnaissance workflow. Before you probe a single port, a thorough DNS investigation reveals the full scope of an organisation's infrastructure — including assets they've forgotten about. This guide covers passive and active techniques used by top bug bounty hunters and red teamers.
DNS Record Types — What to Look For
- A / AAAA — Maps hostname to IPv4/IPv6. Primary target for IP discovery.
- CNAME — Canonical name alias. Often reveals internal service names, CDN usage, or dangling subdomains (subdomain takeover).
- MX — Mail servers. Reveals email providers, on-prem mail infra, and third-party services.
- TXT — Arbitrary text. Contains SPF, DKIM, DMARC records, domain verification tokens (Google, AWS, etc.), and sometimes leaked internal info.
- NS — Authoritative nameservers. Misconfigured NS can allow zone transfers.
- SOA — Zone authority info including primary nameserver and admin email.
- SRV — Service location records. Reveals internal services like SIP, LDAP, XMPP.
- PTR — Reverse DNS. Maps IP back to hostname.
Basic DNS Queries
# Query all record types (many resolvers answer ANY with a minimal reply per RFC 8482, so query the types individually as well)
dig target.com ANY +short
# Specific record types
dig target.com A +short
dig target.com MX +short
dig target.com TXT +short
dig target.com NS +short
# Query a specific nameserver
dig @8.8.8.8 target.com A
# Reverse DNS lookup
dig -x 93.184.216.34 +short
# Using host command
host -a target.com
host -t MX target.com
Zone Transfer Exploitation (AXFR)
A zone transfer copies the entire DNS zone to another server. When misconfigured to allow transfers from any source, attackers receive every subdomain in one request.
# Find authoritative nameservers first
dig target.com NS +short
# Returns: ns1.target.com, ns2.target.com
# Attempt zone transfer on each nameserver
dig @ns1.target.com target.com AXFR
dig @ns2.target.com target.com AXFR
# Using host
host -l target.com ns1.target.com
# Using nmap
nmap -p 53 --script dns-zone-transfer --script-args dns-zone-transfer.domain=target.com TARGET-NS-IP
# Using dnsrecon
dnsrecon -d target.com -t axfr
Successful zone transfers are rare on modern infrastructure but extremely common on legacy systems and internal DNS servers during internal assessments.
Certificate Transparency Logs
Certificate Transparency (CT) logs record every TLS certificate issued. Every subdomain that has ever had a certificate is permanently logged — a gold mine for passive recon.
# crt.sh — search CT logs via web API
curl -s "https://crt.sh/?q=%25.target.com&output=json" | python3 -c "import json,sys; data=json.load(sys.stdin); [print(d['name_value']) for d in data]" | sort -u
# Parse out unique subdomains
curl -s "https://crt.sh/?q=%25.target.com&output=json" | python3 -c "import json,sys; [print(n) for d in json.load(sys.stdin) for n in d['name_value'].split()]" | sed 's/\*\.//g' | sort -u > ct_subdomains.txt
# Censys API (requires free account)
censys search 'parsed.names: target.com' --index certificates --fields 'parsed.names' --format json | python3 -c "import json,sys; [print(n) for d in [json.loads(l) for l in sys.stdin] for n in d.get('parsed.names',[])]" | grep target.com | sort -u
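The one-liners above work, but crt.sh packs several names into a single name_value entry, mixes case, and returns wildcard and out-of-scope names, so a small parser makes the clean-up explicit and repeatable. The script below is an added example, not code from the original page or from crt.sh; SAMPLE_CRT_JSON is a constructed sample that mirrors the shape of crt.sh's output=json response, and target.com stands in for the domain under test.

```python
"""Normalise crt.sh JSON output into a unique, in-scope subdomain list.

Added example (not from the original page). The sample JSON below is
constructed to mimic crt.sh's `output=json` shape; on a real export run:
    python3 ct_parse.py target.com < crt.json
"""
import json
import sys

# Constructed sample: crt.sh returns a list of objects whose "name_value"
# may hold several names separated by newlines, wildcards, and mixed case.
SAMPLE_CRT_JSON = json.dumps([
    {"name_value": "www.target.com\nTarget.com"},
    {"name_value": "*.staging.target.com"},
    {"name_value": "api.target.com\napi.target.com"},
    {"name_value": "target.com.evil-lookalike.net"},   # out of scope
    {"name_value": "mail.target.com."},                # trailing dot
])


def normalise_name(name: str) -> str:
    """Lower-case, strip a leading wildcard label and a trailing dot."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_scope(name: str, domain: str) -> bool:
    """True if name is the domain itself or a subdomain of it (not a look-alike)."""
    return name == domain or name.endswith("." + domain)


def extract_subdomains(raw_json: str, domain: str) -> list:
    """Return sorted unique in-scope hostnames from a crt.sh JSON export."""
    records = json.loads(raw_json)
    found = set()
    for rec in records:
        for raw in rec.get("name_value", "").split("\n"):
            name = normalise_name(raw)
            if name and in_scope(name, domain):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "target.com"
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRT_JSON
    for host in extract_subdomains(data, target):
        print(host)
```

The in_scope check matters: a plain substring match on "target.com" would also accept look-alike domains registered by third parties, which is exactly the kind of name you do not want silently merged into an asset inventory.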
Active Subdomain Brute Forcing
# ffuf — fast web fuzzer, excellent for DNS brute force
ffuf -u http://FUZZ.target.com -w /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt -mc 200,301,302,401,403 -t 100 -o subdomains.json
# Resolve names directly over DNS (no HTTP) for more accurate results; ffuf's -mode flag selects a multi-wordlist strategy, not DNS, so use a DNS brute forcer such as gobuster's dns mode
gobuster dns -d target.com -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50
# Amass — comprehensive subdomain enumeration
amass enum -d target.com -passive -o amass_passive.txt
amass enum -d target.com -active -o amass_active.txt -config amass_config.ini
# subfinder — fast passive enumeration
subfinder -d target.com -o subfinder.txt -all -recursive
# Combined workflow
subfinder -d target.com -silent | httpx -silent -status-code -title -tech-detect -o live_subdomains.txt
Passive DNS Sources
# SecurityTrails API
curl -s "https://api.securitytrails.com/v1/domain/target.com/subdomains" -H "APIKEY: YOUR_API_KEY" | python3 -m json.tool
# Shodan subdomain search
shodan domain target.com
# VirusTotal passive DNS
curl -s "https://www.virustotal.com/vtapi/v2/domain/report?apikey=APIKEY&domain=target.com" | python3 -c "import json,sys; d=json.load(sys.stdin); [print(s) for s in d.get('subdomains',[])]"
# DNSDB (Farsight) — passive DNS database
curl -s "https://api.dnsdb.info/lookup/rrset/name/*.target.com/A" -H "X-API-Key: APIKEY" | jq -r '.rrname'
DNS Wildcard Detection
# Test for wildcard DNS (nonexistent subdomains that resolve)
dig randomstring12345.target.com A +short
# If this returns an IP, wildcards are configured
# Filter wildcards from brute force results
# dnsrecon handles this automatically
dnsrecon -d target.com -D /usr/share/wordlists/subdomains.txt -t brt
# Manual: compare brute-force IPs against wildcard IP
WILDCARD_IP=$(dig randomstring12345.target.com A +short)
# Filter out any results matching $WILDCARD_IP
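The manual comparison above breaks down when a wildcard pool round-robins over several addresses, or when a real host happens to share the wildcard address. The script below is an added example, not code from the original page or from dnsrecon: it probes several random labels, takes the union of their answers as the wildcard set, and keeps only candidates that have at least one non-wildcard address. The resolver is injectable; resolve_fake and FAKE_ZONE are a constructed answer table so the logic runs offline, and resolve_live uses the system resolver for real runs.

```python
"""Detect wildcard DNS and drop brute-force hits that only match the wildcard.

Added example (not from the original page). FAKE_ZONE/resolve_fake are a
constructed answer table for offline use; pass resolve_live for real lookups.
"""
import random
import socket
import string
from typing import Callable, Dict, List, Set

Resolver = Callable[[str], Set[str]]


def resolve_live(hostname: str) -> Set[str]:
    """Return the IPv4 addresses for hostname via the system resolver; empty on NXDOMAIN/failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def random_label(length: int = 16) -> str:
    """A label that will not exist in any real zone unless a wildcard answers it."""
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=length))


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve several random labels; the union of their answers is the wildcard IP pool."""
    answers = [resolve(f"{random_label()}.{domain}") for _ in range(probes)]
    if not all(answers):
        return set()  # at least one probe got NXDOMAIN: no wildcard configured
    return set().union(*answers)


def filter_wildcard_hits(domain: str, candidates: List[str], resolve: Resolver) -> Dict[str, Set[str]]:
    """Return {hostname: ips} for candidates whose answer is not fully explained by the wildcard."""
    wildcard_ips = detect_wildcard(domain, resolve)
    real: Dict[str, Set[str]] = {}
    for label in candidates:
        host = f"{label}.{domain}"
        ips = resolve(host)
        # Keep the host if it resolves and at least one address is outside the wildcard pool.
        if ips and not ips <= wildcard_ips:
            real[host] = ips
    return real


# Constructed answer table standing in for a zone with "*.target.com -> 203.0.113.10".
FAKE_ZONE = {
    "www.target.com": {"198.51.100.5"},
    "api.target.com": {"198.51.100.6", "203.0.113.10"},  # real host that also shares the wildcard IP
    "mail.target.com": {"198.51.100.7"},
}


def resolve_fake(hostname: str) -> Set[str]:
    """Offline resolver: known hosts answer normally, any other label hits the wildcard."""
    if hostname.endswith(".target.com"):
        return FAKE_ZONE.get(hostname, {"203.0.113.10"})
    return set()


if __name__ == "__main__":
    hits = filter_wildcard_hits("target.com", ["www", "api", "dev", "mail", "test"], resolve_fake)
    for host, ips in sorted(hits.items()):
        print(host, ",".join(sorted(ips)))
```

Using the union of several probes rather than a single lookup is deliberate: a wildcard that answers from a pool of addresses would otherwise leak half the pool through as "real" hosts. The subset test is the other half of the trade-off: a host that shares the wildcard address but has an extra record of its own is still reported.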
DNS-Based SSRF
DNS can be used to detect SSRF vulnerabilities using Out-of-Band (OOB) techniques:
# Use Burp Collaborator, interactsh, or your own DNS server
# Set a parameter to: http://YOUR-COLLABORATOR-DOMAIN.com
# interactsh — self-hosted OOB platform
# Start server
interactsh-server -domain oob.yourdomain.com
# Use client-generated URLs in SSRF payloads
interactsh-client -v
# Provides: abc123.oob.yourdomain.com
# Any DNS lookup or HTTP request to this domain is logged
Cloud Resource Discovery via DNS
# Find S3 buckets via subdomain enumeration (often s3., files., assets.)
# Check CNAME records for cloud services
dig assets.target.com CNAME +short
# "target-assets.s3.amazonaws.com" = S3 bucket
# Azure Blob Storage discovery
dig files.target.com CNAME +short
# "storageaccount.blob.core.windows.net"
# Find abandoned/dangling CNAMEs (subdomain takeover candidates)
# Resolve all subdomains, check for NXDOMAIN on the CNAME target
while read -r sub; do
  cname=$(dig +short "$sub.target.com" CNAME)
  if [ -n "$cname" ]; then
    host "$cname" | grep -q "NXDOMAIN" && echo "POTENTIAL TAKEOVER: $sub -> $cname"
  fi
done < subdomains.txt
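As an added example (not from the original page), the same dangling-CNAME check is written below so it can run as a periodic audit of your own zone: it classifies each CNAME target by cloud provider and flags targets that return NXDOMAIN. The lookup function is injectable; FAKE_DNS and lookup_fake are a constructed table for offline runs, lookup_live uses dnspython (an assumption: it must be installed separately), and CLOUD_SUFFIXES covers the two providers the page names plus a few common ones.

```python
"""Audit CNAMEs that point at cloud services and flag targets that no longer resolve.

Added example (not from the original page). FAKE_DNS/lookup_fake are a constructed
answer table for offline use; lookup_live needs dnspython (pip install dnspython).
"""
from typing import Callable, Dict, List, Optional

# Cloud CNAME suffixes worth auditing: the two the page mentions plus a few common ones.
CLOUD_SUFFIXES = {
    ".s3.amazonaws.com": "AWS S3",
    ".blob.core.windows.net": "Azure Blob Storage",
    ".cloudfront.net": "AWS CloudFront",
    ".azurewebsites.net": "Azure App Service",
    ".github.io": "GitHub Pages",
}

# lookup(name, rtype) -> None for NXDOMAIN, [] for "name exists but no such record", else the rdata strings
Lookup = Callable[[str, str], Optional[List[str]]]


def lookup_live(name: str, rtype: str) -> Optional[List[str]]:
    """Live lookup via dnspython (assumed installed); see the Lookup contract above."""
    import dns.resolver
    try:
        return [r.to_text().rstrip(".") for r in dns.resolver.resolve(name, rtype)]
    except dns.resolver.NXDOMAIN:
        return None
    except (dns.resolver.NoAnswer, dns.resolver.NoNameservers):
        return []


def classify_target(cname: str) -> Optional[str]:
    """Name the cloud provider a CNAME target belongs to, or None if unrecognised."""
    for suffix, provider in CLOUD_SUFFIXES.items():
        if cname.lower().endswith(suffix):
            return provider
    return None


def check_host(host: str, lookup: Lookup) -> Optional[Dict[str, str]]:
    """Return a finding for host if it is a CNAME; status is 'dangling' when the target is NXDOMAIN."""
    cnames = lookup(host, "CNAME")
    if not cnames:
        return None
    target = cnames[0].rstrip(".")
    provider = classify_target(target)
    # NXDOMAIN on the alias target means the resource behind it is gone but the
    # DNS alias was left behind: the record should be removed or re-pointed.
    status = "dangling" if lookup(target, "A") is None else "ok"
    return {"host": host, "cname": target, "provider": provider or "unknown", "status": status}


def audit(hosts: List[str], lookup: Lookup) -> List[Dict[str, str]]:
    """Run check_host over an inventory and return only the hosts that are CNAMEs."""
    return [f for f in (check_host(h, lookup) for h in hosts) if f]


# Constructed answer table: a deleted Azure storage account is still aliased from files.target.com.
FAKE_DNS = {
    ("assets.target.com", "CNAME"): ["target-assets.s3.amazonaws.com."],
    ("target-assets.s3.amazonaws.com", "A"): ["203.0.113.20"],
    ("files.target.com", "CNAME"): ["oldstorage.blob.core.windows.net."],
    # oldstorage.blob.core.windows.net is deliberately absent -> NXDOMAIN
    ("www.target.com", "CNAME"): [],
    ("www.target.com", "A"): ["198.51.100.5"],
    ("docs.target.com", "CNAME"): ["docs.internal-cdn.example."],
    ("docs.internal-cdn.example", "A"): ["198.51.100.9"],
}


def lookup_fake(name: str, rtype: str) -> Optional[List[str]]:
    """Offline resolver over FAKE_DNS; a missing key behaves like NXDOMAIN."""
    return FAKE_DNS.get((name, rtype))


if __name__ == "__main__":
    inventory = ["assets.target.com", "files.target.com", "www.target.com", "docs.target.com"]
    for finding in audit(inventory, lookup_fake):
        print(f"{finding['status']:8} {finding['host']} -> {finding['cname']} ({finding['provider']})")
```

NXDOMAIN on the alias target is only one signal: some providers keep the target name resolvable and return a provider-specific error instead, so treat a "dangling" entry as a record to remove or re-point, and confirm "ok" entries per provider before trusting them.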
The Recon Hub provides an integrated workflow for DNS enumeration, certificate transparency, and passive source aggregation. After subdomain discovery, use the Network Recon Tool to port-scan discovered hosts. Cloud subdomains often reveal misconfigured S3 buckets — combine with AWS Penetration Testing techniques.