DNS Enumeration Cheat Sheet

Copy-ready dig, host, nslookup, and dnsrecon commands for querying DNS records, attempting zone transfers, brute-forcing subdomains, and reverse-resolving netblocks during authorized testing. (45 payloads)

Try it interactively with the DNS Record Lookup

Record Queries with dig

(8)

dig example.com A +short

Resolve the A (IPv4) record(s) and print only the answer with no headers or stats.+short is the fastest way to grab just the IP

dig example.com AAAA +short

Resolve the AAAA (IPv6) record — many orgs forget IPv6 hosts have weaker filtering.always check v6; firewall rules often differ

dig example.com MX +short

List mail exchanger records to map the mail infrastructure and provider.reveals Google/O365/Proofpoint and on-prem MTAs

dig example.com NS +short

List authoritative name servers — your targets for zone-transfer and version probing.enumerate NS before attempting AXFR

dig example.com TXT +short

Dump TXT records: SPF, DMARC, domain-verification tokens, and infra hints leak here.SaaS verification strings fingerprint the stack

dig example.com SOA +multiline

Show the Start of Authority record with serial, refresh, retry, expire, and minimum TTL formatted readably.serial tells you when the zone last changed

dig example.com CAA +short

Read Certificate Authority Authorization records to see which CAs may issue certs for the domain.absence of CAA = any CA can issue

dig example.com ANY @8.8.8.8

Request every record type in one query against a specific resolver (here Google DoH/UDP).RFC 8482: many resolvers now refuse/HINFO ANY

host & nslookup Quick Lookups

(7)

host -a example.com

host's verbose mode requesting all record types with full verbosity in one shot.concise alternative to dig for a fast overview

host -t mx example.com 1.1.1.1

Query a specific record type (MX) against a chosen resolver (Cloudflare) with host.trailing arg overrides /etc/resolv.conf

host 93.184.216.34

Reverse-resolve an IP to its PTR (hostname) — host auto-detects address vs name input.quick PTR check without crafting in-addr.arpa

nslookup -type=any example.com

Classic nslookup query for all record types; available everywhere including Windows.use when dig/host aren't installed on the box

nslookup -type=mx example.com 8.8.8.8

Query MX records against a specific server with nslookup's non-interactive syntax.Windows pivot recon often relies on nslookup

nslookup -debug example.com

Show full query/response detail including TTLs and authority section for troubleshooting.debug surfaces CNAME chains and authority NS

host -l example.com ns1.example.com

host's built-in zone-transfer attempt: list (-l) the full zone from a named server.one-liner AXFR; lists every record if allowed

Zone Transfers (AXFR / IXFR)

(6)

dig AXFR example.com @ns1.example.com

Request a full zone transfer (AXFR) from an authoritative server — dumps every record if misconfigured.the classic misconfig; try every NS, not just ns1

for ns in $(dig +short NS example.com); do dig AXFR example.com @$ns; done

Loop AXFR against each authoritative name server, since often only one NS allows transfers.secondaries frequently lag the primary's ACLs

dig IXFR=2024010101 example.com @ns1.example.com

Request an incremental zone transfer from a given SOA serial — sometimes allowed when AXFR is denied.use a serial below the current SOA to force diff

dnsrecon -d example.com -t axfr

Automate zone-transfer testing across all discovered name servers with dnsrecon's axfr module.tries every NS and parses results for you

fierce --domain example.com

Run fierce, which enumerates name servers, attempts AXFR, then falls back to brute force on failure.good first-pass tool; AXFR then wordlist

dig AXFR internal.example.com @10.0.0.53

Attempt AXFR against an internal DNS server reached over a pivot/VPN to dump the internal zone.internal resolvers far more often allow AXFR

Subdomain Brute Force

(6)

dnsrecon -d example.com -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t brt

Brute-force subdomains with dnsrecon using a SecLists wordlist (-t brt) and report resolved hosts.-t brt = brute; --threads tunes concurrency

gobuster dns -d example.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50 -i

DNS-mode gobuster brute force resolving candidates against the domain; -i prints the resolved IPs.fast, single-binary; -r sets a custom resolver

dnsx -d example.com -w wordlist.txt -r resolvers.txt -a -resp -o resolved.txt

ProjectDiscovery dnsx brute force using a trusted resolver list, keeping only names with A records.supply a fresh public-resolvers list for accuracy

puredns bruteforce all.txt example.com -r resolvers.txt --resolvers-trusted trusted.txt

Massively parallel massdns-backed brute force with wildcard filtering and a trusted-resolver validation pass.best for huge wordlists; trusted pass kills wildcards

for sub in www mail dev api vpn staging admin git jenkins; do dig +short $sub.example.com; done

Quick shell loop to resolve a handful of high-value subdomain guesses without any extra tooling.zero-dependency check from any *nix shell

dig +short '*.example.com'

Probe for a wildcard DNS record so you can detect and filter false positives before brute forcing.if this resolves, all brute hits need validation

Reverse DNS & Netblock Sweeps

(6)

dig -x 93.184.216.34 +short

Reverse lookup: dig auto-builds the in-addr.arpa query and returns the PTR hostname.PTR names often leak naming conventions

dig +short PTR 34.216.184.93.in-addr.arpa

Manual reverse query showing the reversed-octet in-addr.arpa form dig constructs for you.useful when scripting reverse sweeps by hand

for ip in 93.184.216.{1..254}; do echo "$ip $(dig +short -x $ip)"; done | grep -v '^.* $'

Sweep an entire /24, printing each IP with its PTR and dropping addresses with no reverse record.maps live hosts and naming across a netblock

dnsrecon -r 93.184.216.0/24

dnsrecon reverse-lookup mode (-r) over a CIDR range, resolving every PTR in the block.accepts CIDR or start-end IP ranges

nmap -sL 93.184.216.0/24

nmap list scan performs reverse DNS on every address without sending packets to the hosts.-sL = no probes, pure rDNS; very stealthy

prips 93.184.216.0/24 | hakrevdns -t 50

Expand a CIDR to all IPs with prips and bulk reverse-resolve them concurrently with hakrevdns.fast bulk PTR resolution for large ranges

Mail, SPF, DMARC & DKIM

(6)

dig +short TXT example.com | grep -i spf

Extract the SPF record to map authorized sending IPs/includes and spot spoofing exposure.include: lines reveal mail vendors and infra

dig +short TXT _dmarc.example.com

Read the DMARC policy (p=none/quarantine/reject) to gauge email-spoofing defenses.p=none = spoofable; rua= shows report mailbox

dig +short TXT selector1._domainkey.example.com

Pull a DKIM public key for a given selector; common selectors are selector1/google/k1/default.guess selectors from headers of received mail

dig +short TXT default._bimi.example.com

Check for a BIMI record, which points to a brand logo and indicates mature email auth (DMARC enforced).BIMI presence implies p=quarantine/reject

dig +short SRV _autodiscover._tcp.example.com

Query Autodiscover SRV records that map Exchange/Office365 endpoints — useful for mail-server recon.also try _sip, _ldap, _kerberos for AD/VoIP

dig +short TXT _mta-sts.example.com && dig +short TXT _smtp._tls.example.com

Look up MTA-STS and TLS-RPT policies to assess SMTP transport-security posture.missing MTA-STS allows downgrade interception

DNSSEC, Caching & Zone Walking

(6)

dig example.com DNSKEY +short

Retrieve DNSSEC signing keys to confirm whether the zone is signed and which algorithms are in use.no DNSKEY = unsigned zone, spoofable cache

dig example.com +dnssec

Request DNSSEC records (RRSIG/NSEC) alongside the answer to validate signatures and see the chain.ad flag in the header = validated by resolver

dig nonexistent.example.com NSEC +short

Query for a bogus name to capture the NSEC record, which leaks the next existing name in the zone.NSEC chains enable full zone walking

nsec3walker example.com

Walk an NSEC3-signed zone by collecting and offline-cracking the hashed name records to recover subdomains.or use ldns-walk / nsec3map for NSEC3 hashes

dig example.com A @ns1.example.com +norecurse

Ask an authoritative server directly with recursion disabled to see exactly what it serves.distinguishes authoritative answers from cache

dig version.bind CHAOS TXT @ns1.example.com

Fingerprint the DNS server software/version via the BIND CHAOS-class version.bind query.also try hostname.bind / id.server CHAOS TXT

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

Nmap Scanning Cheatsheet Google Dorking Cheat Sheet Subdomain Enumeration Cheat Sheet OSINT & Reconnaissance Cheat Sheet

Frequently asked questions

What is the DNS Enumeration Cheat Sheet?+

It's a quick-reference collection of 45 DNS Enum payloads for testing DNS Enumeration vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these DNS Enum payloads?+

Copy any payload straight into your authorized test, or use the DNS Record Lookup to apply them interactively. Only test systems you have explicit permission to assess.

Are these DNS Enum payloads free to use?+

Yes — this cheat sheet and all DNS Enum payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the DNS Enumeration Cheat Sheet?+

How do I use these DNS Enum payloads?+

Copy any payload straight into your authorized test, or use the DNS Record Lookup to apply them interactively. Only test systems you have explicit permission to assess.

Are these DNS Enum payloads free to use?+

Yes — this cheat sheet and all DNS Enum payloads are completely free, with no account required. Everything runs in your browser.

DNS Enumeration Cheat Sheet

Record Queries with dig

host & nslookup Quick Lookups

Zone Transfers (AXFR / IXFR)

Subdomain Brute Force

Reverse DNS & Netblock Sweeps

Mail, SPF, DMARC & DKIM

DNSSEC, Caching & Zone Walking

Related Tools

Related Cheat Sheets

Frequently asked questions

DNS Enumeration Cheat Sheet

Record Queries with dig

host & nslookup Quick Lookups

Zone Transfers (AXFR / IXFR)

Subdomain Brute Force

Reverse DNS & Netblock Sweeps

Mail, SPF, DMARC & DKIM

DNSSEC, Caching & Zone Walking

Related Tools

Related Cheat Sheets

Frequently asked questions