
DNS OSINT

December 10, 2025 8 min read

DNS enumeration is an active reconnaissance technique used to directly query a target’s infrastructure for intelligence.

The Domain Name System (DNS) functions as the internet’s translation layer, converting human-readable domain names (like google.com) into the numeric IP addresses that systems use to communicate. When you interact with DNS, you are actively asking the target—or its authoritative name servers—questions about its environment.

Because many DNS records are intentionally public, these queries often reveal valuable details about an organization’s network layout. This may include web and mail servers, subdomains, administrative hosts, third-party services, and in some cases even internal naming patterns that expose how the network is structured.

From a red team perspective, DNS is one of the fastest and lowest-noise active reconnaissance methods available. A small number of carefully crafted DNS requests can map a large portion of a target’s external attack surface, and sometimes uncover misconfigurations that leak internal information—all without triggering the alarms associated with aggressive scanning.

Most Useful DNS Record Types

In penetration testing, querying these records helps you map the target’s network and find attack surfaces fast.

| Record | Name           | What It Reveals                                                                              |
|--------|----------------|----------------------------------------------------------------------------------------------|
| NS     | Nameserver     | The DNS servers responsible for controlling and managing the domain                          |
| A      | Address        | The IPv4 address linked to a hostname (e.g., www → 1.2.3.4)                                  |
| AAAA   | Quad-A         | The IPv6 address linked to a hostname                                                        |
| MX     | Mail Exchange  | The mail servers that handle incoming email for the domain                                   |
| PTR    | Pointer        | The hostname associated with a specific IP address (reverse DNS lookup)                      |
| CNAME  | Canonical Name | Domain aliases (e.g., www → real-server.example.com)                                         |
| TXT    | Text           | Free-form text data, often used for verification, security policies, or email authentication |

The host Command

The host utility is a fast and lightweight tool for querying DNS records directly from the terminal. By default, it resolves domain names to their IP addresses by retrieving A records, making it ideal for rapid reconnaissance.

Basic Usage Examples

  • Resolve a domain to an IP address: Returns the IPv4 address if the record exists.
host www.example.com
  • Query a specific record type: Lists the domain’s mail servers along with their priority values (lower numbers indicate higher priority).
host -t MX example.com
  • Retrieve TXT records: Displays verification strings and custom metadata such as SPF or DKIM entries.
host -t TXT example.com

If a hostname does not exist, host returns an NXDOMAIN error, indicating that no such name exists in the zone.

Automating Discovery with Bash

DNS reconnaissance becomes far more powerful when combined with simple automation and scripting.

  1. Create a wordlist: Prepare a file (for example, list.txt) containing common hostnames such as www, mail, router, and vpn.
  2. Brute-force subdomains: This loop tests each hostname against the target domain and returns valid DNS records, helping you quickly uncover hidden or forgotten subdomains.
while read -r name; do host "$name.example.com"; done < list.txt

Reverse DNS Enumeration

To map IP addresses back to hostnames, use reverse lookups:

for ip in $(seq 200 254); do host 192.168.1.$ip; done | grep -v "not found"

This command scans a range of IP addresses and filters out non-existent results, revealing live hosts and active systems on the network.
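Seen from the defender's side, both loops above leave a recognisable trace in resolver or authoritative logs: a burst of NXDOMAIN answers for many distinct names under one zone, or a run of PTR queries walking through one /24. The following Python is an added example, not code from the original page; it runs that check over constructed, simplified log lines, and the log format, the bucket keys and the threshold are all assumptions.

```python
from collections import defaultdict

# Constructed, simplified resolver response-log lines (not a real BIND or Unbound
# log format): client IP, queried name, query type and response code.
SAMPLE_LOG = """\
client=203.0.113.7 qname=www.example.com qtype=A rcode=NOERROR
client=203.0.113.7 qname=router.example.com qtype=A rcode=NXDOMAIN
client=203.0.113.7 qname=vpn.example.com qtype=A rcode=NXDOMAIN
client=203.0.113.7 qname=dev.example.com qtype=A rcode=NXDOMAIN
client=203.0.113.7 qname=beta.example.com qtype=A rcode=NXDOMAIN
client=198.51.100.20 qname=200.1.168.192.in-addr.arpa qtype=PTR rcode=NXDOMAIN
client=198.51.100.20 qname=201.1.168.192.in-addr.arpa qtype=PTR rcode=NXDOMAIN
client=198.51.100.20 qname=202.1.168.192.in-addr.arpa qtype=PTR rcode=NOERROR
client=198.51.100.20 qname=203.1.168.192.in-addr.arpa qtype=PTR rcode=NXDOMAIN
client=192.0.2.44 qname=typo.example.com qtype=A rcode=NXDOMAIN
"""

REQUIRED = ("client", "qname", "qtype", "rcode")

def parse_line(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict; returns {} for blank or malformed lines."""
    try:
        rec = dict(field.split("=", 1) for field in line.split())
    except ValueError:
        return {}
    return rec if all(k in rec for k in REQUIRED) else {}

def detect_enumeration(log: str, min_names: int = 4) -> list:
    """Return sorted (client, kind, distinct_names) for clients whose queries look
    like a subdomain brute-force (many distinct NXDOMAIN names under one parent
    zone) or a reverse sweep (many PTR lookups inside one /24). The log passed in
    should already be limited to one detection window (for example one minute)."""
    buckets = defaultdict(set)
    for rec in map(parse_line, log.splitlines()):
        if not rec:
            continue
        name = rec["qname"].rstrip(".")
        if rec["qtype"] == "PTR" and name.endswith(".in-addr.arpa"):
            # 203.1.168.192.in-addr.arpa -> /24 bucket "192.168.1"
            net = ".".join(reversed(name.split(".")[1:4]))
            buckets[(rec["client"], "reverse-sweep", net)].add(name)
        elif rec["rcode"] == "NXDOMAIN" and "." in name:
            parent = name.split(".", 1)[1]  # zone the guessed labels sit under
            buckets[(rec["client"], "subdomain-bruteforce", parent)].add(name)
    return sorted((client, kind, len(names))
                  for (client, kind, _zone), names in buckets.items()
                  if len(names) >= min_names)
```

Successful forward lookups are deliberately ignored, so ordinary browsing of a domain never contributes to the brute-force bucket; only failed guesses do.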

Scaling with SecLists

For larger-scale enumeration, install SecLists:

sudo apt install seclists

SecLists provides extensive, community-maintained collections of common hostnames, paths, and patterns, stored in /usr/share/seclists. These wordlists are ideal for high-coverage DNS brute-forcing. By cycling through them in your scripts, you can uncover hidden services, legacy systems, and forgotten infrastructure nodes lurking in the network.

DNSRecon Tool

DNSRecon is a Python-based reconnaissance tool designed for advanced DNS enumeration. It is widely used during security assessments to uncover hidden domain details and map an organization’s DNS infrastructure.

Standard DNS Enumeration

To query the most common DNS record types, use the following command:

dnsrecon -d example.com -t std

This mode checks for DNSSEC and enumerates key DNS records, including:

  • NS – Authoritative name servers
  • MX – Mail servers
  • TXT – Verification and security-related entries

The output provides valuable insight into authoritative DNS servers, email handling infrastructure, and domain verification mechanisms.

Brute-Force Subdomain Discovery

DNSRecon can also automate subdomain discovery using a wordlist.

dnsrecon -d example.com -D /path/to/list.txt -t brt

This technique tests each prefix and reports valid subdomains along with their resolved IP addresses (for example, web.example.com → 192.0.2.10).

Why DNSRecon Matters

By combining record enumeration and automated guessing, DNSRecon streamlines the process of mapping a domain’s structure. It enables testers to quickly identify exposed services, forgotten hosts, and potential entry points during penetration tests.

dnsenum Tool

DNSenum is a fast, fully automated DNS enumeration tool that combines standard DNS record discovery, subdomain brute-forcing, and reverse DNS lookups into a single workflow. It’s built for speed and broad coverage—ideal when you want maximum results with minimal setup.

Basic Usage

Simply provide a target domain and let DNSenum handle the heavy lifting:

dnsenum example.com

What DNSenum Does Automatically

  • Enumerates standard DNS records such as NS, MX, TXT, and more
  • Brute-forces subdomains using its large built-in wordlist
    (/usr/share/dnsenum/dns.txt)
  • Performs reverse DNS lookups on discovered IP ranges
  • Correlates hostnames with their resolved IP addresses

Example Output Highlights

  • Uncovers hidden or non-obvious hosts such as admin, beta, intranet, vpn, siem
  • Identifies additional web servers (e.g., www2)
  • Reveals full IP ranges associated with the target domain

In real-world security assessments, a single DNSenum run can expose 10–50+ valid hosts that smaller wordlists or manual techniques often miss—making it a powerful tool for rapidly expanding a target’s attack surface.
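The same hostname-to-IP output is what a zone owner should triage after running these tools against their own domain: names such as intranet or siem that resolve publicly, and public answers that carry RFC 1918 addresses, are exactly the internal-information leaks the introduction describes. The Python below is an added example, not code from the original page or from DNSRecon/dnsenum; the result lines, the internal address ranges and the label watch-list are constructed assumptions.

```python
import ipaddress

# Constructed enumeration results in the "hostname IP" shape the brute-force
# output above reports; none of these names or addresses is real.
SAMPLE_RESULTS = """\
www.example.com 192.0.2.10
www2.example.com 192.0.2.11
mail.example.com 192.0.2.25
vpn.example.com 198.51.100.5
intranet.example.com 10.20.30.40
siem.example.com 10.20.30.41
beta.example.com 2001:db8::beef
"""

# Address space that should never appear in answers from a public zone
# (RFC 1918 plus IPv6 unique local addresses).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Labels the page lists as typical finds; assumed watch-list, tune per environment.
SENSITIVE_LABELS = {"admin", "intranet", "siem", "vpn", "beta", "dev", "staging"}

def is_internal(ip: str) -> bool:
    """True when ip parses and falls inside INTERNAL_NETS (v4 or v6)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def triage(results: str, domain: str) -> list:
    """Return (hostname, ip, findings) for each record worth a second look, in
    input order: 'private-ip' = the public zone leaks internal addressing,
    'sensitive-name' = a label suggests an internal or admin system."""
    domain = domain.lower().rstrip(".")
    flagged = []
    for line in results.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank or malformed line
        host, ip = parts[0].lower().rstrip("."), parts[1]
        if not host.endswith("." + domain):
            continue  # only judge names inside the zone being assessed
        findings = []
        if is_internal(ip):
            findings.append("private-ip")
        if set(host[: -len(domain) - 1].split(".")) & SENSITIVE_LABELS:
            findings.append("sensitive-name")
        if findings:
            flagged.append((host, ip, findings))
    return flagged
```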

nslookup — Windows DNS Lookup

nslookup is a native Windows DNS query tool built into every modern version of Windows—no installation required. This makes it ideal for Living off the Land (LotL) scenarios, especially when operating on a compromised Windows host where stealth and a low footprint matter.

Basic DNS Query

nslookup mail.target.com

Returns the IP address (A record) for the specified hostname using the system’s default DNS resolver.

Query a Specific DNS Server and Record Type

nslookup -type=TXT info.target.com 192.168.1.10

Sends a DNS request directly to the specified DNS server (192.168.1.10) and retrieves the TXT record for info.target.com.

Operator Tips

  • Change the record type using -type= (A, MX, TXT, NS, PTR, and more)
  • Easily automate enumeration using batch scripts or PowerShell loops
  • Functionally similar to Linux’s host command, but 100% native to Windows
  • Perfect for quiet DNS reconnaissance when tools like Kali Linux aren’t available
