Exam objective: 2.1 Information gathering — DNS lookups, reverse DNS; 2.2 Enumeration — DNS enumeration.
In this lab you will use whois, dig, dnsenum and dnsrecon to map a target's DNS footprint. Target: zonetransfer.me — a deliberately misconfigured domain run by DigiNinja that allows zone transfer, making it perfect for practice.
whois example.com | head -40You'll see registrar, registration date, name servers, abuse contacts. Pentest value:
- Name servers reveal hosting provider.
- Registrant org sometimes leaks corporate identity.
- Registration age hints at typosquat domains.
dig zonetransfer.me A
dig zonetransfer.me MX
dig zonetransfer.me NS +short
dig zonetransfer.me TXTLook for:
- A / AAAA — hosting IP.
- MX — mail servers (target for phishing infra).
- TXT — SPF, DKIM, often leaks 3rd-party services (Salesforce, MailChimp, etc.).
- NS — DNS providers.
dig -x 8.8.8.8 +shortUse this to confirm ownership of IP ranges from Step 2.
dig axfr @nsztm1.digi.ninja zonetransfer.meOn a well-configured server this returns Transfer failed. On zonetransfer.me you get the entire zone — every host, every record. That's a critical misconfig you'd report immediately.
dnsenum zonetransfer.mednsenum chains: AXFR attempt → brute-force subdomain dictionary → reverse lookup of returned IPs → NetCraft search. Save output:
dnsenum --output zonetransfer.xml zonetransfer.mednsrecon -d zonetransfer.me -t std # SOA, NS, A, MX, SRV
dnsrecon -d zonetransfer.me -t axfr # AXFR test
dnsrecon -d zonetransfer.me -t brt -D /usr/share/wordlists/dnsmap.txt # brute forcedig zonetransfer.me +dnssec +short
dig DNSKEY zonetransfer.me +shortIf the zone uses NSEC (not NSEC3), you can walk the entire zone with ldns-walk:
ldns-walk zonetransfer.meReport finding: "Zone exposes all records via NSEC walking — switch to NSEC3 with salt and opt-out."
- How
whois,dig,dnsenumanddnsreconcomplement each other. - How to test for AXFR and NSEC walking.
- Which DNS findings are reportable (open AXFR, NSEC, missing SPF/DMARC).