DNS enumeration is how you find out which domains and subdomains an organization owns and, from the records attached to those names, which hosts and services sit behind them. It is a reconnaissance technique that lets an attacker map a target’s external footprint and spot candidate entry points, mostly by asking public resolvers and passive data sources rather than touching the target’s own systems.

Let’s see it in action. Imagine we’re targeting example.com.

First, we’ll use dig to query for various record types.

dig example.com SOA
dig example.com NS
dig example.com MX
dig example.com TXT
dig example.com A
dig example.com AAAA

This gives us the basics. SOA names the primary master for the zone, the hostmaster contact (an e-mail address written as a DNS name) and the zone serial; NS lists the authoritative name servers; MX lists the mail exchangers and their priorities; TXT usually carries the SPF policy plus domain-verification tokens that name the SaaS providers in use; A and AAAA give the IPv4 and IPv6 addresses. But that’s just the tip of the iceberg.

The real power comes from discovering subdomains. We can use tools like sublist3r or amass for this.

sublist3r -d example.com

This tool queries search engines and passive sources such as certificate and passive-DNS databases for names that have already been seen under the domain; by default nothing is brute-forced. Here’s a snippet of what you might see:

[+] Found subdomain: mail.example.com
[+] Found subdomain: ftp.example.com
[+] Found subdomain: dev.example.com
[+] Found subdomain: staging.example.com

amass is more comprehensive: it pulls from a much wider set of passive sources, resolves what it finds, and can add brute-force guessing (the -brute flag) and permutations of discovered names on top. With either tool, a returned name is a lead, not a confirmed host: a name pulled from a certificate log may have been decommissioned years ago, so everything still has to be resolved.

amass enum -d example.com

Output, trimmed and shown here in zone-file form, might look like this:

...
Found 2838 DNS names
...
example.com.                 1800    IN      A       93.184.216.34
mail.example.com.            3600    IN      A       192.168.1.10
dev.example.com.             7200    IN      A       10.0.0.5
www.example.com.             300     IN      CNAME   example.com.
...

Note the 192.168.1.10 and 10.0.0.5 answers: RFC 1918 addresses published in public DNS reveal the target’s internal address ranges and name internal hosts that no external scan would ever find.

Once we have a list of subdomains, we pivot to the records of each one. For mail.example.com:

dig mail.example.com A
dig mail.example.com AAAA
dig mail.example.com MX

SRV records are not attached to a host name; they live under _service._proto labels in the zone, so querying mail.example.com for SRV returns nothing even when the zone is full of them. Query the labels instead:

dig _sip._tcp.example.com SRV
dig _xmpp-client._tcp.example.com SRV
dig _ldap._tcp.example.com SRV

This helps us understand what services are running. MX records name the hosts that accept mail for a name (with their priorities), A/AAAA records give the addresses to scan, and an SRV record returns the target host, port and priority for a specific service (VoIP, XMPP, LDAP, Kerberos), which is often a cleaner pointer to a live service than a port scan.

The problem this solves is information asymmetry. An organization might consider internal.example.com a private resource, but if its record sits in a publicly queryable zone, an attacker can discover it as easily as www. The attack surface is whatever resolves, not whatever the organization believes is private, and names like dev, staging and vpn often point at the least-hardened systems.

Internally, DNS enumeration is just asking the DNS the questions it is built to answer. A query names an owner (example.com, dev.example.com) and a record type; a recursive resolver walks the delegation chain from the root servers down to the zone’s authoritative servers (the NS set you saw earlier) and returns whatever they hold. The response code matters as much as the data: NXDOMAIN means the name does not exist at all, while NOERROR with an empty answer section (NODATA) means the name exists but has no record of that type, so a NODATA reply to an A query still confirms a subdomain, and brute-force tools treat the two outcomes differently. Wildcard records are the usual false positive: if *.example.com resolves, every guess appears to exist, so tools probe a random label first and discard answers that match it. Zone transfers (AXFR) request the entire zone and exist to replicate it from a primary to its secondaries; well-run servers restrict them to known secondaries (allow-transfer in BIND), but a misconfigured one hands over the complete host list in a single query. Try the transfer against every authoritative server, not just the first NS record, because each secondary is configured independently of the primary.
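The mechanics described above, as an added example that is not code from the original article: a standard-library DNS client that builds a query, parses the reply (including name compression), classifies the response code as absent / exists / exists-nodata, and flags private addresses leaking through public DNS. The resolver address in send_query() and the two byte-string replies at the bottom are assumptions constructed for this example, not captured traffic, so the parsing runs offline.

```python
"""Minimal stdlib DNS client: build a query, parse the reply, read the rcode.
Added example, not code from the article. Wire format per RFC 1035;
send_query() uses a real resolver (its address is an assumption), while
the replies at the bottom are constructed so parsing runs offline."""
import ipaddress
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16,
          "AAAA": 28, "SRV": 33, "AXFR": 252}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}

def encode_name(name):
    """dev.example.com -> 3 'dev' 7 'example' 3 'com' 0 (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    # Header: id, flags (RD=1 so a resolver recurses for us), QD=1, AN/NS/AR=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)

def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer
            end = end if jumped else offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
        elif length == 0:
            return ".".join(labels) + ".", (end if jumped else offset + 1)
        else:
            labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
            offset += 1 + length

def parse_response(msg):
    """Return (rcode name, [(owner, type, ttl, value), ...]) from the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0xF, str(flags & 0xF))
    offset = 12
    for _ in range(qd):                            # skip the question section
        offset = read_name(msg, offset)[1] + 4
    answers = []
    for _ in range(an):
        owner, offset = read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1:
            value = socket.inet_ntoa(rdata)
        elif rtype == 28:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype in (2, 5):                      # NS / CNAME carry a name
            value = read_name(msg, offset)[0]
        elif rtype == 15:                          # MX: preference, then a name
            value = f"{rdata[0] << 8 | rdata[1]} {read_name(msg, offset + 2)[0]}"
        elif rtype == 16:                          # TXT: first <len><bytes> string
            value = rdata[1:1 + rdata[0]].decode("ascii", "replace")
        else:
            value = rdata.hex()
        answers.append((owner, TYPE_NAMES.get(rtype, str(rtype)), ttl, value))
        offset += rdlen
    return rcode, answers

def classify(rcode, answers):
    """NXDOMAIN: name does not exist. NOERROR with no answers (NODATA): the
    name exists but has no record of that type, which still confirms a
    subdomain during brute forcing."""
    if rcode == "NXDOMAIN":
        return "absent"
    if rcode == "NOERROR":
        return "exists" if answers else "exists-nodata"
    return rcode.lower()

def private_addresses(answers):
    """RFC 1918 / ULA addresses leaking through public DNS are worth flagging."""
    return [v for _, t, _, v in answers
            if t in ("A", "AAAA") and ipaddress.ip_address(v).is_private]

def send_query(name, qtype, resolver="9.9.9.9"):
    """Live UDP lookup against a public resolver (address is an assumption)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name, qtype), (resolver, 53))
        return parse_response(s.recvfrom(4096)[0])

# Constructed replies (not captured traffic): an answer for dev.example.com A
# whose owner is a compression pointer (0xC00C) back to the question name, and
# an NXDOMAIN (rcode 3) for a name that does not exist.
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                + encode_name("dev.example.com") + struct.pack("!HH", 1, 1)
                + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 7200, 4) + bytes([10, 0, 0, 5]))
NXDOMAIN_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
                  + encode_name("nope.example.com") + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    for r in (SAMPLE_REPLY, NXDOMAIN_REPLY):
        print(classify(*parse_response(r)), parse_response(r)[1])
```

AXFR is in the type table for completeness, but a zone transfer runs over TCP with a length prefix, so send_query() as written will not perform one; the point of the block is the rcode handling, which is what separates a usable brute-force loop from one that reports every NODATA name as missing.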

A common target is the e-mail authentication data kept in TXT records. The SPF policy is a TXT record at the zone apex beginning v=spf1; its ip4:, ip6: and include: terms list the networks and third-party providers allowed to send mail as example.com, which often exposes outbound relays and SaaS mail vendors that MX records alone never show, since MX only covers inbound mail. _dmarc.example.com holds the DMARC policy (p=none, quarantine or reject) and the rua= and ruf= reporting addresses, which tell you whether spoofed mail would actually be rejected and which monitoring vendor the organization uses. A DMARC policy of p=none, or an SPF record ending in +all or ?all, is itself a finding: the domain can be spoofed.
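To show what an attacker actually extracts from those records, here is an added example (not code from the original article) that walks an SPF policy through its include: chain, collecting authorized networks and the provider domains it trusts, and parses the _dmarc record for its policy and report recipients. The TXT_RECORDS table is a constructed stand-in for DNS so the block runs offline; every domain, address and record value in it is made up, and lookup_txt() is the one function to replace with a real query.

```python
"""Extract sender-authorization data from SPF and DMARC TXT records.
Added example, not code from the article. A constructed table of TXT
records stands in for DNS so it runs offline; every domain, address and
record in it is made up. Swap lookup_txt() for a real query to use it live."""
import ipaddress
import re

# Constructed records (assumption): what dig <name> TXT +short would return.
TXT_RECORDS = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example -all"],
    "_spf.mailvendor.example": [
        "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 include:example.com ~all"],  # loops back on purpose
    "_dmarc.example.com": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com, mailto:reports@thirdparty.example; pct=100"],
}

def lookup_txt(name, records=TXT_RECORDS):
    """Stand-in for a TXT query; returns the strings published at name."""
    return records.get(name.rstrip(".").lower(), [])

def parse_spf(domain, records=TXT_RECORDS, _visited=None):
    """Walk an SPF policy, following include: and redirect= transitively.
    Returns the authorized networks, the domains visited (the providers the
    organization trusts to send as it) and the qualifier on the top-level
    'all' term: -all hard fail, ~all soft fail, +all/?all/missing means SPF
    protects nothing. a/mx mechanisms need extra lookups and are skipped."""
    visited = [] if _visited is None else _visited
    domain = domain.rstrip(".").lower()
    result = {"networks": [], "visited": visited, "all": None}
    if domain in visited or len(visited) >= 10:   # loop guard / RFC 7208 lookup limit
        return result
    visited.append(domain)
    for rec in lookup_txt(domain, records):
        if not rec.lower().startswith("v=spf1"):
            continue
        for term in rec.split()[1:]:
            qualifier = term[0] if term[0] in "+-~?" else "+"
            mech = term.lstrip("+-~?")
            if mech.startswith(("ip4:", "ip6:")):
                result["networks"].append(ipaddress.ip_network(mech[4:], strict=False))
            elif mech.startswith(("include:", "redirect=")):
                target = re.split("[:=]", mech, maxsplit=1)[1]
                result["networks"].extend(parse_spf(target, records, visited)["networks"])
            elif mech == "all":
                result["all"] = qualifier + "all"
    return result

def parse_dmarc(domain, records=TXT_RECORDS):
    """Parse _dmarc.<domain> into its tags and pull the domains that receive
    aggregate/forensic reports (rua/ruf); these usually name a monitoring vendor."""
    for rec in lookup_txt("_dmarc." + domain, records):
        if not rec.lower().startswith("v=dmarc1"):
            continue
        pairs = (part.split("=", 1) for part in rec.split(";") if "=" in part)
        tags = {k.strip().lower(): v.strip() for k, v in pairs}
        mailboxes = re.findall(r"mailto:([^,;\s]+)", tags.get("rua", "") + " " + tags.get("ruf", ""))
        tags["report_domains"] = sorted({m.split("@", 1)[1] for m in mailboxes if "@" in m})
        return tags
    return None

def findings(domain, records=TXT_RECORDS):
    """Turn the parsed records into the lines a recon report would carry."""
    spf, dmarc = parse_spf(domain, records), parse_dmarc(domain, records)
    out = [f"authorized sender: {n}" for n in spf["networks"]]
    out += [f"third-party mail provider: {d}" for d in spf["visited"][1:]]
    if spf["all"] not in ("-all", "~all"):
        out.append("SPF does not fail unknown senders")
    if dmarc is None or dmarc.get("p", "none") == "none":
        out.append("DMARC does not enforce (spoofed mail is not rejected)")
    out += [f"DMARC reports go to: {d}" for d in (dmarc or {}).get("report_domains", [])]
    return out

if __name__ == "__main__":
    print("\n".join(findings("example.com")))
```

The include: loop in the constructed data is deliberate: real SPF chains do loop, and RFC 7208 caps evaluation at ten DNS-querying terms, so the walker tracks visited domains and stops rather than recursing forever.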

The next concept you’ll run into is identifying vulnerable services running on the discovered IPs, often through port scanning and vulnerability analysis.
