Port 53 - DNS

Enumeration

# Primary DNS check
host <domain name> 
host -t ns <domain name>
host -t mx <domain name> 

nslookup contoso.com

# Reverse DNS check
host <ip address> 

# DNS zone transfer file 
## host -l <domain name> <name server>
host -l googlecom ns1.google.com

## dig @<dns server> <domain> axfr
dig @10.10.10.123 friendzone.red axfr 

# Automated recons
dnsenum google.com 
dnsrecon -d contoso.com
dnsrecon -d active.htb -a -n <IP_DNS>  # Zone transfer

Scripts

# if argument was given, identify the DNS servers for the domain
for server in $(host ­-t ns $1 | cut ­-d" " ­-f4);do
# For each of these servers, attempt a zone transfer
host -l $1 $server | grep "has address"
done

Active Directory Server

dig -t _gc._tcp.lab.domain.com
dig -t _ldap._tcp.lab.domain.com
dig -t _kerberos._tcp.lab.domain.com
dig -t _kpasswd._tcp.lab.domain.com
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='domain.com'"