# DNS ## **Introduction** > DNS Typically runs on port 53 UDP but it can also run on TCP\ > DNS translates domain names to IP addresses\ > Useful resources: > > * > * ## **DNS Records** | DNS Record | Description | | ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | A | Returns an IPv4 address of the requested domain as a result. | | AAAA | Returns an IPv6 address of the requested domain. | | MX | Returns the responsible mail servers as a result. | | NS | Returns the DNS servers (nameservers) of the domain. | | TXT | This record can contain various information. For example, it can be used to validate the Google Search Console or validate SSL certificates. | | CNAME | This record serves as an alias. If the domain [www.hackthebox.eu](http://www.hackthebox.eu) should point to the same IP, and we create an A record for one and a CNAME record for the other. | | PTR | The PTR record works the other way around (reverse lookup). It converts IP addresses into valid domain names. | | SOA | Provides information about the corresponding DNS zone and email address of the administrative contact. | ## **Basic Interaction** | Command | Description | | ------------------------------- | -------------------------------------------------------- | | dig ns \ @dns-ip | NS request to the specific nameserver. | | dig any \ @dns-ip | ANY request to the specific nameserver. | | dig axfr \ @dns-ip | AXFR (ZONE TRANSFER) request to the specific nameserver. | | fierce --domain zonetransfer.me | Use fierce to scan for Zone Transfers | ## **Sub-Domain Enumeration:** There are different tools to perform subdomain enumeration: 1. `./subfinder -d test.com -v` 2. `sublist3r.py -d test.com` 3. `./subbrute test.com -s ./names.txt -r ./resolvers.txt` **Subdomain Fuzzing:** 1. `ffuf -w wordlist.txt:FUZZ -u https://FUZZ.server.com/` 2. `gobuster dns -d example.com -w wordlists.txt` **VHost Fuzzing** 1. `ffuf -w wordlist.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs ` 2. `gobuster vhost --url test.example --wordlist /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain` **Subdomain Bruteforcing:** ``` Option (1): dnsenum --dnsserver --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list Option (2): for sub in $(cat path/to/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.14.128 \| grep -v ';\|SOA' \| sed -r '/^\s*$/d' \| grep $sub \| tee -a subdomains.txt;done ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.sfoffo.com/protocols-and-services/dns.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.