DNS Toolbox: How to Perform a Full DNS Enumeration and Domain Research

reconnaissance tools tips

SecurityTrails Blog · Mar 21 · SecurityTrails team

Reading time: 9 minutes

As we’ve said before, DNS is still the heart and soul of the Internet. It’s the core service that makes everything work—without it the net wouldn’t be as widespread as it is today.

While DNS systems have known security flaws, they can still be used in many ways to extract valuable information from domain names and DNS zones.

That’s why today we’ll explore how to use our SecurityTrails DNS toolbox, so you can learn how to use this intelligent database to empower your own security research tasks.

The classic way to perform a DNS lookup and DNS enumeration

“It all starts with a domain name” is the marketing phrase we often hear from web hosting providers. But we’re not trying to sell you a web hosting plan; we’re just trying to show you the importance of domain names in infosec research.

dig is one of the most classic commands available for performing any DNS lookup against your target.

The syntax is pretty easy to understand:

dig targetsite.com

Expected output:

[research@securitytrails.com ~]$ dig infosecinstitute.com
; <<>> DiG 9.11.5-P4-RedHat-9.11.5-4.P4.fc29 <<>> infosecinstitute.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43414
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;infosecinstitute.com. IN A
;; ANSWER SECTION:
infosecinstitute.com. 3600 IN A 104.199.119.187
;; AUTHORITY SECTION:
infosecinstitute.com. 86400 IN NS ns1.pairnic.com.
infosecinstitute.com. 86400 IN NS ns2.pairnic.com.
;; ADDITIONAL SECTION:
ns1.pairnic.com. 76163 IN A 216.92.3.91
ns1.pairnic.com. 76163 IN AAAA 2607:f440::d85c:35b
ns2.pairnic.com. 76163 IN A 66.39.3.60
ns2.pairnic.com. 76163 IN AAAA 2607:f440::4227:33c
;; Query time: 327 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: mar mar 05 13:45:10 -03 2019
;; MSG SIZE rcvd: 197

You can also query specific name servers using the @ option, for example.

dig infosecinstitute.com @1.1.1.1

Expected output:

[research@securirytrails.com ~]$
;; ANSWER SECTION:
infosecinstitute.com. 2970 IN A 104.199.119.187
;; Query time: 34 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: mar mar 05 13:50:40 -03 2019
;; MSG SIZE rcvd: 65

You’ll notice the answer server is the one we specified before, in this case Cloudflare.

By using dig command, you can not only perform simple DNS lookups, you can also have some fun by adding AXFR queries to test if the remote DNS server allows DNS zone transfers.

There is a visual alternative written by Google (G-suite DNS toolkit) that allows you to perform simple DNS lookups from a GUI interface. It’s available at https://toolbox.googleapps.com/apps/dig/, however, you’re not able to run AXFR queries from there.

G-Suite DNS Toolkit

Other ways to perform DNS lookup, DNS enumeration or DNS records exploration is by using the dnsenum tool along with crunch utility (to generate wordlists), or dnsrecon, as you see below:

[research@securitytrails.com]# python dnsrecon.py -d securitytrails.com
[*] Performing General Enumeration of Domain: securitytrails.com
[-] DNSSEC is not configured for securitytrails.com
[-] Error while resolving SOA record.
[*] NS ns08.domaincontrol.com 173.201.71.4
[*] NS ns07.domaincontrol.com 97.74.103.4
[*] NS ns07.domaincontrol.com 2603:5:2170::4
[*] MX aspmx.l.google.com 64.233.186.26
[*] MX aspmx2.googlemail.com 74.125.140.26
[*] MX alt2.aspmx.l.google.com 74.125.128.26
[*] MX alt1.aspmx.l.google.com 74.125.140.27
[*] MX aspmx3.googlemail.com 74.125.128.26
[*] MX aspmx.l.google.com 2800:3f0:4003:c00::1a
[*] MX aspmx2.googlemail.com 2a00:1450:400c:c08::1b
[*] MX alt2.aspmx.l.google.com 2a00:1450:4013:c02::1b
[*] MX alt1.aspmx.l.google.com 2a00:1450:400c:c08::1b
[*] MX aspmx3.googlemail.com 2a00:1450:4013:c02::1b
[*] A securitytrails.com 151.139.243.5
[*] TXT securitytrails.com google-site-verification=f1kZRxabnosuHEkqGjmlXNcfsr8VxRHBZ_d-m_hHp_Q
[*] TXT securitytrails.com v=spf1 include:mail.zendesk.com include:_spf.google.com ~all
[*] Enumerating SRV Records
[-] No SRV Records Found for securitytrails.com
[+] 0 Records Found

Other ways to do the same would be by using Nmap’s powerful NME capabilities. For example, this becomes an easy task with broadcast-dns-service-discovery or dns brute:

nmap -T5 -p 53 --script dns-brute securitytrails.com

Expected output:

[research@securitytrails.com ~]# nmap -T5 -p 53 --script dns-brute securitytrails.com
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-05 14:30 -03
Nmap scan report for securitytrails.com (151.139.243.5)
Host is up (0.054s latency).
PORT STATE SERVICE
53/tcp filtered domain
Host script results:
| dns-brute:
| DNS Brute-force hostnames:
| app.securitytrails.com - 3.208.131.122
| app.securitytrails.com - 34.199.135.195
| app.securitytrails.com - 34.230.171.72
| www.securitytrails.com - 151.139.243.5
| blog.securitytrails.com - 151.139.243.5
| ftp.securitytrails.com - 151.139.243.5
| dev.securitytrails.com - 151.139.241.24
|_ stage.securitytrails.com - 151.139.243.20
Nmap done: 1 IP address (1 host up) scanned in 24.30 seconds

The previous command can help you enumerate DNS hosts by applying a brute force technique to discover existing subdomain names. In this specific test it only took 24 seconds. However, as with many other brute-force techniques, it can sometimes be time consuming, especially while using tools that attempt to explore huge wordlists.

From SecurityTrails, the one DNS toolbox for analyzing all your domains and DNS records

Dig, and other DNS lookup and mapping tools are great, but let’s be honest, they’re pretty slow when you need to perform a lot of domain lookups, or DNS enumerations.

You can lose even more time if you need to correlate data from WHOIS information, domains, IP addresses, etc. It’s a job that can literally take days.

That’s why we built the best DNS toolbox there is for security researchers and IT professionals. Our DNS toolkit allows you to query domains with lightning speed, and you can browse any company in the world, explore their DNS records, IP addresses, and domain names in a way that makes data correlation easier than ever.

We also offer historical DNS records, something none of the previously mentioned DNS and domain terminal-based tools include at the moment.

Let’s analyze the features of our main DNS toolbox one-by-one.

Domain Check

In order to start your domain check, just go to: securitytrails.com

Enter any given domain name, and hit Search.

You’ll get a summary of some of the most important information about that domain name, such as:

  • DNS records
  • Historical data
  • Subdomains

DNS Toolbox Domain Check

As shown in the image above, you’ll get a full DNS lookup for all the available DNS records in our database, such as A, AAAA, MX, NS and TXT.

Historical Data

Here at SecurityTrails we hold over 3.4 trillion historical DNS records ready to be fetched at your command.

This is useful not only for investigating security changes when something happens with any domain name, but also for recovering lost DNS records when the DNS changes are already propagated and there are no DNS zone backups.

Right now we support historical records for A, AAAA, MX, NS, SOA and TXT.

Historical records

Subdomain Mapping

Forget about using manual tools: our intelligent platform will let you fetch all existing subdomain names within any domain on the Internet.

You can order and filter by Name, Alexa Rank, Hosting Provider or Email Provider, as you see below:

Filter by hosting

Mapping thousand of subdomains can take hours with a normal internet connection speed, and there’s always a chance you’ll be blocked by firewall rate-limit configurations, too.

With our DNS toolkit, you can get all this intel within seconds.

IP Analysis

We’re not only your go-to resource for dealing with DNS and domain names, we’ve also become the #1 resource for IP block information and correlation across networks.

By running your SecurityTrails IP check you’ll be able to explore any IP address related to your domain names.

For example, let’s take a look at one of the main Cloudflare IP addresses: 104.16.41.71. By using our IP explorer feature you can identify all associated domains for any IP address, and filter them by any keyword.

IP Explorer

You will also be able to find IP neighbors for the same IP range, as shown below:

IP Neighbors

Our enterprising product SurfaceBrowser™ allows you to fetch even more details about any domain name, such as reverse DNS, open ports, associated domains, SSL certificates, and WHOIS history.

Reverse DNS and Open Ports

Getting reverse DNS records manually would take a lot of time interacting with the host command, and mapping all the open ports of any IP address would take even longer, especially if you have a slow network and firewalls filtering most of the connections.

Our solution provides an easy way to fetch reverse DNS records for all given IP addresses, as well as a quick method for detecting all open ports from any remote host, as shown here:

Open ports from remote host

This has proven to be a great way to perform cybersecurity research, as we covered in our blog post: How to use reverse DNS records to identify mass scanners.

Associated Domains

While researching security issues and incidents, we’ve found this feature extremely valuable for correlating data across many different domain names.

It’s easy to detect who owns a domain using the Associated Domains option, which will also reveal any other domains owned by the same person or company.

Quickly and easily, you’ll have access to a full summary sortable by domain registrar, organization, creation and expiration year.

Full sortable summary

SSL Certificates

As we explored in the blog post Analyzing SSL certificates with SurfaceBrowser, SSL certificates now play a crucial role in the cybersecurity industry.

This feature allows you to fetch all SSL-related information in a summary by company, creation year, expiration year (which is useful for exploring unencrypted areas still online) or SSL validity.

SSL info

WHOIS Historical Records

WHOIS History is one of the best ways to investigate cybercrime, used by researchers and infosec professionals alike. It’s a useful tool when you need to check out any WHOIS information changes over the years.

This can help government agencies and private and public companies identify phishing domains and avoid buying stolen domain names, as well as create effective brand protection mechanisms for copyright and trademark protection companies.

An effective timeline will guide you through all the current WHOIS historical records, as you can see here:

WHOIS historical records

If you already have an IT or Infosec app, you can integrate most of these functions by using our API access, where you can use the following endpoints:

  • Domain
  • List subdomains
  • List tags
  • Find associated domains
  • WHOIS
  • DNS history by record type
  • WHOIS history by domain
  • Explore IPs
  • Search IPs (DSL)
  • IP search statistics
  • Ping
  • Usage
  • Scroll

You can read more about our API Reference and explore our full API documentation.

Conclusion

Performing DNS lookups with our tool is extremely easy. You’ll never have to wait for live results because we fetch all results from our historical database that is updated daily.

DNS mapping and enumeration are your first order of business when you researching any given domain name. If it’s something you only need to do it from time to time and with only a few domains, you can work with old-fashioned terminal-based commands to get it done. However, if you’re looking for a serious alternative for massive DNS daily tasks, then it’s easier than ever by using our free SecurityTrails DNS toolbox, or by interacting with our intelligent API.


Grab your free API account today to start digging into any domain name DNS records, historical WHOIS and much more. Or schedule a SurfaceBrwoser demo with us to see how our enterprise-grade product can help you get a deeper data-set of domains, IPs, DNS zones, open ports and SSL certificate information.