Extracting Info from DNS Servers

Another way for pen testers to learn more about their targets is through DNS servers and records.  DNS servers store a lot of useful information about their related networks, and there are a handful of tools to use for extracting valuable information about a target.

What DNS does (or, why we care)

DNS is part of the TCP/IP protocol suite. It’s responsible for mapping user-friendly domain names (like “google.com”) to an IP address (like “”).

A domain name server is a server with a large database of these mappings. For pen testers, accessing DNS servers provides them with a blueprint of the company’s infrastructure, via a list of internal IP addresses and host names. As Engebretson notes in his book (The Basics of Hacking and Penetration Testing), DNS servers are often poorly configured or maintained, making them easy targets.

As always, only use this for legal purposes, with authorization, etc etc.

Zone transfers

One particularly useful source of DNS information is a zone transfer (AXFR).  Because networks typically have two or more DNS servers for redundancy or load balancing, they need to communicate with each other to share their host-to-IP mappings and stay in sync.

Host

If we have collected host names (for a given target) in previous reconnaissance steps, we need to translate those into IP addresses for future steps.  To do so, we can use host.

Host is built into most Linux systems (including Kali).  I’m not sure what a Windows equivalent is, besides maybe nslookup.

To use host, type host followed by the DNS server you are trying to find an IP address for.  For example:

host ns1.bluehost.com

Which returns

ns1.bluehost.com has address

Nslookup

Nslookup is a tool that queries a DNS server for its host records.  It’s available for Linux (including Kali) and Windows.  To use it, open up a command line and run:

nslookup

It will then show a > prompt and wait for input.  Type server followed by the IP address of the DNS server that you want to learn about (if you only have the hostname, use host as shown in the previous section to get the IP address).


Then, you’ll have to specify the type of DNS record.  There are several different types; a full list of DNS record types can be found here, on Wikipedia.

You can either ask for all DNS record types, or specify a certain type (nslookup expects no spaces around the equals sign):

set type=any

or set type=a, set type=mx, and so on.  The additional servers that you find from nslookup can be added to the target list.

Email Servers

If we find an email server, this presents another opportunity to learn more about a target.  Email servers must allow outside traffic in to be useful as email servers.  In The Basics of Hacking and Penetration Testing, Engebretson says to send an email to the organization with an empty .bat or .exe file.  The goal is to get rejected, and then inspect the rejection email for anti-virus vendor and version information, IP address of the server, software versions being used on the server, etc.

Zone transfers


If you want to attempt a zone transfer (Engebretson notes that your chances of success are pretty low), you can use dig to do so:

dig @ip_address_here example.com -t AXFR


If the zone transfer doesn’t work out for you, fierce can be your backup option.  Fierce is a Perl script that comes pre-installed on Kali.  To use:

cd /usr/bin/

./fierce -dns example.com

Fierce will look up the DNS servers for a given domain name, attempt a zone transfer, and then perform hundreds (or thousands) of automated DNS lookups for you.

-delay      The number of seconds to wait between lookups.
-dns        The domain you would like scanned.
-dnsfile    Use DNS servers provided by a file (one per line) for
            reverse lookups (brute force).
-dnsserver  Use a particular DNS server for reverse lookups
            (probably should be the DNS server of the target).  Fierce
            uses your DNS server for the initial SOA query and then uses
            the target's DNS server for all additional queries by default.
-file       A file you would like to output to be logged to.
-fulloutput When combined with -connect this will output everything
            the webserver sends back, not just the HTTP headers.

A list of command line flags can be found here.

All together now!

Use whois to find the DNS servers for a given website.  Next, use host to translate the hostname into an IP address.  Use nslookup to get the full set of related DNS records (for mail exchangers, etc).  Use dig or fierce to attempt a zone transfer, and/or look for related DNS servers.
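The zone-transfer section above shows the dig AXFR command, and the nslookup section notes that any additional servers you find get added to the target list.  The script below is an added example (not from the original post or from Engebretson’s book) that does that bookkeeping on the output dig prints: it decides whether a transfer actually completed, and turns the A and MX records into a host inventory.  The zone contents and the refusal output are constructed samples under the reserved example.com / 192.0.2.0/24 / 198.51.100.0/24 names and ranges, and the function names (axfr_ok, axfr_hosts, axfr_mx) are my own.  The same check works the other way round: run it against your own name servers to confirm that transfers to unauthorised hosts are refused.

```shell
#!/bin/sh
# Constructed sample of what `dig @ns1.example.com example.com -t AXFR`
# prints when the server allows the transfer (hypothetical zone data).
SAMPLE_AXFR='example.com.          3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.          3600 IN NS  ns1.example.com.
example.com.          3600 IN NS  ns2.example.com.
example.com.          3600 IN MX  10 mail.example.com.
ns1.example.com.      3600 IN A   192.0.2.1
ns2.example.com.      3600 IN A   192.0.2.2
mail.example.com.     3600 IN A   192.0.2.10
www.example.com.      3600 IN A   192.0.2.20
intranet.example.com. 3600 IN A   198.51.100.5
example.com.          3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600'

# Constructed sample of what dig prints when the server refuses the transfer.
SAMPLE_REFUSED='; <<>> DiG 9.18.1 <<>> @192.0.2.1 example.com -t AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.'

# axfr_ok: read dig output on stdin; return 0 only if the transfer completed.
# A complete AXFR is framed by the zone SOA record at the start and the end,
# so two SOA lines mean success; a refusal prints none.
axfr_ok() {
    soa_count=$(awk '$3 == "IN" && $4 == "SOA"' | wc -l | tr -d ' ')
    [ "$soa_count" -ge 2 ]
}

# axfr_hosts: read dig output on stdin; print "hostname ip" for each A record,
# trailing dot stripped, sorted by hostname with duplicates removed.
axfr_hosts() {
    awk '$3 == "IN" && $4 == "A" { sub(/\.$/, "", $1); print $1, $5 }' | sort -u
}

# axfr_mx: read dig output on stdin; print the mail exchanger hostnames.
# The MX rdata is "<priority> <host>", so the host is field 6.
axfr_mx() {
    awk '$3 == "IN" && $4 == "MX" { sub(/\.$/, "", $6); print $6 }' | sort -u
}

# Demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE_AXFR" | axfr_ok; then
    echo "transfer completed; A records:"
    printf '%s\n' "$SAMPLE_AXFR" | axfr_hosts
    echo "mail exchangers:"
    printf '%s\n' "$SAMPLE_AXFR" | axfr_mx
fi
if printf '%s\n' "$SAMPLE_REFUSED" | axfr_ok; then
    echo "unexpected: refused sample looked like a transfer"
else
    echo "refused sample correctly reported as failed"
fi
```

To use it on live output, pipe dig into the functions instead of the sample, e.g. dig @ip_address_here example.com -t AXFR | axfr_hosts.  Keying on the SOA count rather than on the "Transfer failed." string is deliberate: dig’s wording differs between versions and failure modes (timeouts, REFUSED, NOTAUTH), but a correct AXFR always carries the SOA twice.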