Brute forcing DNS Records

Test Objectives

Perform name lookups with a wordlist (dictionary attack) to identify services/hosts/websites in the target domain. Only applicable if the Check for DNS zone transfer test failed.



 fierce -dns <domain>

Fierce will first determine the authoritative name servers for the specified domain.
Then it will try to perform a zone transfer on all name servers.
If the zone transfer fails it will start brute forcing DNS records based on the entries in the fierce\hosts.txt file.

If you want to use your own wordlist, use the -wordlist flag:

 fierce -dns <domain> -wordlist <custom_wordlist>

Another script you could use is dnsrecon, with its brute-force enumeration type (-t brt) selected:

 dnsrecon -d <domain> -D <custom_wordlist> -t brt

or dnsenum and dnsdict6.
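
From the defending side, a wordlist run like the ones above shows up in resolver logs as one client receiving NXDOMAIN for many distinct names under the zone within a short time. The following Python code is an added example, not part of the original page or of any tool named on it; the log format (time, client, name, type, response code), the thresholds and the sample lines are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Assumed format: ISO time, client IP, qname, qtype, rcode.
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.7 www.example.com A NOERROR
2024-05-01T10:00:01 203.0.113.9 admin.example.com A NXDOMAIN
2024-05-01T10:00:01 203.0.113.9 vpn.example.com A NXDOMAIN
2024-05-01T10:00:02 203.0.113.9 mail.example.com A NOERROR
2024-05-01T10:00:02 203.0.113.9 dev.example.com A NXDOMAIN
2024-05-01T10:00:03 203.0.113.9 test.example.com A NXDOMAIN
2024-05-01T10:00:03 203.0.113.9 ftp.example.com A NXDOMAIN
2024-05-01T10:00:20 198.51.100.7 intrnet.example.com A NXDOMAIN
"""

def parse(line):
    """Split one log line into (timestamp, client, normalized qname, rcode)."""
    ts, client, qname, _qtype, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode

def detect_bruteforce(log_text, zone, window_s=60, min_nx_names=5):
    """Return {client: peak count of distinct NXDOMAIN names under `zone`
    seen inside any sliding window} for clients reaching min_nx_names."""
    window = timedelta(seconds=window_s)
    suffix = "." + zone.lower().rstrip(".")
    recent = defaultdict(deque)   # client -> (time, qname) of NXDOMAIN answers
    peak = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = parse(line)
        # Only failed lookups for names below the monitored zone count.
        if rcode != "NXDOMAIN" or not qname.endswith(suffix):
            continue
        q = recent[client]
        q.append((ts, qname))
        # Drop entries that fell out of the window (the newest one never does).
        while ts - q[0][0] > window:
            q.popleft()
        # Distinct names, so a client retrying one typo is not flagged.
        peak[client] = max(peak[client], len({name for _, name in q}))
    return {c: n for c, n in peak.items() if n >= min_nx_names}

if __name__ == "__main__":
    for client, count in detect_bruteforce(SAMPLE_LOG, "example.com").items():
        print(f"{client}: {count} distinct NXDOMAIN names within 60s")
```

The single mistyped name from 198.51.100.7 stays below the threshold, while 203.0.113.9 is reported; real thresholds need tuning against the resolver's normal NXDOMAIN rate.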