DNS Enumeration Uncut: The Best Guide for Hackers

DNS Enumeration

DNS enumeration and DNS reconnaissance is a critical threat intelligence skill to learn. In literally every aspect of threat intel you will end up running into malicious domains. For me this most often occurs when working with threat intel from my honeynet. An example would be when I come across a domain being used as a “staging” server and want to start mapping out the infrastructure. This is where DNS enumeration comes into play as it can provide not only interesting records but also subdomains.

From a pen testing perspective subdomains are a great way to gain a “foothold” into a corporate network. Regardless of “how” I come across them, digging into a domains DNS records can provide you with valuable intelligence. This goes beyond just “Zone Transfers” and can also lead you down quite a few rabbit holes! Regardless, I’m going to be discussing the three major open source DNS tools that I use and a few quick examples of how I use them just to wet your appetite.


Fierce is a great tool for DNS enumeration which you can find in Kali Linux. In the example below I’m running Fierce against the cylance.com domain. Cylance.com is currently running an open bug bounty program that happened to catch my eye.

fierce -dns cylance.com -threads 5 -file /tmp/cylancedns.txt

The above command will run Fierce against “cylance.com” using five threads and then will save the output to /tmp/cylancedns.txt. Being able to control the number of threads can greatly increase the overall speed.


Fierce has quite a few options and can handle most DNS recon needs.


DNSMap is another tool I’ve continually used for various DNS enumeration needs. It’s been around for a long time and is typically my “goto” when it comes to brute forcing subdomains.

dnsmap cylance.com -w /tmp/subdomains.txt -r /tmp/cylance-dnsmap.txt


DNSRecon is probably one of the oldest DNS tools and my go to for DNS enumeration and reconnaissance. It’s been around since around 2006 and is still actively maintained by darkoperator. In the example below I’m using the “-a” parameter to see if the “cylance.com” nameservers allow DNS zone transfers. I’m also going to use a few other parameters that I generally throw into the mix.

dnsrecon -d cylance.com -a
dnsrecon -d cylance.com -D /usr/share/wordlist/subdomains.txt
dnsrecon -d cylance.com -t zonewalk

DNS Enumeration Conclusion

Those are the three primary DNS tools that I use on a consistent basis. IMO there really shouldn’t be a need to use anything outside these. All three are incredibly robust and have a large number of features.

I hope you have found this useful. This is something I’ve been wanting to figure out for some time now. Also make sure to keep coming back to my blog as I’m going to be putting out more threat intelligence posts here:


And as always, thank you for taking the time to read this. If you have any comments, questions, or critiques, please reach out to me on our FREE ML Security Discord Server – HERE

Related Posts