Nslookup

DNS Enumeration and Simple DNS Queries with nslookup

In this guide, we explore the utility of nslookup, a tool for querying the Domain Name System (DNS) to obtain domain name or IP address mappings. It details how to perform DNS enumeration, simple DNS queries, and other operations.

DNS Enumeration

To retrieve a list of name servers, you can follow these steps:

Step-by-step Guide

  1. Start the nslookup Interactive Shell

    >> nslookup

  2. Set the Default Server to Query

    >> server 10.50.96.5

  3. Set the Query Type to NS

    To retrieve only NS records, set the query type to NS as shown below:

    >> set q=NS

  4. Type the Domain Name

    Enter the domain name that you wish to query:

    >> foocampus.com

Explanation

  • Step 1: Initiates the interactive shell of nslookup.

  • Step 2: Designates the default server to query.

  • Step 3: Adjusts the query type to NS, which is utilized to obtain only NS records.

  • Step 4: Input the domain name to be queried.

Output

The outcome of these steps is as follows:

foocampus.com nameserver = ns.foocampus.com.
foocampus.com nameserver = ns1.foocampus.com.

To discover the IP address of each name server returned, start a fresh session (press CTRL + C to exit the current one, which also resets the query type to its default) and look up the name server's host name:

>> nslookup
>> server 10.50.96.5
>> ns.foocampus.com

To probe for MX records, adjust the query type to MX as illustrated below:

>> nslookup
>> server 10.50.96.5
>> set q=MX
>> foocampus.com

Simple DNS Queries

1. Simple DNS Query

nslookup domain.com

2. Reverse DNS Lookup

nslookup -type=PTR IPaddress

3. MX (Mail Exchange) Lookup

nslookup -type=MX domain.com
# or
nslookup -query=MX domain.com

4. Zone Transfers

Zone transfers are possible when a remote DNS server is misconfigured to allow them. Before requesting one, identify the domain's authoritative name servers:

nslookup -type=NS domain.com
# or
nslookup -query=NS domain.com
# or
nslookup -query=any domain.com

To initiate a zone transfer request, use the following commands:

nslookup
server [NAMESERVER FOR mydomain.com]
ls -d mydomain.com

If the server allows the transfer, a detailed listing of the zone's records appears; a correctly configured server refuses the request instead. Note that the ls subcommand is part of the Windows nslookup; the BIND 9 nslookup shipped with most Linux distributions no longer implements it, and there the equivalent request is made with dig's AXFR query type.
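The following Python script is an added example, not code from the original page or from the nslookup project. It shows what the commands above actually put on the wire: it builds the same question messages nslookup sends for `set q=NS`, `set q=MX`, `-type=PTR` and the AXFR request behind `ls -d`, parses the replies into the fields nslookup prints (including the `nameserver = ...` lines from the Output section), and checks whether a server hands out a zone over AXFR instead of refusing it. The replies it parses are constructed inline (not captured traffic), so the parsing runs offline; `query()` and `zone_transfer_allowed()` contact a real server when called. The address 10.50.96.5 and the foocampus.com names are taken from the page and are not assumed to be live hosts.

```python
"""Minimal DNS wire-format helpers (added example; not from the original page).
Builds nslookup-style queries (NS, MX, PTR, AXFR), parses replies, and checks
whether a server serves a zone transfer. Sample replies are constructed."""
import ipaddress
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "PTR": 12, "MX": 15, "AXFR": 252, "ANY": 255}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}
RCODES = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """'foocampus.com' -> b'\\x09foocampus\\x03com\\x00' (labels, no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """Header (RD=1, one question) + question section; QCLASS is always IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPES[qtype], 1)

def reverse_name(ip):
    """The name a PTR lookup asks for: 10.50.96.5 -> 5.96.50.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def read_name(msg, offset):
    """Decode a name that may use RFC 1035 compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # pointer to a name earlier in the message
            if end is None:
                end = offset + 2             # resume after the pointer once done
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels), (offset if end is None else end)

def parse_response(msg):
    """Return (rcode, [(owner, type, rdata), ...]) for the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                      # skip the echoed question
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        owner, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype in (QTYPES["NS"], QTYPES["PTR"]):
            rdata, _ = read_name(msg, offset)
        elif rtype == QTYPES["MX"]:          # 16-bit preference + exchange host
            pref = struct.unpack(">H", msg[offset:offset + 2])[0]
            rdata = (pref, read_name(msg, offset + 2)[0])
        else:
            rdata = msg[offset:offset + rdlen]
        answers.append((owner, TYPE_NAMES.get(rtype, str(rtype)), rdata))
        offset += rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), answers

def nslookup_lines(answers):
    """Render NS answers the way nslookup prints them: 'owner nameserver = host.'"""
    return [f"{o} nameserver = {r}." for o, t, r in answers if t == "NS"]

def query(server, name, qtype, timeout=3):
    """UDP query: the equivalent of `server <ip>`, `set q=<type>`, `<name>`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return parse_response(s.recv(4096))

def transfer_served(reply):
    """A correctly configured server answers AXFR with REFUSED, not records."""
    rcode, answers = parse_response(reply)
    return rcode == "NOERROR" and len(answers) > 0

def zone_transfer_allowed(server, zone, timeout=5):
    """AXFR over TCP (2-byte length prefix); use it to confirm your own server refuses."""
    msg = build_query(zone, "AXFR")
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(msg)) + msg)
        length = struct.unpack(">H", s.recv(2, socket.MSG_WAITALL))[0]
        return transfer_served(s.recv(length, socket.MSG_WAITALL))

# Constructed sample replies (not captured traffic). b"\xc0\x0c" is a compression
# pointer back to the question name at offset 12, as real servers emit it.
Q_NS = encode_name("foocampus.com") + struct.pack(">HH", QTYPES["NS"], 1)
NS_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + Q_NS
            + b"\xc0\x0c" + struct.pack(">HHIH", 2, 1, 3600, 5) + b"\x02ns\xc0\x0c"
            + b"\xc0\x0c" + struct.pack(">HHIH", 2, 1, 3600, 19) + encode_name("ns1.foocampus.com"))
Q_MX = encode_name("foocampus.com") + struct.pack(">HH", QTYPES["MX"], 1)
MX_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + Q_MX
            + b"\xc0\x0c" + struct.pack(">HHIH", 15, 1, 3600, 8) + b"\x00\x0a\x04mail\xc0\x0c")
AXFR_REFUSED = (struct.pack(">HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)   # rcode 5 = REFUSED
                + encode_name("foocampus.com") + struct.pack(">HH", QTYPES["AXFR"], 1))
```

Running `print("\n".join(nslookup_lines(parse_response(NS_REPLY)[1])))` reproduces the two `nameserver =` lines shown in the Output section, and `transfer_served(AXFR_REFUSED)` is False, which is the answer an administrator wants to see from each of their own name servers. The TCP framing in `zone_transfer_allowed` is why `ls -d` behaves differently from the other queries: a zone transfer is never carried over UDP.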
