Subdomain Enumeration

Overview

Subdomain enumeration is a critical phase of web reconnaissance that focuses on discovering subdomains and DNS infrastructure. This process reveals the attack surface by identifying additional hosts, services, and potential entry points that might not be immediately visible.

Key Objectives:

• Discover hidden subdomains and services

• Map DNS infrastructure and name servers

• Identify cloud resources and third-party services

• Analyze DNS security configurations

• Enumerate zone transfers and DNS vulnerabilities

---

DNS Tools Overview

Tool	Key Features	Best Use Case
dig	Versatile DNS lookup tool supporting all record types with detailed output	Manual DNS queries, zone transfers, troubleshooting
dnsenum	Comprehensive DNS enumeration with zone transfers, brute-forcing, WHOIS	All-in-one automated DNS reconnaissance
fierce	DNS reconnaissance with recursive search and wildcard detection	User-friendly subdomain discovery
dnsrecon	Multi-technique DNS reconnaissance with custom output formats	Comprehensive enumeration with various methods
amass	Advanced subdomain discovery with 30+ data sources	Maximum subdomain coverage (passive + active)
assetfinder	Simple subdomain discovery using various techniques	Quick lightweight scans
subfinder	Passive subdomain enumeration from public sources	Stealth reconnaissance
puredns	High-performance DNS brute-forcer with wildcard filtering	Massive wordlist handling
theHarvester	OSINT tool gathering subdomains from search engines	Email addresses + subdomain discovery

---

Manual DNS Enumeration

The Domain Information Groper (dig)

The dig command is the most versatile DNS enumeration tool, essential for manual analysis:

Common dig Commands

# Basic record queries
dig domain.com A          # IPv4 addresses
dig domain.com AAAA       # IPv6 addresses  
dig domain.com MX         # Mail servers
dig domain.com NS         # Name servers
dig domain.com TXT        # Text records
dig domain.com SOA        # Start of authority

# Query specific DNS server
dig @1.1.1.1 domain.com A

# Trace full DNS resolution path
dig +trace domain.com

# Short output only
dig +short domain.com

# Reverse DNS lookup
dig -x 192.168.1.1

Zone Transfer Attempts

# Discover name servers
dig domain.com NS

# Attempt zone transfers
dig @ns1.domain.com domain.com AXFR
dig @ns2.domain.com domain.com AXFR

# Test all name servers
for ns in $(dig +short domain.com NS); do
  echo "Testing $ns for zone transfer"
  dig @$ns domain.com AXFR
done

Advanced dig Techniques

# DNS server version detection
dig @dns-server version.bind CH TXT

# Check DNSSEC implementation
dig +dnssec domain.com

# TCP queries (for large responses)
dig +tcp domain.com TXT

# No recursion (direct authoritative query)
dig +norecurse @ns1.domain.com domain.com

---

Automated DNS Enumeration

dnsenum - Comprehensive DNS Enumeration

dnsenum is a versatile Perl-based tool providing comprehensive DNS reconnaissance:

Key Features:

• DNS Record Enumeration (A, AAAA, NS, MX, TXT)

• Automatic zone transfer attempts

• Subdomain brute-forcing with wordlists

• Google scraping for additional subdomains

• Reverse lookups and WHOIS integration

# Basic enumeration with HTB Academy example
dnsenum --enum inlanefreight.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

# Complete enumeration with recursion
dnsenum --enum example.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -r

# Custom DNS server
dnsenum --dnsserver 8.8.8.8 --enum example.com

# Without reverse lookups (faster)
dnsenum --noreverse example.com

# Advanced options
dnsenum --enum example.com \
    -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt \
    --dnsserver 1.1.1.1 \
    --timeout 10 \
    --threads 5 \
    -r

fierce - User-Friendly Subdomain Scanner

# Basic subdomain enumeration
fierce --domain example.com

# Custom wordlist
fierce --domain example.com --wordlist custom_subdomains.txt

# Specific DNS server
fierce --domain example.com --dns-servers 8.8.8.8

# Output to file
fierce --domain example.com > fierce_results.txt

dnsrecon - Advanced DNS Reconnaissance

# Standard enumeration
dnsrecon -d example.com

# Brute force with custom wordlist
dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t brt

# Zone transfer attempts
dnsrecon -d example.com -t axfr

# Reverse lookup on IP range
dnsrecon -r 192.168.1.0/24

# Google enumeration
dnsrecon -d example.com -t goo

---

Advanced Subdomain Discovery

amass - Comprehensive Subdomain Discovery

amass is the most powerful subdomain discovery tool with extensive data sources:

Key Features:

• 30+ external data sources for passive enumeration

• Active DNS brute-forcing and permutation

• Integration with APIs and other tools

• Network mapping and visualization

• Continuous monitoring capabilities

# Basic subdomain enumeration
amass enum -d example.com

# Passive enumeration only (stealth)
amass enum -passive -d example.com

# Active enumeration with brute-forcing
amass enum -active -d example.com -brute

# Multiple domains
amass enum -d example.com,target.com,company.com

# Use all available data sources
amass enum -d example.com -src

# Output to file
amass enum -d example.com -o subdomains.txt

# JSON output for parsing
amass enum -d example.com -json subdomain_data.json

# Use specific resolvers
amass enum -d example.com -rf resolvers.txt

# Rate limiting
amass enum -d example.com -rps 10

# Advanced configuration
amass enum -d example.com -config /path/to/config.yaml

Configuration Example:

# ~/.config/amass/config.yaml
scope:
  domains:
    - example.com
  blacklist:
    - test.example.com
    - dev.example.com

brute_forcing:
  enabled: true
  recursive: true
  min_for_recursive: 1

data_sources:
  - name: CertSpotter
    apikey: your-api-key
  - name: Shodan
    apikey: your-api-key

puredns - High-Performance DNS Brute-Forcer

puredns excels at high-performance brute-forcing with smart filtering:

Key Features:

• Handles massive wordlists efficiently

• Wildcard detection and filtering

• Custom DNS resolver configuration

• Rate limiting to prevent server overload

• Trusted domain validation

# Basic brute-forcing
puredns bruteforce wordlist.txt example.com

# Use custom resolvers
puredns bruteforce wordlist.txt example.com --resolvers resolvers.txt

# Rate limiting (queries per second)
puredns bruteforce wordlist.txt example.com --rate-limit 1000

# Wildcard detection and filtering
puredns bruteforce wordlist.txt example.com --wildcard-tests 3

# Advanced filtering
puredns bruteforce /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt example.com \
    --resolvers resolvers.txt \
    --rate-limit 500 \
    --wildcard-tests 5 \
    --write results.txt \
    --write-wildcards wildcards.txt \
    --progress

# Resolve existing subdomain list
puredns resolve subdomains.txt --resolvers resolvers.txt --write resolved.txt

---

Passive Subdomain Discovery

Certificate Transparency

# Basic crt.sh search
curl -s https://crt.sh/\?q\=example.com\&output\=json | jq -r '.[].name_value' | sort -u

# Filter for web-related subdomains
curl -s https://crt.sh/\?q\=example.com\&output\=json | jq -r '.[].name_value' | grep -E "(www|web|app|api|admin|portal|dashboard)"

subfinder - Passive Subdomain Discovery

# Basic subdomain discovery
subfinder -d example.com

# With specific sources
subfinder -d example.com -sources crtsh,hackertarget,virustotal

# Output to file
subfinder -d example.com -o subdomains.txt

# Resolve subdomains
subfinder -d example.com -resolve

assetfinder - Quick Subdomain Enumeration

# Fast subdomain discovery
assetfinder example.com

# Find only subdomains
assetfinder --subs-only example.com

theHarvester - OSINT DNS Gathering

# Search multiple sources
theHarvester -d example.com -l 500 -b all

# Specific sources
theHarvester -d example.com -l 200 -b google,bing,yahoo

# DNS brute force
theHarvester -d example.com -c

# Output formats
theHarvester -d example.com -l 100 -b google -f results.xml

---

Tool Selection Guide

When to Use What

Scenario	Recommended Tool	Reason
Quick manual DNS queries	dig	Most versatile, detailed output
Comprehensive automated scan	dnsenum	All-in-one: zone transfers, brute-force, WHOIS
Passive reconnaissance only	amass (passive)	30+ data sources, stealth
Maximum subdomain coverage	amass (active)	Passive + active brute-forcing
High-performance brute-forcing	puredns	Massive wordlists, wildcard filtering
User-friendly quick scan	fierce	Simple interface, wildcard detection
Multi-technique approach	dnsrecon	Various techniques, custom outputs
Quick lightweight scan	assetfinder	Fast, simple discovery

Performance Comparison

Tool	Speed	Accuracy	Stealth	Wordlist Size	Resource Usage
dig	Manual	High	High	Manual	Low
dnsenum	Medium	High	Medium	Medium	Medium
amass	Medium-Fast	Very High	High (passive)	Large	High
puredns	Very Fast	High	Medium	Very Large	Medium
fierce	Fast	High	Medium	Medium	Low
dnsrecon	Medium	High	Medium	Medium	Medium
assetfinder	Fast	Medium	High	N/A	Low
subfinder	Fast	High	High	N/A	Low

---

Recommended Workflow

Phase 1: Quick Discovery

# Fast initial enumeration
assetfinder example.com
subfinder -d example.com

# Certificate transparency
curl -s https://crt.sh/\?q\=example.com\&output\=json | jq -r '.[].name_value' | sort -u

Phase 2: Passive Enumeration

# Comprehensive passive discovery
amass enum -passive -d example.com

# OSINT gathering
theHarvester -d example.com -l 200 -b google,bing

Phase 3: Active Enumeration

# Comprehensive active enumeration
amass enum -active -d example.com -brute

# Automated comprehensive scan
dnsenum --enum example.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

Phase 4: High-Performance Brute-Forcing

# Massive wordlist brute-forcing
puredns bruteforce /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt example.com --rate-limit 1000

# Validation and cleanup
puredns resolve all_subdomains.txt --write validated_subdomains.txt

---

HTB Academy Lab Examples

Lab 1: DNS Analysis

# Basic DNS enumeration
dig inlanefreight.htb A
dig inlanefreight.htb MX  
dig inlanefreight.htb NS
dig inlanefreight.htb TXT

# Zone transfer attempts
for ns in $(dig +short inlanefreight.htb NS); do
  echo "Attempting zone transfer with $ns"
  dig @$ns inlanefreight.htb AXFR
done

# Automated enumeration
dnsenum --enum inlanefreight.htb -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
dnsrecon -d inlanefreight.htb

# Advanced subdomain discovery
amass enum -passive -d inlanefreight.htb
amass enum -active -d inlanefreight.htb -brute

# High-performance brute-forcing
puredns bruteforce /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb --rate-limit 1000

---

Security Considerations

Rate Limiting

# Avoid detection with delays
for sub in $(cat wordlist.txt); do
  dig $sub.example.com
  sleep 1
done

# Use multiple DNS servers
dns_servers=(8.8.8.8 1.1.1.1 9.9.9.9)
for server in "${dns_servers[@]}"; do
  dig @$server example.com
done

Stealth Techniques

# Passive enumeration only
amass enum -passive -d example.com
subfinder -d example.com

# Certificate transparency (no DNS queries)
curl -s https://crt.sh/\?q\=example.com\&output\=json | jq -r '.[].name_value'

---

Defensive Measures

DNS Server Hardening

# Restrict zone transfers
allow-transfer { trusted-servers; };

# Disable recursion for external queries
allow-recursion { internal-networks; };

# Hide DNS version
version "Not disclosed";

# Rate limiting
rate-limit {
    responses-per-second 5;
    window 5;
};

Monitoring and Detection

# Monitor DNS queries
tail -f /var/log/named/queries.log

# Detect enumeration attempts
grep -E "(axfr|version.bind)" /var/log/named/queries.log

---

Key Takeaways

1. dig is essential for manual DNS analysis and troubleshooting

2. dnsenum provides comprehensive automated enumeration

3. amass offers maximum subdomain coverage with 30+ sources

4. puredns excels at high-performance brute-forcing

5. Passive enumeration (amass passive, subfinder) avoids detection

6. Rate limiting is crucial to prevent blocking

7. Zone transfers should be tested on all name servers

8. Certificate transparency provides valuable subdomain data

9. Tool combination yields better results than single tools

10. DNS security can be assessed through enumeration attempts

---

References

• HTB Academy: Information Gathering - Web Edition

• RFC 1034, 1035: Domain Names - Concepts and Facilities

• OWASP Testing Guide: Information Gathering

• SecLists: https://github.com/danielmiessler/SecLists

• Amass Documentation: https://github.com/OWASP/Amass