Subdomain Enumeration

Overview

Subdomain enumeration is a critical phase of web reconnaissance that focuses on discovering subdomains and DNS infrastructure. This process reveals the attack surface by identifying additional hosts, services, and potential entry points that might not be immediately visible.

Key Objectives:

  • Discover hidden subdomains and services

  • Map DNS infrastructure and name servers

  • Identify cloud resources and third-party services

  • Analyze DNS security configurations

  • Enumerate zone transfers and DNS vulnerabilities

DNS Tools Overview

Tool
Key Features
Best Use Case

dig

Versatile DNS lookup tool supporting all record types with detailed output

Manual DNS queries, zone transfers, troubleshooting

dnsenum

Comprehensive DNS enumeration with zone transfers, brute-forcing, WHOIS

All-in-one automated DNS reconnaissance

fierce

DNS reconnaissance with recursive search and wildcard detection

User-friendly subdomain discovery

dnsrecon

Multi-technique DNS reconnaissance with custom output formats

Comprehensive enumeration with various methods

amass

Advanced subdomain discovery with 30+ data sources

Maximum subdomain coverage (passive + active)

assetfinder

Simple subdomain discovery using various techniques

Quick lightweight scans

subfinder

Passive subdomain enumeration from public sources

Stealth reconnaissance

puredns

High-performance DNS brute-forcer with wildcard filtering

Massive wordlist handling

theHarvester

OSINT tool gathering subdomains from search engines

Email addresses + subdomain discovery

Manual DNS Enumeration

The Domain Information Groper (dig)

The dig command is the most versatile DNS enumeration tool, essential for manual analysis:

Common dig Commands

# Basic record queries
dig domain.com A          # IPv4 addresses
dig domain.com AAAA       # IPv6 addresses  
dig domain.com MX         # Mail servers
dig domain.com NS         # Name servers
dig domain.com TXT        # Text records
dig domain.com SOA        # Start of authority

# Query specific DNS server
dig @1.1.1.1 domain.com A

# Trace full DNS resolution path
dig +trace domain.com

# Short output only
dig +short domain.com

# Reverse DNS lookup
dig -x 192.168.1.1

Zone Transfer Attempts

# Discover name servers
dig domain.com NS

# Attempt zone transfers
dig @ns1.domain.com domain.com AXFR
dig @ns2.domain.com domain.com AXFR

# Test all name servers
for ns in $(dig +short domain.com NS); do
  echo "Testing $ns for zone transfer"
  dig @$ns domain.com AXFR
done

Advanced dig Techniques

# DNS server version detection
dig @dns-server version.bind CH TXT

# Check DNSSEC implementation
dig +dnssec domain.com

# TCP queries (for large responses)
dig +tcp domain.com TXT

# No recursion (direct authoritative query)
dig +norecurse @ns1.domain.com domain.com

Automated DNS Enumeration

dnsenum - Comprehensive DNS Enumeration

dnsenum is a versatile Perl-based tool providing comprehensive DNS reconnaissance:

Key Features:

  • DNS Record Enumeration (A, AAAA, NS, MX, TXT)

  • Automatic zone transfer attempts

  • Subdomain brute-forcing with wordlists

  • Google scraping for additional subdomains

  • Reverse lookups and WHOIS integration

# Basic enumeration with HTB Academy example
dnsenum --enum inlanefreight.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

# Complete enumeration with recursion
dnsenum --enum example.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -r

# Custom DNS server
dnsenum --dnsserver 8.8.8.8 --enum example.com

# Without reverse lookups (faster)
dnsenum --noreverse example.com

# Advanced options
dnsenum --enum example.com \
    -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt \
    --dnsserver 1.1.1.1 \
    --timeout 10 \
    --threads 5 \
    -r

fierce - User-Friendly Subdomain Scanner

# Basic subdomain enumeration
fierce --domain example.com

# Custom wordlist
fierce --domain example.com --wordlist custom_subdomains.txt

# Specific DNS server
fierce --domain example.com --dns-servers 8.8.8.8

# Output to file
fierce --domain example.com > fierce_results.txt

dnsrecon - Advanced DNS Reconnaissance

# Standard enumeration
dnsrecon -d example.com

# Brute force with custom wordlist
dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t brt

# Zone transfer attempts
dnsrecon -d example.com -t axfr

# Reverse lookup on IP range
dnsrecon -r 192.168.1.0/24

# Google enumeration
dnsrecon -d example.com -t goo

Advanced Subdomain Discovery

amass - Comprehensive Subdomain Discovery

amass is the most powerful subdomain discovery tool with extensive data sources:

Key Features:

  • 30+ external data sources for passive enumeration

  • Active DNS brute-forcing and permutation

  • Integration with APIs and other tools

  • Network mapping and visualization

  • Continuous monitoring capabilities

# Basic subdomain enumeration
amass enum -d example.com

# Passive enumeration only (stealth)
amass enum -passive -d example.com

# Active enumeration with brute-forcing
amass enum -active -d example.com -brute

# Multiple domains
amass enum -d example.com,target.com,company.com

# Use all available data sources
amass enum -d example.com -src

# Output to file
amass enum -d example.com -o subdomains.txt

# JSON output for parsing
amass enum -d example.com -json subdomain_data.json

# Use specific resolvers
amass enum -d example.com -rf resolvers.txt

# Rate limiting
amass enum -d example.com -rps 10

# Advanced configuration
amass enum -d example.com -config /path/to/config.yaml

Configuration Example:

# ~/.config/amass/config.yaml
scope:
  domains:
    - example.com
  blacklist:
    - test.example.com
    - dev.example.com

brute_forcing:
  enabled: true
  recursive: true
  min_for_recursive: 1

data_sources:
  - name: CertSpotter
    apikey: your-api-key
  - name: Shodan
    apikey: your-api-key

puredns - High-Performance DNS Brute-Forcer

puredns excels at high-performance brute-forcing with smart filtering:

Key Features:

  • Handles massive wordlists efficiently

  • Wildcard detection and filtering

  • Custom DNS resolver configuration

  • Rate limiting to prevent server overload

  • Trusted domain validation

# Basic brute-forcing
puredns bruteforce wordlist.txt example.com

# Use custom resolvers
puredns bruteforce wordlist.txt example.com --resolvers resolvers.txt

# Rate limiting (queries per second)
puredns bruteforce wordlist.txt example.com --rate-limit 1000

# Wildcard detection and filtering
puredns bruteforce wordlist.txt example.com --wildcard-tests 3

# Advanced filtering
puredns bruteforce /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt example.com \
    --resolvers resolvers.txt \
    --rate-limit 500 \
    --wildcard-tests 5 \
    --write results.txt \
    --write-wildcards wildcards.txt \
    --progress

# Resolve existing subdomain list
puredns resolve subdomains.txt --resolvers resolvers.txt --write resolved.txt

Passive Subdomain Discovery

Certificate Transparency

# Basic crt.sh search
curl -s https://crt.sh/\?q\=example.com\&output\=json | jq -r '.[].name_value' | sort -u

# Filter for web-related subdomains
curl -s https://crt.sh/\?q\=example.com\&output\=json | jq -r '.[].name_value' | grep -E "(www|web|app|api|admin|portal|dashboard)"

subfinder - Passive Subdomain Discovery

# Basic subdomain discovery
subfinder -d example.com

# With specific sources
subfinder -d example.com -sources crtsh,hackertarget,virustotal

# Output to file
subfinder -d example.com -o subdomains.txt

# Resolve subdomains
subfinder -d example.com -resolve

assetfinder - Quick Subdomain Enumeration

# Fast subdomain discovery
assetfinder example.com

# Find only subdomains
assetfinder --subs-only example.com

theHarvester - OSINT DNS Gathering

# Search multiple sources
theHarvester -d example.com -l 500 -b all

# Specific sources
theHarvester -d example.com -l 200 -b google,bing,yahoo

# DNS brute force
theHarvester -d example.com -c

# Output formats
theHarvester -d example.com -l 100 -b google -f results.xml

Tool Selection Guide

When to Use What

Scenario
Recommended Tool
Reason

Quick manual DNS queries

dig

Most versatile, detailed output

Comprehensive automated scan

dnsenum

All-in-one: zone transfers, brute-force, WHOIS

Passive reconnaissance only

amass (passive)

30+ data sources, stealth

Maximum subdomain coverage

amass (active)

Passive + active brute-forcing

High-performance brute-forcing

puredns

Massive wordlists, wildcard filtering

User-friendly quick scan

fierce

Simple interface, wildcard detection

Multi-technique approach

dnsrecon

Various techniques, custom outputs

Quick lightweight scan

assetfinder

Fast, simple discovery

Performance Comparison

Tool
Speed
Accuracy
Stealth
Wordlist Size
Resource Usage

dig

Manual

High

High

Manual

Low

dnsenum

Medium

High

Medium

Medium

Medium

amass

Medium-Fast

Very High

High (passive)

Large

High

puredns

Very Fast

High

Medium

Very Large

Medium

fierce

Fast

High

Medium

Medium

Low

dnsrecon

Medium

High

Medium

Medium

Medium

assetfinder

Fast

Medium

High

N/A

Low

subfinder

Fast

High

High

N/A

Low

Recommended Workflow

Phase 1: Quick Discovery

# Fast initial enumeration
assetfinder example.com
subfinder -d example.com

# Certificate transparency
curl -s https://crt.sh/\?q\=example.com\&output\=json | jq -r '.[].name_value' | sort -u

Phase 2: Passive Enumeration

# Comprehensive passive discovery
amass enum -passive -d example.com

# OSINT gathering
theHarvester -d example.com -l 200 -b google,bing

Phase 3: Active Enumeration

# Comprehensive active enumeration
amass enum -active -d example.com -brute

# Automated comprehensive scan
dnsenum --enum example.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

Phase 4: High-Performance Brute-Forcing

# Massive wordlist brute-forcing
puredns bruteforce /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt example.com --rate-limit 1000

# Validation and cleanup
puredns resolve all_subdomains.txt --write validated_subdomains.txt

HTB Academy Lab Examples

Lab 1: DNS Analysis

# Basic DNS enumeration
dig inlanefreight.htb A
dig inlanefreight.htb MX  
dig inlanefreight.htb NS
dig inlanefreight.htb TXT

# Zone transfer attempts
for ns in $(dig +short inlanefreight.htb NS); do
  echo "Attempting zone transfer with $ns"
  dig @$ns inlanefreight.htb AXFR
done

# Automated enumeration
dnsenum --enum inlanefreight.htb -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
dnsrecon -d inlanefreight.htb

# Advanced subdomain discovery
amass enum -passive -d inlanefreight.htb
amass enum -active -d inlanefreight.htb -brute

# High-performance brute-forcing
puredns bruteforce /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb --rate-limit 1000

Security Considerations

Rate Limiting

# Avoid detection with delays
for sub in $(cat wordlist.txt); do
  dig $sub.example.com
  sleep 1
done

# Use multiple DNS servers
dns_servers=(8.8.8.8 1.1.1.1 9.9.9.9)
for server in "${dns_servers[@]}"; do
  dig @$server example.com
done

Stealth Techniques

# Passive enumeration only
amass enum -passive -d example.com
subfinder -d example.com

# Certificate transparency (no DNS queries)
curl -s https://crt.sh/\?q\=example.com\&output\=json | jq -r '.[].name_value'

Defensive Measures

DNS Server Hardening

# Restrict zone transfers
allow-transfer { trusted-servers; };

# Disable recursion for external queries
allow-recursion { internal-networks; };

# Hide DNS version
version "Not disclosed";

# Rate limiting
rate-limit {
    responses-per-second 5;
    window 5;
};

Monitoring and Detection

# Monitor DNS queries
tail -f /var/log/named/queries.log

# Detect enumeration attempts
grep -E "(axfr|version.bind)" /var/log/named/queries.log

Key Takeaways

  1. dig is essential for manual DNS analysis and troubleshooting

  2. dnsenum provides comprehensive automated enumeration

  3. amass offers maximum subdomain coverage with 30+ sources

  4. puredns excels at high-performance brute-forcing

  5. Passive enumeration (amass passive, subfinder) avoids detection

  6. Rate limiting is crucial to prevent blocking

  7. Zone transfers should be tested on all name servers

  8. Certificate transparency provides valuable subdomain data

  9. Tool combination yields better results than single tools

  10. DNS security can be assessed through enumeration attempts

References

  • HTB Academy: Information Gathering - Web Edition

  • RFC 1034, 1035: Domain Names - Concepts and Facilities

  • OWASP Testing Guide: Information Gathering

  • SecLists: https://github.com/danielmiessler/SecLists

  • Amass Documentation: https://github.com/OWASP/Amass

PreviousWeb Information GatheringNextWeb Application Enumeration

Last updated