DNS (53) - Enumeration

1. Zone Transfer (AXFR)

The "Holy Grail". If the name server is misconfigured, it hands you the whole zone: every subdomain and record in a single query. Try it against every authoritative NS of the domain, not just the first one; secondaries are often the ones left open.

dig axfr @<IP> <DOMAIN>      # <IP> = an authoritative NS; repeat for each NS record
# or
host -l <DOMAIN> <IP>

2. Reverse Lookup

If you have a range of IPs, find out their hostnames (PTR records).

# Brute force a /24 range; keep only the lines that actually carry a PTR record
# (grep -v "not found" would still leave the "Using domain server:" banner that host prints)
for ip in $(seq 1 254); do host 10.10.10.$ip <DNS_IP>; done | grep "domain name pointer"

3. Subdomain Brute Force

If zone transfer is not allowed, fall back to a wordlist against the target's own resolver.

gobuster dns -d <DOMAIN> -r <DNS_IP> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
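The three techniques above chained into one script, as an added example (not part of the original cheat sheet): it tries AXFR against every authoritative NS, parses the zone if one of them answers, and otherwise falls back to a PTR sweep and a gobuster brute force. The `dig`/`host` output parsers are exercised offline against constructed sample output; `corp.local`, `10.10.10.0/24` and the gobuster "Found:" line format are assumptions for illustration.

```shell
#!/usr/bin/env bash
# DNS enumeration workflow (added example, not the page's original code).
#   ./dns-enum.sh corp.local 10.10.10.5 [10.10.10]   # live run: domain, resolver, PTR /24 prefix
#   ./dns-enum.sh                                      # no args: offline demo on the samples below

# Print unique owner names from `dig axfr` output read on stdin.
# dig emits one record per line: NAME TTL CLASS TYPE RDATA; comment lines start with ';'.
axfr_names() {
    grep -v '^;' | awk 'NF >= 4 && $3 == "IN" { sub(/\.$/, "", $1); print $1 }' | sort -u
}

# Did a `dig axfr` run (stdin) really deliver the zone? A refused transfer prints
# "; Transfer failed." and no SOA record, so an SOA line is the success marker.
axfr_succeeded() {
    awk '/^;/ { next } $3 == "IN" && $4 == "SOA" { ok = 1 } END { exit !ok }'
}

# Turn `host <ip> <server>` output (stdin) into "ip hostname" lines, dropping the
# "Using domain server:" banner and the NXDOMAIN noise.
ptr_pairs() {
    awk '/domain name pointer/ {
        split($1, o, ".")                       # 5.10.10.10.in-addr.arpa -> labels
        ip = o[4] "." o[3] "." o[2] "." o[1]    # put the four octets back in order
        h = $NF; sub(/\.$/, "", h)              # strip the trailing dot from the FQDN
        print ip, h
    }' | sort -u
}

# Try a zone transfer against every NS of the domain; print the zone's names on success.
try_axfr() {
    domain="$1"; resolver="$2"
    for ns in $(dig +short NS "$domain" "@$resolver"); do
        out=$(dig axfr "$domain" "@$ns" +time=5 +tries=1 2>/dev/null)
        if printf '%s\n' "$out" | axfr_succeeded; then
            echo "[+] AXFR allowed by $ns" >&2
            printf '%s\n' "$out" | axfr_names
            return 0
        fi
        echo "[-] AXFR refused by $ns" >&2
    done
    return 1
}

# PTR sweep of a /24 (prefix like 10.10.10) through the target's resolver.
reverse_sweep() {
    prefix="$1"; resolver="$2"
    for i in $(seq 1 254); do host "$prefix.$i" "$resolver"; done 2>/dev/null | ptr_pairs
}

# Wordlist brute force; assumes gobuster v3 "Found: name" output lines.
brute_force() {
    gobuster dns -d "$1" -r "$2" -q \
        -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt 2>/dev/null \
        | awk '/^Found:/ { print $2 }'
}

# Constructed sample output (not captured from a real target) for the offline demo/tests.
SAMPLE_AXFR='; <<>> DiG 9.18.1 <<>> axfr corp.local @10.10.10.5
;; global options: +cmd
corp.local.        3600 IN SOA   ns1.corp.local. admin.corp.local. 2024010101 3600 600 86400 3600
corp.local.        3600 IN NS    ns1.corp.local.
ns1.corp.local.    3600 IN A     10.10.10.5
dc01.corp.local.   3600 IN A     10.10.10.10
www.corp.local.    3600 IN CNAME dc01.corp.local.
dev.corp.local.    300  IN A     10.10.10.20
corp.local.        3600 IN SOA   ns1.corp.local. admin.corp.local. 2024010101 3600 600 86400 3600
;; Query time: 2 msec'

SAMPLE_REFUSED='; <<>> DiG 9.18.1 <<>> axfr corp.local @10.10.10.6
;; global options: +cmd
; Transfer failed.'

SAMPLE_PTR='Using domain server:
Name: 10.10.10.5
Address: 10.10.10.5#53
Aliases:

5.10.10.10.in-addr.arpa domain name pointer ns1.corp.local.
Host 6.10.10.10.in-addr.arpa. not found: 3(NXDOMAIN)
10.10.10.10.in-addr.arpa domain name pointer dc01.corp.local.'

if [ $# -ge 2 ]; then
    try_axfr "$1" "$2" || {
        echo "[*] No AXFR anywhere; falling back to PTR sweep + brute force" >&2
        reverse_sweep "${3:-10.10.10}" "$2"
        brute_force "$1" "$2"
    }
else
    echo "[demo] names from sample zone:";   printf '%s\n' "$SAMPLE_AXFR" | axfr_names
    echo "[demo] PTR pairs from sample sweep:"; printf '%s\n' "$SAMPLE_PTR" | ptr_pairs
fi
```

Run it with a domain and the target's resolver for a live enumeration; without arguments it only parses the embedded samples, which is what the offline checks rely on. The success test for AXFR looks for an SOA record rather than dig's exit status, because a refused transfer still produces output.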