# **Basic Information** # **DNS Subdomain Enumeration** - Obtain the target DNS server IP by referencing the NS record for the target domain - Once a brute force of the root domain has been completed ensure another brute force is done on the newly discovered subdomains ```bash # add the DNS server to /etc/resolv.conf first gobuster dns -d <http://target.domain> -w </usr/share/SecLists/Discovery/DNS/namelist.txt> # perform subdomain brute force for sub in $(cat /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.<target_domain> @<target_dns_server> | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done dnsenum --dnsserver <target_dns_server> --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt <target_domain> ``` # **References** # **Practical Application** | Platform | Name | Notes | | -------- | ---- | ----- | | | | |