Discovering hostnames by brute-forcing DNS records
DNS records hold a surprising amount of information, and by brute-forcing or guessing them we can reveal additional targets. DNS entry names often give information away: for example, an A record named mail indicates that we are dealing with a mail server, and a few years ago Cloudflare's default DNS entry named direct would usually point to the IP address that Cloudflare was protecting.
This recipe shows how to discover DNS records using word lists with Nmap.
How to do it...
- To discover new DNS entries, run the following Nmap command:
$ nmap -sn --script dns-brute <target>
- DNS entries will be listed for each of the targets:
Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
|     ipv6.websec.mx - 104.28.4.21
|     ipv6.websec.mx - 104.28.5.21
|     ipv6.websec.mx - 172.67.129.81
|     ...
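The same word-list resolution that dns-brute performs, written out as an added Python example (this is not Nmap's own Lua script) so the logic is visible and can be run against a zone you are responsible for to see which names a brute-force would expose. The word list, the domain example.test and the FAKE_ZONE table are constructed for illustration; the resolver is injectable so the code runs offline, and the default resolver uses the operating system's DNS. It also includes a wildcard check, because a zone that answers for any label makes every guess look like a hit.

```python
"""Word-list DNS hostname discovery, mirroring what Nmap's dns-brute does.

Added example, not Nmap's code. The resolver function is pluggable so the
logic can be exercised offline against a constructed zone.
"""
import secrets
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample word list; Nmap ships its own list with the script.
DEFAULT_WORDS = ["www", "mail", "ipv6", "direct", "dev", "vpn", "ftp"]

Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Resolve `name` to its IPv4/IPv6 addresses via the OS resolver.

    Returns [] when the name does not exist or resolution fails.
    """
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def wildcard_check(domain: str, resolver: Resolver = system_resolver) -> bool:
    """True if a random, never-registered label under `domain` resolves.

    A wildcard record would make every guessed hostname resolve, so results
    from brute_force() against such a zone are not meaningful on their own.
    """
    probe = f"wildcard-probe-{secrets.token_hex(6)}.{domain}"
    return bool(resolver(probe))


def brute_force(domain: str, words: Iterable[str] = DEFAULT_WORDS,
                resolver: Resolver = system_resolver) -> List[Tuple[str, str]]:
    """Return sorted, deduplicated (hostname, ip) pairs for every word.domain that resolves.

    Sorting makes a run diffable against an asset inventory or a previous run.
    """
    found = set()
    for word in words:
        host = f"{word}.{domain}"
        for ip in resolver(host):
            found.add((host, ip))
    return sorted(found)


def group_by_ip(results: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group discovered hostnames by address so names sharing a front end stand out."""
    groups: Dict[str, List[str]] = {}
    for host, ip in results:
        groups.setdefault(ip, []).append(host)
    return {ip: sorted(hosts) for ip, hosts in groups.items()}


# Constructed zone used for the offline demonstration (not real records).
FAKE_ZONE = {
    "www.example.test": ["203.0.113.10"],
    "mail.example.test": ["203.0.113.25"],
    "ipv6.example.test": ["203.0.113.10", "2001:db8::1"],
}


def fake_resolver(name: str) -> List[str]:
    """Resolver that answers only from FAKE_ZONE, standing in for real DNS."""
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    domain = "example.test"
    if wildcard_check(domain, resolver=fake_resolver):
        print(f"{domain} has a wildcard record; brute-force hits are unreliable")
    for host, ip in brute_force(domain, resolver=fake_resolver):
        print(f"{host} - {ip}")
    for ip, hosts in group_by_ip(brute_force(domain, resolver=fake_resolver)).items():
        print(f"{ip}: {', '.join(hosts)}")
```

Swap `fake_resolver` for the default `system_resolver` (or omit the argument) to run it against a real zone; run `wildcard_check` first, as the `__main__` block does, and treat a positive result as a reason to discount the hostname list rather than a list of new hosts.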