DNS records hold a surprising amount of host information. By brute-forcing them we can reveal additional targets. DNS entries also often give away information on their own: a "mail" entry obviously indicates the mail server, and Cloudflare's default DNS entry "direct" will, most of the time, point to the IP address they are trying to protect.
This recipe shows how to brute force DNS records with Nmap.
Open your terminal and type:
# nmap --script dns-brute <target>
If successful, the results include a list of the DNS records found:
# nmap --script dns-brute host.com
Nmap scan report for host.com (XXX.XXX.XXX.XXX)
Host is up (0.092s latency).
Other addresses for host.com (not scanned): YYY.YY.YYY.YY ZZ.ZZZ.ZZZ.ZZ
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Host script results:
| dns-brute:
|   DNS Brute-force hostnames
|     www.host.com - AAA.AA.AAA.AAA
|     www.host.com - BB...
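The following script is an added example, not part of the original recipe: it turns the dns-brute section of an Nmap report into name/address pairs that an administrator can diff against the DNS inventory they expect to be public, and flags the role-revealing labels the text mentions. The embedded report is a constructed excerpt with documentation addresses; the wordlist path in the live variant is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original recipe: parse the dns-brute section
# of an Nmap normal-output report into "name<TAB>address" lines so discovered
# names can be compared with the records a defender expects to exist.
# SAMPLE_REPORT is a constructed excerpt using documentation address ranges.

SAMPLE_REPORT='Host script results:
| dns-brute:
|   DNS Brute-force hostnames
|     www.example.com - 192.0.2.10
|     mail.example.com - 192.0.2.25
|     direct.example.com - 198.51.100.7
|_    ftp.example.com - 192.0.2.21
'

# parse_dns_brute: read an Nmap report on stdin, keep only the dns-brute block
# (from "| dns-brute:" to the "|_" closing line) and print name<TAB>address.
parse_dns_brute() {
    sed -n '/^| dns-brute:/,/^|_/p' |
        awk '/ - / { sub(/^\|_? +/, ""); print $1 "\t" $3 }'
}

# count_records: number of records in the report passed as $1.
count_records() {
    printf '%s' "$1" | parse_dns_brute | wc -l | tr -d ' '
}

# flag_interesting: names whose first label hints at the host's role (the
# recipe's "mail" and Cloudflare "direct" examples), listed for review first.
flag_interesting() {
    printf '%s' "$1" | parse_dns_brute | awk -F'\t' '$1 ~ /^(mail|direct)\./ { print $1 }'
}

# run_dns_brute: live variant (domain in $1, wordlist in $2); not run here.
# dns-brute.hostlist and dns-brute.threads are real dns-brute.nse script
# arguments; the wordlist path you pass is an assumption of this example.
run_dns_brute() {
    nmap --script dns-brute --script-args "dns-brute.hostlist=$2,dns-brute.threads=8" "$1" |
        parse_dns_brute
}

printf '%s' "$SAMPLE_REPORT" | parse_dns_brute
echo "records: $(count_records "$SAMPLE_REPORT")"
flag_interesting "$SAMPLE_REPORT"
```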