nslookup

Use nslookup's interactive mode to probe a target's DNS server directly.

Discover Domain Name via Reverse Lookup

Use this when you have an IP but no domain name. You must set the target IP as your server first.

# Start nslookup and set the target as the DNS server
nslookup
> server <target-ip>

# Perform the reverse lookup on the IP
> <target-ip>

# The answer (a PTR record) reveals the domain name

dig

Reverse Lookup (Simpler Syntax)

The -x flag performs the reverse lookup in a single command and returns the PTR record carrying the domain name.

dig @<target-ip> -x <target-ip>

Zone Transfer (The Gold Mine)

The axfr query type requests a full zone transfer and is the primary goal of DNS enumeration. If the server allows the transfer, it dumps every record in the zone, revealing otherwise hidden subdomains such as admin.<target-domain>.htb.

dig axfr <target-domain>.htb @<target-ip>

ffuf

Once you know the domain name, you can use ffuf to enumerate its subdomains.

Add to /etc/hosts

After a successful zone transfer, add the discovered hostnames to your /etc/hosts file so you can reach them by name and start exploring them (e.g., checking each one for a web server).

echo "<ip> <domain>.htb" | sudo tee -a /etc/hosts
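The steps above (reverse lookup, zone transfer, then copying hostnames into /etc/hosts) are usually done by hand. As an added example, not part of the original notes, the following Python script turns the raw dig output of an axfr query or a -x lookup into ready-made /etc/hosts lines. The zone example.htb, the addresses 10.0.0.53 and fd00::53, and the record set are constructed placeholders, not output from any real host. The script follows CNAME chains inside the dumped zone (with a loop guard), converts PTR owner names back into addresses, and canonicalises IPv6 so duplicates collapse.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of what dig prints for an AXFR (zone transfer) answer.
# The zone, names and addresses are placeholders, not taken from any real host.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr example.htb @10.0.0.53
;; global options: +cmd
example.htb.\t604800\tIN\tSOA\tns1.example.htb. admin.example.htb. 3 604800 86400 2419200 604800
example.htb.\t604800\tIN\tNS\tns1.example.htb.
example.htb.\t604800\tIN\tA\t10.0.0.53
ns1.example.htb.\t604800\tIN\tA\t10.0.0.53
admin.example.htb.\t604800\tIN\tA\t10.0.0.53
www.example.htb.\t604800\tIN\tCNAME\texample.htb.
dev.example.htb.\t604800\tIN\tAAAA\tfd00:0:0::53
example.htb.\t604800\tIN\tSOA\tns1.example.htb. admin.example.htb. 3 604800 86400 2419200 604800
;; Query time: 1 msec
"""

# Constructed sample of a `dig -x` (reverse lookup) answer for the same placeholder host.
SAMPLE_PTR = "53.0.0.10.in-addr.arpa.\t604800\tIN\tPTR\tns1.example.htb.\n"

# owner TTL IN TYPE RDATA, restricted to the record types that yield name/address pairs
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|CNAME|PTR)\s+(\S+)$")


def parse_records(text):
    """Extract (owner, type, rdata) tuples from dig output; comment and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = RR_RE.match(line)
        if match:
            owner, rtype, rdata = match.groups()
            records.append((owner.rstrip(".").lower(), rtype, rdata.rstrip(".").lower()))
    return records


def reverse_pointer_to_ip(name):
    """Turn an in-addr.arpa / ip6.arpa owner name (from a PTR record) back into an address string."""
    if name.endswith(".in-addr.arpa"):
        octets = name[: -len(".in-addr.arpa")].split(".")
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32:
            raise ValueError(f"malformed ip6.arpa name: {name}")
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    raise ValueError(f"not a reverse-pointer name: {name}")


def resolve_hosts(records):
    """Map each hostname to its sorted list of addresses, following CNAME chains inside the zone."""
    addresses = defaultdict(set)
    cnames = {}
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addresses[owner].add(str(ipaddress.ip_address(rdata)))  # canonical form
        elif rtype == "CNAME":
            cnames[owner] = rdata
        elif rtype == "PTR":
            addresses[rdata].add(reverse_pointer_to_ip(owner))
    # Follow alias -> target chains; the 'seen' set guards against CNAME loops.
    for alias, target in cnames.items():
        seen = {alias}
        while target in cnames and target not in seen:
            seen.add(target)
            target = cnames[target]
        addresses[alias] |= addresses.get(target, set())
    return {host: sorted(addrs) for host, addrs in addresses.items() if addrs}


def hosts_lines(host_map):
    """Render '<ip> <name> <name> ...' lines, one per address, ready to append to /etc/hosts."""
    by_ip = defaultdict(set)
    for host, addrs in host_map.items():
        for addr in addrs:
            by_ip[addr].add(host)
    # Sort IPv4 before IPv6, then numerically within each family.
    ordered = sorted(by_ip, key=lambda a: (ipaddress.ip_address(a).version, int(ipaddress.ip_address(a))))
    return [f"{ip} {' '.join(sorted(by_ip[ip]))}" for ip in ordered]


if __name__ == "__main__":
    hosts = resolve_hosts(parse_records(SAMPLE_AXFR) + parse_records(SAMPLE_PTR))
    for line in hosts_lines(hosts):
        print(line)
```

Pipe real dig output into parse_records instead of the constructed sample, review the rendered lines, and only then append them with sudo tee -a as in the command above. The same script is useful on the defending side: run it against your own zone to see exactly which names an open AXFR would hand out, and restrict transfers to the secondaries that need them (BIND's allow-transfer directive, ideally combined with TSIG).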
