DNS Enumeration

Zone transfers, brute-forcing subdomains, and passive DNS recon.

Published: May 1, 2026
Read time: 1 min read
Topics: dnsnetworkreconenumeration

Zone Transfer

dig axfr @ns1.target.com target.com

If misconfigured, dumps all DNS records. Rarely works in the wild.

Subdomain Brute-force

gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

Passive Recon

crt.sh — certificate transparency logs
dnsx — fast DNS resolver/prober
amass enum -passive -d target.com