
I was trying to enumerate sub-domains with dig, but I can't find the subdomain names. The main domain name is unreachable, but is definitely in DNS records.

If I run dig against the main domain example.com:

$ dig example.com

; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54795
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com.       IN  A

;; AUTHORITY SECTION:
example.com.    300 IN  SOA ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 2 msec
;; SERVER: 10.84.0.2#53(10.84.0.2)
;; WHEN: Sat Jan 02 22:03:37 UTC 2021
;; MSG SIZE  rcvd: 136

I also tried to zone transfer against 10.84.0.2:

$ dig example.com @10.84.0.2 axfr

; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> example.com @10.84.0.2 axfr
;; global options: +cmd
; Transfer failed.

Is there any way to enumerate the subdomains? Zone transfer seems not to be working, so is there any other way to do it?

Fiery

1 Answer


I was trying to enumerate sub-domains with dig

You can stop right here as you can't do that, without knowing the names in advance.

I also tried to zone transfer against 10.84.0.2:

Zone transfers are almost always refused, either for technical reasons (no one expects the zone owner really needs it, and they imply big network traffic) or privacy ones (some consider the DNS data to be in part private and hence only given on a need-to-know basis, not in bulk).

If I run dig against the main domain example.com:

$ dig example.com

No, you did not. Using dig like that means you are in fact querying for an A record. Any given name, including the apex, is not guaranteed to have an A record. The reply you got is called "NODATA", which means "NOERROR" (the name is OK and exists) but no answer either (no ANSWER section), because this name has no A records (which is what you asked for) but has other record types (as it is the apex, it has NS and SOA records at least).

So your conclusion of "The main domain name is unreachable," is wrong, based on this dig query.

Is there any way to enumerate the subdomains?

There are multiple heuristics but no guaranteed solution. Since you do not explain why you need to do that, and since at this stage it is not really a programming question, any further venture into that part is off-topic here.

Patrick Mevzek
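The distinction the answer draws (NOERROR with an empty ANSWER section is NODATA, not "unreachable") can be checked mechanically. Below is an added example, not part of the question or the answer: a small Python parser for saved dig output that reports the queried name and type, the response status, and a verdict of ANSWER, NODATA or the error status (e.g. NXDOMAIN), plus the owner of any SOA record in the response, which tells you which zone answered. It does not run dig, so it works offline. The first sample is the dig output posted in the question; the NXDOMAIN and SOA samples are constructed for illustration (the name nosuch.example.com and the ids are made up).

```python
"""Classify dig(1) text output as ANSWER, NODATA or an error status.

Added example; it parses dig's printed output rather than talking to DNS.
NODATA is RFC 2308 terminology: rcode NOERROR but no records of the
requested type (empty ANSWER section), so the name exists.
"""
import re

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
COUNTS_RE = re.compile(r"QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)")
QUESTION_RE = re.compile(r"^;(\S+)\s+IN\s+(\S+)\s*$")   # ";example.com.  IN  A"
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s")        # owner of an SOA RR


def classify_dig_output(text):
    """Return status, section counts, qname/qtype, SOA owner and a verdict."""
    status = counts = qname = qtype = soa_owner = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            status = m.group(2)
        m = COUNTS_RE.search(line)
        if m:
            counts = tuple(int(x) for x in m.groups())
        m = QUESTION_RE.match(line)
        if m and qname is None:
            qname, qtype = m.group(1), m.group(2)
        m = SOA_RE.match(line)
        if m and soa_owner is None:
            soa_owner = m.group(1)
    if status is None or counts is None:
        raise ValueError("no dig header/flags line found in input")
    _, answer, authority, _ = counts
    if status != "NOERROR":
        verdict = status            # NXDOMAIN, SERVFAIL, REFUSED, ...
    elif answer > 0:
        verdict = "ANSWER"
    else:
        verdict = "NODATA"          # name exists, just not this RRtype
    return {"status": status, "answer": answer, "authority": authority,
            "qname": qname, "qtype": qtype, "soa_owner": soa_owner,
            "verdict": verdict}


# Sample 1: the output posted in the question (A query at the apex).
QUESTION_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54795
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;example.com.       IN  A
;; AUTHORITY SECTION:
example.com.    300 IN  SOA ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
"""

# Sample 2 (constructed): a name that does not exist at all.
NXDOMAIN_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;nosuch.example.com.       IN  A
;; AUTHORITY SECTION:
example.com.    300 IN  SOA ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
"""

# Sample 3 (constructed): asking the apex for a type it does have.
SOA_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22222
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;example.com.       IN  SOA
;; ANSWER SECTION:
example.com.    300 IN  SOA ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
"""

if __name__ == "__main__":
    for label, sample in (("question", QUESTION_OUTPUT),
                          ("nxdomain", NXDOMAIN_OUTPUT),
                          ("soa", SOA_OUTPUT)):
        r = classify_dig_output(sample)
        print(f"{label}: {r['qname']} {r['qtype']} -> {r['verdict']} "
              f"(zone SOA owner: {r['soa_owner']})")
```

Run against the question's output it reports NODATA for example.com. A, with example.com. as the SOA owner, which is the answer's point: the name exists in the zone, it simply has no A record. Pipe real output in with `dig example.com | python3 classify.py` style plumbing if you want to use it live; the verdict logic only needs the HEADER and flags lines.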