Port 53 (DNS)
Each domain can use different types of DNS records. Some of the most common types of DNS records include:
NS: Nameserver records contain the name of the authoritative servers hosting the DNS records for a domain.
A: Also known as a host record, the A record contains the IPv4 address of a hostname (such as www.test.com).
AAAA: Also known as a quad-A host record, the AAAA record contains the IPv6 address of a hostname (such as www.test.com).
MX: Mail Exchange records contain the names of the servers responsible for handling email for the domain. A domain can contain multiple MX records.
PTR: Pointer records are used in reverse lookup zones to find the name associated with an IP address.
CNAME: Canonical Name Records are used to create aliases for other host records.
TXT: Text records can contain any arbitrary data and be used for various purposes, such as domain ownership verification.
Using host to find the A host record for www.test.com:
host www.test.com
By default, the host command searches for an A record, but we can also query other record types, such as MX or TXT records:
host -t mx www.test.com
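To make the record types listed above and the `host -t <type>` queries concrete, here is an added example (not part of the original notes, and not code from the host, dnsrecon or dnsenum projects) that builds the wire-format query `host` sends and parses a response containing one record of each type, including name compression pointers. The response bytes are constructed inline for the example; the addresses and names in it are sample values, not real test.com data.

```python
import struct
import ipaddress

# Record type codes fixed by RFC 1035 (A, NS, CNAME, PTR, MX, TXT) and RFC 3596 (AAAA).
QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}
TYPE_NAME = {code: name for name, code in QTYPE.items()}


def encode_name(name):
    """Encode a dotted hostname as DNS labels: 3www4test3com0."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split(".") if label)
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Build the wire-format query that `host -t <type> <name>` sends (RD flag set, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def read_name(msg, offset):
    """Read a possibly compressed name; returns (name, offset just past it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 64:  # refuse pointer loops in a malformed message
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset


def decode_rdata(msg, offset, rtype, rdata):
    """Decode RDATA per type; names inside RDATA may be compressed, so msg/offset are needed."""
    if rtype == 1:
        return str(ipaddress.IPv4Address(rdata))
    if rtype == 28:
        return str(ipaddress.IPv6Address(rdata))
    if rtype in (2, 5, 12):  # NS, CNAME, PTR: a single domain name
        return read_name(msg, offset)[0]
    if rtype == 15:  # MX: 16-bit preference followed by the exchange name
        return struct.unpack("!H", rdata[:2])[0], read_name(msg, offset + 2)[0]
    if rtype == 16:  # TXT: sequence of <length><characters> strings
        strings, i = [], 0
        while i < len(rdata):
            n = rdata[i]
            strings.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
            i += 1 + n
        return strings
    return rdata.hex()


def parse_response(msg):
    """Return [(owner, type, ttl, decoded rdata)] for every resource record in a response."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):
        owner, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated resource record")
        records.append((owner, TYPE_NAME.get(rtype, str(rtype)), ttl,
                        decode_rdata(msg, offset, rtype, rdata)))
        offset += rdlen
    return records


def build_sample_response():
    """Constructed sample (not real test.com data): one record of each type listed above."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 7, 0, 0)  # QR, RD, RA; 7 answers
    question = encode_name("test.com") + struct.pack("!HH", 1, 1)
    test_com = b"\xc0\x0c"  # compression pointer to "test.com" at offset 12

    def rr(owner, rtype, rdata, ttl=300):
        return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

    return header + question + (
        rr(test_com, 1, ipaddress.IPv4Address("192.0.2.10").packed)
        + rr(test_com, 28, ipaddress.IPv6Address("2001:db8::10").packed)
        + rr(test_com, 2, encode_name("ns1.test.com"))
        + rr(test_com, 15, struct.pack("!H", 10) + b"\x04mail" + test_com)
        + rr(b"\x03www" + test_com, 5, test_com)
        + rr(test_com, 16, b"\x0bv=spf1 -all")
        + rr(encode_name("10.2.0.192.in-addr.arpa"), 12, test_com)
    )


if __name__ == "__main__":
    print(build_query("www.test.com", "MX").hex())
    for record in parse_response(build_sample_response()):
        print(record)
```

Running the block prints the raw query bytes for `host -t mx www.test.com` and then the seven decoded records. The pointer-hop limit and the RDLENGTH check are there because a resolver client must not trust lengths and offsets in a packet it did not build; a loop or short read in a real response is a malformed message, not something to follow.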
dnsrecon
DNSRecon is an advanced DNS enumeration script written in Python. Let's run dnsrecon against test.com, using the -d option to specify a domain name and -t to specify the type of enumeration to perform (in this case, a standard scan).
dnsrecon -d test.com -t std
Let's try to brute force additional hostnames using the list.txt file we created. To perform our brute force attempt, we will use the -d option to specify a domain name, -D to specify a file containing potential subdomain strings, and -t to specify the type of enumeration to perform, in this case brt for brute force.
dnsrecon -d test.com -D ~/list.txt -t brt
dnsenum
DNSEnum is another popular DNS enumeration tool that can be used to further automate DNS enumeration of the test.com domain.
dnsenum test.com
Windows
Once connected to the Windows 11 client, we can open a command prompt window and run a simple query to resolve the A record for the test.com host:
nslookup test.com