DNS - 53
DIG
# NS records: list the name servers that 10.10.10.10 reports for the zone.
dig @10.10.10.10 nothing.htb NS
# ANY query. Servers that follow RFC 8482 may return only a minimal answer
# (for example a single HINFO record), so a sparse ANY result does not show
# that the name has no other records; query the specific types instead.
dig @10.10.10.10 nothing.htb ANY
# AXFR zone transfer of the internal zone. A complete answer means the server
# hands the whole zone to any client that asks; the fix on the server side is
# to limit transfers to the known secondaries (e.g. BIND allow-transfer,
# preferably with TSIG keys).
dig @10.10.10.10 internal.nothing.htb AXFR
# Confirm the zone is served here by checking for its SOA record.
dig @10.10.10.10 nothing.htb SOA
# Zone transfer check using fierce.
# Link: <https://github.com/mschwager/fierce>
# NOTE(review): per the fierce README the tool first attempts a zone transfer
# and continues with wordlist lookups when the transfer is refused; confirm
# against the installed version.
# zonetransfer.me is a public demonstration zone that intentionally permits
# AXFR, so it shows what a successful transfer looks like.
fierce --domain zonetransfer.me
Nslookup
# Default lookup through the system resolver: address records for the name
# (recent BIND builds of nslookup appear to return AAAA as well as A).
nslookup facebook.com
# A records for a subdomain.
nslookup -type=A www.facebook.com
# PTR record (reverse lookup) for an IP address.
nslookup -type=PTR 31.13.92.36
# ANY existing records. Many servers answer ANY minimally (RFC 8482), so
# treat the result as a hint and query individual types for a full picture.
nslookup -type=ANY google.com
# TXT records.
nslookup -type=TXT facebook.com
# MX records (mail exchangers for the domain).
nslookup -type=MX facebook.com
Brute Forcing Subdomains
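# Subdomain brute forcing: look up every wordlist entry as
# <entry>.nothing.htb on 10.10.10.10 and append the answer lines to
# subdomains.txt.
#
# - The wordlist is read line by line, so entries are not word-split or
#   glob-expanded by the shell, and each entry is quoted when used.
# - The filters use single backslashes. With the doubled backslashes the
#   patterns matched nothing, so dig's ';' banner and question lines (which
#   contain the queried name) were recorded as hits for every entry.
# - The last grep matches the full queried name as a fixed string, so dots
#   and a leading '-' in an entry are not interpreted as regex or options.
#
# A zone with a wildcard record answers every candidate; compare the results
# against a lookup of a name that should not exist before trusting them.
# On the server side this loop shows up as a burst of queries for
# non-existent names (NXDOMAIN responses) from one client in the query logs.
while IFS= read -r sub || [ -n "$sub" ]; do
  # Skip blank wordlist lines.
  [ -n "$sub" ] || continue
  dig "$sub.nothing.htb" @10.10.10.10 \
    | grep -Ev ';|SOA' \
    | sed -E '/^[[:space:]]*$/d' \
    | grep -F -- "$sub.nothing.htb" \
    | tee -a subdomains.txt
done < /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt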
# DNSenum: wordlist enumeration of nothing.htb against 10.10.10.10.
#   --dnsserver  send the queries to this server
#   --enum       shortcut for dnsenum's default thread, scrape and whois
#                settings (presumably --threads 5 -s 15 -w; check --help)
#   -p 0 -s 0    no search-engine pages and no scraped subdomains, so only
#                DNS queries and the wordlist are used
#   -f           wordlist for the brute-force stage
#   -o           output file. NOTE(review): dnsenum documents -o as XML
#                output, and subdomains.txt is also the file the dig loop on
#                this page appends to; use a separate file name to keep the
#                two result sets apart.
dnsenum --dnsserver 10.10.10.10 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt nothing.htb
# Subfinder: subdomain discovery for a domain (-d) with verbose output (-v).
# Link: <https://github.com/projectdiscovery/subfinder>
# NOTE(review): subfinder collects names from third-party data sources rather
# than querying the domain's own name servers, so its output reflects what is
# already publicly recorded about the domain; confirm the configured sources.
./subfinder -d something.com -v
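# Subbrute: clone the tool, point it at a single resolver and run it against
# something.com with the names.txt wordlist.
#
# The steps are chained with && so that a failed clone or cd stops the
# sequence; otherwise resolvers.txt would be written into the current
# directory and the final command would run from the wrong place. An existing
# checkout is reused, and --quiet hides git's progress output while still
# showing errors.
#
# This executes whatever is at the tip of a third-party repository; review
# the code and check out a commit you have inspected before running it.
#
# Writing resolvers.txt replaces the resolver list shipped with the
# repository, so every query goes to ns1.something.com only.
# NOTE(review): the upstream repository's entry point appears to be
# subbrute.py; confirm the script name in the cloned tree.
{ [ -d subbrute ] || git clone --quiet https://github.com/TheRook/subbrute.git; } &&
  cd subbrute &&
  printf '%s\n' "ns1.something.com" > ./resolvers.txt &&
  ./subbrute something.com -s ./names.txt -r ./resolvers.txt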