
Domains & DNS

A cheatsheet for Domains & DNS targeting domain information retrieval, DNS record analysis, subdomain enumeration, and securing DNS zone transfers.


Author: BobBuilder


WHOIS

Basic WHOIS Query

whois <domain>

Retrieves the registrar, creation/expiration dates, name servers, and registrant contacts for the domain.

DNS

DNS Record Types

  • A: maps a hostname to an IPv4 address
  • AAAA: maps a hostname to an IPv6 address
  • CNAME: alias pointing to another hostname
  • MX: mail servers for the domain
  • NS: authoritative name servers
  • TXT: arbitrary text data (SPF, DKIM, verification tokens)
  • SOA: zone administration info
  • SRV: location of specific services
  • PTR: reverse DNS (IP to hostname)

dig

dig <domain>                      # Default A record lookup
dig <domain> A                    # Retrieve IPv4 address (A record)
dig <domain> MX                   # Retrieve mail servers (MX records)
dig <domain> NS                   # Retrieve authoritative name servers
dig <domain> TXT                  # Retrieve TXT records (SPF, DKIM, etc.)
dig @<dns_server> <domain>        # Query specific DNS server
dig +trace <domain>               # Show full DNS resolution path
dig -x <ip>                       # Reverse DNS lookup (IP to hostname)
dig +short <domain>               # Short, concise output only
dig +noall +answer <domain>       # Show only the answer section
dig <domain> ANY                  # Attempt to retrieve all record types

host

host <domain>                        # Default lookup (A and AAAA records)
host -t <record_type> <domain>       # Query specific DNS record type (e.g., MX, TXT)
host -a <domain>                     # Lookup all available records (verbose)

nslookup

nslookup                             # Start interactive mode
server <dns_server>                  # Set target DNS server
set type=<record_type>               # Set desired record type (e.g., MX, TXT)
<domain>                             # Query the domain

fierce

fierce -dns <domain>

dnsrecon

dnsrecon -d <domain> -t <record_type>

massdns

massdns -r <resolvers.txt> -t A -o S <domain_list.txt>

Subdomain Bruteforcing

dnsenum

dnsenum --enum <domain> -f <wordlist> -r

fierce

fierce --domain <domain>

dnsrecon

dnsrecon -d <domain> -D <wordlist> -t brt

amass

amass enum -active -d <domain>

puredns

puredns bruteforce <wordlist> <domain>

DNS Zone Transfers

dig axfr @<dns_server> <domain>
host -l <domain> <dns_server>
dnsrecon -d <domain> -t axfr

Defence: restrict AXFR to the IPs of trusted secondary name servers, refuse every other transfer request, and monitor name server logs for AXFR attempts.
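As an added example (not part of the original cheatsheet), the following Python script parses the record lines that `dig +noall +answer` and `dig axfr` print, summarises the record types from the DNS section above, and classifies the outcome of a zone transfer attempt so you can audit your own authoritative servers and confirm they refuse AXFR. All dig output below is constructed sample data; the domain `example.test` and the name server `ns1.example.test` are placeholders. On BIND the corresponding control is the `allow-transfer` option in the zone or options block.

```python
import re
from collections import Counter

# Constructed sample of `dig +noall +answer` output (not real data).
DIG_ANSWER_SAMPLE = """\
example.test.        3600    IN      A       192.0.2.10
example.test.        3600    IN      AAAA    2001:db8::10
example.test.        3600    IN      MX      10 mail.example.test.
example.test.        3600    IN      NS      ns1.example.test.
example.test.        3600    IN      TXT     "v=spf1 mx -all"
"""

# Constructed sample of a successful `dig axfr` (the server allowed the transfer).
AXFR_OPEN_SAMPLE = """\
; <<>> DiG 9.18.0 <<>> axfr @ns1.example.test example.test
;; global options: +cmd
example.test.        3600    IN      SOA     ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
example.test.        3600    IN      NS      ns1.example.test.
www.example.test.    3600    IN      A       192.0.2.20
dev.example.test.    3600    IN      A       192.0.2.21
example.test.        3600    IN      SOA     ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
;; Query time: 3 msec
"""

# Constructed sample of a refused `dig axfr` (the expected, hardened outcome).
AXFR_REFUSED_SAMPLE = """\
; <<>> DiG 9.18.0 <<>> axfr @ns1.example.test example.test
;; global options: +cmd
; Transfer failed.
"""

# name  ttl  class  type  rdata
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+(IN)\s+([A-Z0-9]+)\s+(.*)$")


def parse_dig_records(text):
    """Parse dig answer lines into (name, ttl, type, rdata) tuples, skipping ';' comments."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            name, ttl, _cls, rtype, rdata = m.groups()
            records.append((name.rstrip(".").lower(), int(ttl), rtype, rdata.strip()))
    return records


def record_type_counts(text):
    """Count how many records of each type the answer section contains."""
    return dict(Counter(r[2] for r in parse_dig_records(text)))


def classify_axfr(text):
    """Return 'refused', 'open' or 'unknown' for `dig axfr` output.

    A completed transfer is bracketed by two SOA records; a refusal prints
    '; Transfer failed.' and no records at all.
    """
    if "Transfer failed" in text:
        return "refused"
    soa = [r for r in parse_dig_records(text) if r[2] == "SOA"]
    if len(soa) >= 2:
        return "open"
    return "unknown"


def axfr_exposed_names(text):
    """Hostnames an open transfer hands out, i.e. what your audit (or anyone else) would see."""
    if classify_axfr(text) != "open":
        return []
    return sorted({r[0] for r in parse_dig_records(text) if r[2] != "SOA"})


if __name__ == "__main__":
    print(record_type_counts(DIG_ANSWER_SAMPLE))
    for label, sample in (("open", AXFR_OPEN_SAMPLE), ("refused", AXFR_REFUSED_SAMPLE)):
        print(label, "->", classify_axfr(sample), axfr_exposed_names(sample))
```

To use it against a real zone you control, pipe `dig axfr @<dns_server> <domain>` into `classify_axfr`; every public-facing authoritative server for the zone should come back as `refused`, and an `open` result is a finding to fix before anything else on this page.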


Virtual Hosts

Virtual hosting allows a single server to host multiple websites by distinguishing requests based on domain name, IP, or port. It enables efficient resource use and logical separation of hosted services. Web servers use the Host header in HTTP requests to identify which site to serve. Multiple domain names can point to the same IP, and the server maps each to the correct directory or configuration.

Types of Virtual Hosting

Type         Mechanism                         Notes
Name-Based   Uses HTTP Host header             Most common. Requires SNI for HTTPS. Multiple domains on one IP.
IP-Based     Unique IP per website             Better isolation. Requires multiple IPs.
Port-Based   Different ports for each website  Easy to set up. Not user-friendly (e.g., site.com:8081).
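As an added example (not part of the original cheatsheet), the following Python snippet models how a name-based virtual host lookup turns the HTTP Host header into a site configuration. It contrasts the permissive behaviour, where an unknown or missing Host value falls through to the default site, with a strict lookup that serves only configured names; the fall-through is exactly the difference in responses that a vhost wordlist scan keys on. The hostnames and document roots are constructed placeholders.

```python
# Constructed vhost table: Host header value -> document root (placeholders).
VHOSTS = {
    "www.example.test": "/srv/www/public",
    "dev.example.test": "/srv/www/dev",
    "intranet.example.test": "/srv/www/intranet",
}
DEFAULT_DOCROOT = "/srv/www/public"   # what a typical server serves when no vhost matches


def normalize_host(host_header):
    """Lower-case the Host value, drop a trailing dot and an explicit port (e.g. 'site.com:8081')."""
    if host_header is None:
        return ""
    host = host_header.strip().lower()
    # An IPv6 literal such as [2001:db8::1]:8080 keeps its brackets; otherwise split off the port.
    if host.startswith("["):
        host = host.split("]")[0] + "]"
    elif ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def route_permissive(host_header):
    """Lenient lookup: unknown or missing Host falls through to the default site.

    Because every name gets an answer, a scanner can compare the default response
    with the response for a guessed name and spot configured-but-unlisted vhosts.
    """
    host = normalize_host(host_header)
    return (200, VHOSTS.get(host, DEFAULT_DOCROOT))


def route_strict(host_header):
    """Hardened lookup: only explicitly configured names are served; anything else is a 404.

    This stops the server answering for arbitrary Host values. Names that are
    configured on a public listener are still guessable, so sensitive vhosts belong
    on a separate IP or listener (the IP-based row in the table) or behind authentication.
    """
    host = normalize_host(host_header)
    docroot = VHOSTS.get(host)
    if docroot is None:
        return (404, None)
    return (200, docroot)


if __name__ == "__main__":
    for h in ("www.example.test", "INTRANET.example.test:8081", "guess.example.test", None):
        print(repr(h), "permissive:", route_permissive(h), "strict:", route_strict(h))
```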

Gobuster VHost

gobuster vhost -u http://<ip> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain

Hosts File

Windows:     C:\Windows\System32\drivers\etc\hosts
Linux/MacOS: /etc/hosts


Certificate Transparency Logs

  • Public, append-only ledger of issued certificates.
  • Detect rogue or mis-issued certificates for your domains.
  • Find legacy or obscure subdomains that still receive certificates.
  • Passive enumeration without sending DNS queries.

crt.sh API Query

Fetch every certificate logged for the domain and list the names it covers

curl -s "https://crt.sh/?q=<domain>&output=json" | \
jq -r '.[].name_value' | sort -u

Filter for Specific Pattern (e.g., dev)

Keep only names containing 'dev'

curl -s "https://crt.sh/?q=<domain>&output=json" | \
jq -r '.[] | select(.name_value | contains("dev")) | .name_value' | sort -u
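As an added example (not code from the original cheatsheet or from crt.sh), the following Python function does what the jq one-liners above do, but also handles the details the raw pipeline passes through untouched: a single certificate's `name_value` can hold several SAN names separated by newlines, wildcard entries such as `*.example.test`, mixed case, and names that merely contain the domain string without belonging to it. The JSON below is a constructed sample shaped like crt.sh output; `example.test` is a placeholder domain.

```python
import json

# Constructed sample shaped like crt.sh's JSON output (not a real query result).
CRTSH_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Example CA", "name_value": "example.test\nwww.example.test"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "*.example.test"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "DEV.example.test\ndev-api.example.test"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "mail.example.test"},
    {"issuer_name": "C=US, O=Other CA", "name_value": "example.test.other-org.net"},
])


def crtsh_names(raw_json, domain):
    """Return the sorted, de-duplicated in-scope hostnames from crt.sh JSON.

    Splits multi-name entries, lower-cases, strips the wildcard label and drops
    names that are neither the domain itself nor one of its subdomains.
    """
    domain = domain.lower().rstrip(".")
    names = set()
    for entry in json.loads(raw_json):
        for raw in entry.get("name_value", "").splitlines():
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


def filter_names(names, pattern):
    """Keep names containing the pattern, e.g. 'dev' as in the jq filter above."""
    pattern = pattern.lower()
    return [n for n in names if pattern in n]


if __name__ == "__main__":
    found = crtsh_names(CRTSH_SAMPLE, "example.test")
    print("\n".join(found))
    print("dev-related:", filter_names(found, "dev"))
```

To run it against live data, feed the body of `curl -s "https://crt.sh/?q=<domain>&output=json"` to `crtsh_names`. From the defender's side, the same list diffed against your own DNS inventory shows certificates issued for names you no longer serve, and names you never authorised.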

Fingerprinting

HTTP Banner Grabbing

curl -I <target>
# Fetch HTTP response headers (server, location, x-powered-by)
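As an added example (not part of the original cheatsheet), the following Python snippet parses a raw HTTP response head of the kind `curl -I` prints, pulls out the headers used for fingerprinting, and flags the ones that disclose a product version. Both responses are constructed samples; the second is the hardened form of the first, with version details removed from the Server header and X-Powered-By dropped (on Apache httpd that is `ServerTokens Prod`; for PHP, `expose_php = Off`).

```python
# Constructed raw response as `curl -I` would show it (not from a real host).
RAW_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Location: https://www.example.test/\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)

# Constructed hardened response: product only, no version, no X-Powered-By.
HARDENED_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: Apache\r\n"
    "Location: https://www.example.test/\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)

# Headers that commonly leak product and version information.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator")


def parse_headers(raw):
    """Split a raw response into (status_line, {header_name_lower: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def fingerprint(raw):
    """Return the fingerprinting-relevant headers present in the response."""
    _, headers = parse_headers(raw)
    return {k: headers[k] for k in ("server", "location", "x-powered-by") if k in headers}


def version_disclosures(raw):
    """Return disclosing headers whose value carries a version (a digit after a '/')."""
    _, headers = parse_headers(raw)
    leaks = {}
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value and any(part[0].isdigit() for part in value.split("/")[1:] if part):
            leaks[name] = value
    return leaks


if __name__ == "__main__":
    print(fingerprint(RAW_RESPONSE))
    print("leaks:", version_disclosures(RAW_RESPONSE))
    print("hardened leaks:", version_disclosures(HARDENED_RESPONSE))
```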

wafw00f (WAF Detection)

pip3 install git+https://github.com/EnableSecurity/wafw00f
wafw00f <target>
# Detect Web Application Firewall and its type

Nikto (Fingerprinting Mode)

git clone https://github.com/sullo/nikto
cd nikto/program
./nikto.pl -h <target> -Tuning b
# -Tuning b: fingerprinting mode for outdated tech, headers, platforms

WhatWeb

sudo apt install whatweb
whatweb <target>
# Web stack fingerprinting via HTTP response analysis

Nmap

nmap -sV -O <target>
# -sV: service/version detection
# -O: OS detection based on TCP/IP stack

Crawling

gobuster

gobuster dir -u http://<domain> -w <wordlist>
# Directory enumeration using wordlist

hakrawler

hakrawler -url http://<domain> -depth 3 -usewayback -plain
# Fast crawl with depth limit, includes Wayback Machine data

Scrapy

scrapy startproject myproject
cd myproject
scrapy genspider example example.com
scrapy crawl example
# Create and run a custom spider for the domain
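As an added example (not code from the original cheatsheet, hakrawler or Scrapy), the following Python crawler shows the two controls the tools above expose: a depth limit like hakrawler's `-depth 3` and a same-host scope so the crawl does not wander onto third-party sites. It runs entirely against a constructed in-memory "site" (a dict of URL to HTML), using only the standard library; the `fetch` callback is the hypothetical hook where a real HTTP client would go. The crawl also surfaces a resource that is linked but not meant to be public, which is the kind of thing a defender wants to see before a scanner does.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed in-memory "site": URL -> HTML body. No network access is performed.
SITE = {
    "http://example.test/": '<a href="/about">About</a> <a href="/docs/">Docs</a> '
                            '<a href="http://other.test/">Partner</a>',
    "http://example.test/about": '<a href="/">Home</a> <a href="/team">Team</a>',
    "http://example.test/docs/": '<a href="guide.html">Guide</a> <a href="/about">About</a>',
    "http://example.test/docs/guide.html": '<a href="../team">Team</a> <a href="/docs/">Docs</a>',
    "http://example.test/team": '<a href="/hidden/backup.zip">Backup</a>',
    "http://example.test/hidden/backup.zip": "",
}


class LinkExtractor(HTMLParser):
    """Collect href values from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(base_url, html):
    """Resolve relative hrefs against the page URL and strip fragments."""
    parser = LinkExtractor()
    parser.feed(html)
    return [urljoin(base_url, href).split("#", 1)[0] for href in parser.links]


def crawl(start_url, fetch, max_depth=3):
    """Breadth-first crawl limited to the start host and to max_depth link hops.

    `fetch(url)` returns the page body or None. The result maps each discovered
    URL to the depth at which it was first found.
    """
    scope_host = urlparse(start_url).netloc
    seen = {start_url: 0}
    queue = [(start_url, 0)]
    while queue:
        url, depth = queue.pop(0)
        body = fetch(url)
        if body is None or depth >= max_depth:
            continue                      # depth limit: record the page but do not expand it
        for link in extract_links(url, body):
            if urlparse(link).netloc != scope_host or link in seen:
                continue                  # out of scope, or already queued
            seen[link] = depth + 1
            queue.append((link, depth + 1))
    return seen


def fetch_from_memory(url):
    """Hypothetical fetch hook; a real crawler would issue an HTTP GET here."""
    return SITE.get(url)


if __name__ == "__main__":
    for url, depth in sorted(crawl("http://example.test/", fetch_from_memory).items()):
        print(depth, url)
```

Note how lowering `max_depth` to 2 hides the backup archive: the page that links to it is reached at depth 2 and is therefore never expanded. When you crawl your own sites, pick the depth from the site's link structure rather than from a default, or the map stays incomplete.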

Automated Web Reconnaissance

FinalRecon

./finalrecon.py --full --url <target>

Recon-ng

./recon-ng
modules load <module>       # Load recon module
options set KEY VALUE       # Set module options
run                         # Execute module

theHarvester

theHarvester -d <domain> -l 500 -b google

SpiderFoot

git clone https://github.com/smicallef/spiderfoot.git
cd spiderfoot
pip3 install -r requirements.txt
python3 sf.py -l 127.0.0.1:8080     # -l takes IP:port to listen on

Access UI: http://127.0.0.1:8080

Automated Spider

ReconSpider

python3 ReconSpider.py http://<target>

Search Engine Discovery

Common Operators

Operator      Description                       Example
site:         Search within domain              site:example.com
inurl:        URL contains keyword              inurl:login
filetype:     Search specific file types        filetype:pdf
intitle:      Title contains keyword            intitle:"index of"
intext:       Body contains keyword             intext:"password reset"
cache:        View cached page                  cache:example.com
link:         Pages linking to target           link:example.com
related:      Related websites                  related:example.com
info:         Info about page                   info:example.com
define:       Word definitions                  define:phishing
numrange:     Search numbers in range           numrange:1000-2000
allintext:    All terms in body                 allintext:admin password reset
allinurl:     All terms in URL                  allinurl:admin panel
allintitle:   All terms in title                allintitle:index of backup
AND/OR/NOT    Boolean logic for refinement      site:example.com AND inurl:admin
*             Wildcard for one or more terms    "user * manual"
..            Numeric range shortcut            "price" 100..500
" "           Exact phrase search               "sensitive internal document"
-             Exclude term from result          site:gov.com -inurl:login

Dork Examples

site:example.com inurl:login
site:example.com filetype:pdf
site:example.com inurl:config.php
site:example.com filetype:sql

Web Archives

Passive Recon with Wayback Machine

Recursively download an archived version of the site

wget -r -np -k http://web.archive.org/web/<snapshot_id>/<site>

List available snapshots

curl -s https://web.archive.org/web/*/https://<domain>