In security research and ethical hacking, DNS enumeration is one of the first steps of information gathering against a target. It is the process of querying a domain's DNS records: its name servers, IP addresses, mail exchangers, TTLs and more. An attacker uses this information to map the target's external footprint (mail servers, hosting and CDN providers, subdomains exposed through aliases) and to pick hosts for further probing; a defender can run the same queries to see what the domain gives away. There are numerous DNS reconnaissance and online enumeration tools available on the internet, but most of this enumeration can be done with a single command-line utility: host, which ships with the BIND 9 DNS tools. In this article, we'll look at some useful host command examples for querying DNS details. Let's get started!
Installation
The host command is sometimes not available by default on a newly installed machine, so you may have to install it yourself. Installation is simple: host ships in the same package as the other BIND DNS tools, nslookup and dig. On RHEL, CentOS and Fedora that package is bind-utils (sudo yum install bind-utils, or sudo dnf install bind-utils), and on Debian and Ubuntu it is bind9-host, pulled in by the dnsutils package (sudo apt install dnsutils). macOS already ships host, so nothing needs to be installed there; the commands in this article work the same on macOS and Linux.
Usage
General syntax: running host with no arguments prints its usage line, listing the options it accepts together with a brief description of each. Sample Output:
To find the domain IP address
To find the IP address of a domain, pass the domain name as the only argument, for example host example.com. With no record type given, host looks up the A, AAAA and MX records of the name, so you get the IPv4 and IPv6 addresses and the mail servers in one go. For a comprehensive lookup use the verbose flag, -v, which prints the full dig-style answer including TTLs, or -a, which is shorthand for -v -t ANY and asks the server for every record type at once. Be aware that many authoritative servers and resolvers now answer ANY queries minimally or refuse them (RFC 8482), so -a is not a reliable way to list all records of a domain; querying each type explicitly with -t, as shown in the following sections, is. In the verbose output you can also see which resolver answered the query: its address appears in the final "Received ... bytes from ..." line.
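Because ANY queries are so often refused, the practical way to get "all records" is to loop over the record types you care about. The script below is an added example, not code from the original article: it queries one type at a time and normalizes host's one-line answers into a TYPE/value form that other tools can consume. The record-type list and the line formats (those printed by the BIND 9 host utility) are assumptions; example.com is just a placeholder domain.

```sh
#!/bin/sh
# Added example: enumerate a domain's records type by type instead of relying
# on "host -a", and normalize host's short answers into "TYPE<TAB>value".
# Assumed: the types below are the ones worth collecting, and the answer line
# formats are those of the BIND 9 host utility.

# Record types to query one at a time (ANY is often answered minimally or refused).
RECORD_TYPES="A AAAA NS MX TXT SOA CNAME"

# normalize_host_output: read host's short-form answer lines on stdin and print
# "TYPE<TAB>data". Lines that are not answers (e.g. "not found") come out as
# "ERR<TAB>line" so nothing is silently dropped.
normalize_host_output() {
  awk '
    / has address /         { print "A\t" $NF; next }
    / has IPv6 address /    { print "AAAA\t" $NF; next }
    / name server /         { print "NS\t" $NF; next }
    / mail is handled by /  { print "MX\t" $(NF-1) " " $NF; next }
    / is an alias for /     { print "CNAME\t" $NF; next }
    / domain name pointer / { print "PTR\t" $NF; next }
    / descriptive text /    { sub(/^[^ ]+ descriptive text /, ""); print "TXT\t" $0; next }
    / has SOA record /      { sub(/^[^ ]+ has SOA record /, ""); print "SOA\t" $0; next }
    { print "ERR\t" $0 }
  '
}

# enum_domain DOMAIN [SERVER]: query each record type. SERVER is optional;
# pass an authoritative server to bypass the local resolver's cache.
enum_domain() {
  domain=$1
  server=${2:-}
  for t in $RECORD_TYPES; do
    # "|| true" keeps the loop going when a type has no records (host exits 1).
    host -t "$t" "$domain" $server 2>/dev/null || true
  done | normalize_host_output
}

# Run the live enumeration only when a domain is given on the command line,
# so the file can also be sourced just for the parser.
if [ $# -gt 0 ]; then
  enum_domain "$@"
fi
```

Usage: sh enum.sh example.com, or sh enum.sh example.com a.iana-servers.net to ask an authoritative server directly. Piping the normalized output through sort -u gives a stable record set you can diff between runs to spot DNS changes.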
To perform Reverse Lookup
Passing an IP address instead of a name performs a reverse lookup: host queries the PTR record under in-addr.arpa (or ip6.arpa for IPv6) and prints the hostname registered for that address, for example li685-110.members.linode.com. Do not read too much into that name. The PTR record is set by whoever controls the reverse zone for the address (here the hosting provider), and it names the machine, not necessarily the website served from it, so opening the pointer address in a browser will not necessarily show the target's site. Many addresses have no PTR record at all, and a PTR can point to a name that does not resolve back to the same address, so always confirm the result with a forward lookup of the returned name (forward-confirmed reverse DNS) before relying on it.
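The forward-confirmation check described above, as an added example that is not part of the original article: the pure function works over captured host output so it can be exercised offline, and a small wrapper runs the two real lookups. The output line formats are assumed to be those of the BIND 9 host utility, and the addresses and names used in the comments are placeholders.

```sh
#!/bin/sh
# Added example: forward-confirmed reverse DNS (FCrDNS). A PTR record proves
# nothing by itself; the name it returns must resolve back to the same IP.
# Assumed: output formats of the BIND 9 host utility.

# ptr_name: print the target of the first "... domain name pointer NAME." line
# on stdin, without the trailing dot. Prints nothing if there is no PTR line.
ptr_name() {
  awk '/ domain name pointer / { sub(/\.$/, "", $NF); print $NF; exit }'
}

# forward_has_ip IP: succeed if a "has address" or "has IPv6 address" line on
# stdin carries exactly IP.
forward_has_ip() {
  awk -v ip="$1" '(/ has address / || / has IPv6 address /) && $NF == ip { found = 1 }
                  END { exit !found }'
}

# fcrdns_check IP PTR_OUTPUT FORWARD_OUTPUT: verdict over captured output.
# Returns 0 on a confirmed match, 1 on mismatch or missing PTR.
fcrdns_check() {
  ip=$1
  name=$(printf '%s\n' "$2" | ptr_name)
  if [ -z "$name" ]; then
    echo "NO-PTR $ip"
    return 1
  fi
  if printf '%s\n' "$3" | forward_has_ip "$ip"; then
    echo "MATCH $ip -> $name -> $ip"
    return 0
  fi
  echo "MISMATCH $ip -> $name (forward lookup does not include $ip)"
  return 1
}

# fcrdns_live IP: run the real reverse and forward lookups, then check them.
fcrdns_live() {
  ptr_out=$(host "$1" 2>&1 || true)
  name=$(printf '%s\n' "$ptr_out" | ptr_name)
  fwd_out=""
  if [ -n "$name" ]; then
    fwd_out=$(host "$name" 2>&1 || true)
  fi
  fcrdns_check "$1" "$ptr_out" "$fwd_out"
}

if [ $# -gt 0 ]; then
  fcrdns_live "$1"
fi
```

Usage: sh fcrdns.sh 93.184.216.34. A MISMATCH is not proof of wrongdoing (shared hosting and CDNs produce them routinely), but it means the PTR name should not be trusted as an identity for the address.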
To find Domain Name servers
Use the -t option to specify the query type. To list a domain's name servers, ask for its NS records: host -t ns example.com. NS records name the servers that are authoritative for the zone, which is where the zone's real data lives. Sample Output:
To query certain domain nameserver
To send a query to a specific name server instead of the system's default resolver, add the server's name or address as a second argument: host example.com ns1.example.com. Querying an authoritative server directly returns the zone's current data rather than a cached copy, which is useful when checking whether a change has propagated or whether your resolver is serving stale answers. Sample Output:
To find domain MX records
To get a domain's MX (mail exchanger) records: host -t mx example.com. Each MX record names a mail server together with a preference value; sending servers try the lowest preference first and fall back to the others. These records direct a domain's inbound email, so they tell you which hosts receive mail for the target and whether that mail is handled in-house or by a third-party provider. Sample Output:
To find domain TXT records
To get a domain's TXT records: host -t txt example.com. A TXT record holds free-form text, but in practice it carries machine-read policies and tokens: the SPF policy (a record starting with v=spf1) that says which servers may send mail for the domain, domain-ownership verification tokens for third-party services, and, at related names such as _dmarc.example.com, the DMARC policy. TXT records are therefore a quick way to learn which SaaS providers a domain uses and whether it protects its mail from spoofing. Sample Output:
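The MX and TXT sections above describe the two records that together show a domain's mail posture. The following added example (not code from the original article) turns the output of host -t MX and host -t TXT into a short summary: the mail hosts in preference order and how strict the published SPF policy is. It assumes the line formats printed by the BIND 9 host utility; the domain and host names in the comments are placeholders.

```sh
#!/bin/sh
# Added example: summarize a domain's mail posture from "host -t MX" and
# "host -t TXT" output. Assumed: output formats of the BIND 9 host utility.

# mx_hosts: read "DOMAIN mail is handled by PREF HOST." lines on stdin and print
# "PREF HOST" sorted by preference (lowest first, i.e. tried first).
mx_hosts() {
  awk '/ mail is handled by / { sub(/\.$/, "", $NF); print $(NF-1), $NF }' | sort -n
}

# spf_record: read TXT answer lines on stdin and print the SPF record without
# its quotes. Only a record whose text starts with v=spf1 counts.
spf_record() {
  awk 'index($0, " descriptive text \"v=spf1") {
         sub("^[^ ]+ descriptive text \"", ""); sub("\"$", ""); print; exit }'
}

# spf_verdict SPF: classify the policy by its final "all" mechanism.
spf_verdict() {
  case "$1" in
    "")                echo "NO-SPF (no sender policy published)";;
    *" -all")          echo "SPF hard fail: $1";;
    *" ~all")          echo "SPF soft fail: $1";;
    *" ?all"|*" +all") echo "SPF permissive (effectively no protection): $1";;
    *)                 echo "SPF with no explicit all mechanism: $1";;
  esac
}

# mail_posture MX_OUTPUT TXT_OUTPUT: summary over captured host output.
mail_posture() {
  printf '%s\n' "$1" | mx_hosts | sed 's/^/MX /'
  spf_verdict "$(printf '%s\n' "$2" | spf_record)"
}

# mail_posture_live DOMAIN: run the two lookups and summarize them.
mail_posture_live() {
  mx_out=$(host -t MX "$1" 2>/dev/null || true)
  txt_out=$(host -t TXT "$1" 2>/dev/null || true)
  mail_posture "$mx_out" "$txt_out"
}

if [ $# -gt 0 ]; then
  mail_posture_live "$1"
fi
```

Usage: sh mailposture.sh example.com. A NO-SPF or permissive verdict means receiving servers have no basis to reject mail forged with the domain's name; a hard-fail policy is what you want to see, alongside a DMARC record at _dmarc.example.com (queried the same way with -t txt).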
To find domain SOA record
To get a domain's SOA (start of authority) record: host -t soa example.com. The SOA record identifies the zone's primary name server, the zone administrator's mailbox, the zone serial number, and the refresh, retry, expire and minimum-TTL timers that secondaries use. To compare the SOA records returned by all the authoritative name servers for a zone (the portion of the DNS namespace those servers are responsible for), use host -C example.com; it queries every server listed in the zone's NS records, and differing serial numbers reveal a secondary that has not caught up with the primary. Sample Output:
To find domain CNAME records
CNAME stands for canonical name record. A CNAME makes one name an alias of another: a lookup of the alias is answered with the records of the canonical name. This is a DNS-level alias, not an HTTP redirect. To look up a name's CNAME record, use host -t cname www.example.com. Only names that are aliases have a CNAME record, and a zone apex (example.com itself) cannot be one, so check subdomains such as www. Aliases that point at third-party hosting or CDN names are worth noting during reconnaissance: if the canonical name no longer exists at the provider, the alias is a dangling record and a candidate for subdomain takeover. Sample Output:
To find domain TTL information
TTL stands for time to live. Every DNS record carries a TTL, set by the zone's administrator in the authoritative zone, that tells resolvers how many seconds they may cache the record before asking again. The default host output does not show TTLs; use the verbose flag, host -v example.com, and read the TTL column in the ANSWER SECTION. Note that a recursive resolver reports the time remaining in its cache, so the value counts down between queries; to see the configured value, ask an authoritative server directly (host -v example.com ns1.example.com). Sample Output:
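The following added example (not code from the original article) extracts the TTLs from host -v output and reports the smallest one, which bounds how long a cached answer for the name stays valid. It assumes the dig-style answer-section format that the BIND 9 host utility prints in verbose mode; example.com and the resolver address in the comments are placeholders.

```sh
#!/bin/sh
# Added example: pull TTLs out of "host -v" output. The plain "host" output
# omits TTLs; verbose mode prints resource records under ";; ANSWER SECTION:" as
#   NAME.   TTL   IN   TYPE   DATA
# Assumed: that BIND 9 verbose format. A recursive resolver reports the
# remaining cache time; an authoritative server reports the configured value.

# answer_ttls: read host -v output on stdin and print "TYPE DATA TTL" for each
# record in the answer section. Other sections and the trailing
# "Received ... bytes from ..." line are ignored.
answer_ttls() {
  awk '
    /^;; ANSWER SECTION:/ { in_ans = 1; next }
    /^;;/ || /^$/         { in_ans = 0; next }
    in_ans && $3 == "IN"  {
      data = $5
      for (i = 6; i <= NF; i++) data = data " " $i   # multi-field data such as MX
      print $4, data, $2
    }
  '
}

# min_ttl: smallest TTL among the answer records on stdin (host -v output).
min_ttl() {
  answer_ttls | awk 'NR == 1 || $NF < m { m = $NF } END { if (NR) print m }'
}

# ttl_live NAME [SERVER]: show TTLs as seen by the local resolver and, if
# SERVER is given, as published by that server (normally an authoritative one).
ttl_live() {
  echo "via local resolver:"
  host -v -t A "$1" 2>/dev/null | answer_ttls
  if [ -n "${2:-}" ]; then
    echo "via $2:"
    host -v -t A "$1" "$2" 2>/dev/null | answer_ttls
  fi
}

if [ $# -gt 0 ]; then
  ttl_live "$@"
fi
```

Usage: sh ttl.sh example.com a.iana-servers.net. Running it twice a few seconds apart against the local resolver shows the TTL counting down, while the authoritative value stays constant.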
Conclusion
I hope you found this article helpful in learning some useful host command examples for querying DNS details. You may also be interested in free online tools for checking the DNS records of a domain name.