Skip to main content

DIG

This section will cover some ways to enumerate a domain using DIG.

Table of Contents
  • Overview
  • Queries
    • A Records
    • PTR Records
    • ANY Existing Records
    • TXT Records
    • MX Records
    • AXFR Records

Overview

DIG allows us to obtain detailed information on a domain when performing a lookup which can be used during an engagement.

We can use the at (@) symbol to specify the IP address of the DNS server we wish to use.

Queries

There are many queries and ways that DIG can be used.

The following queries will be covered here:

  • A Records
  • PTR Records
  • ANY Existing Records
  • TXT Records
  • MX Records
  • AXFR Records

A Records

By default, dig will query DNS A records when nothing is specified. Alternatively, we can use A to specify dig to lookup A records.

dig a www.google.com @9.9.9.9

Command breakdown:

  • a - Specify to query A records.
  • www.google.com - Specify the domain to query.
  • @9.9.9.9 - Specify the DNS server to use.

dig1.png

PTR Records

Pointer (PTR) records maps an IP address to a domain name. We can find the domain name if we have the IP address of it. To perform a query on PTR records, use the -x flag.

An example will be obtaining the domain name for 8.8.8.8.

dig -x 8.8.8.8 @9.9.9.9

Command breakdown:

  • -x - Specify to perform a query on PTR records.
  • 8.8.8.8 - Specify the IP address to query.
  • @9.9.9.9 - Specify the IP address of the DNS server.

dig2.png

ANY Existing Records

We can use any to query ANY records. In RFC8482, it specifies that ANY DNS requests be abolished. Therefore, we might not get a response to our ANY request from the DNS server.

dig any google.com @8.8.8.8

Command breakdown:

  • any - Specify to query ANY records.
  • google.com - Specify the domain to query.
  • @8.8.8.8 - Specify the IP address of the DNS server.

dig3.png

TXT Records

TXT records store notes within the DNS server. We can use txt to query them.

dig txt google.com @9.9.9.9

Command breakdown:

  • txt - Specify to query TXT records.
  • google.com - Specify the domain to query.
  • @9.9.9.9 - Specify the IP address of the DNS server.

dig4.png

MX Records

Mail Exchange (MX) records directs email to a mail server that is responsible for accepting emails on behalf of a domain. There can be multiple records with different priority levels.

We can use mx to query MX records.

dig mx google.com @9.9.9.9

Command breakdown:

  • mx - Specify to query MX records.
  • google.com - Specify the domain to query.
  • @9.9.9.9 - Specify the IP address of the DNS server.

dig5.png

AXFR Records

We can use AXFR to perform a zone transfer.

dig axfr inlanefreight.htb @10.129.8.113

Command breakdown:

  • axfr - Specify to query AXFR records.
  • inlanefreight.htb - Specify the domain.
  • @10.129.8.113 - Specify the IP address of the DNS server.

dig6.png