DNS analysis

By examining DNS records and certificates issued for a domain, we can passively learn about:

🗺️ Public domains and subdomains used by the company
📮 Mail Server configuration through MX records
✍️ Externally connected apps through TXT records
🧑 Targets for social engineering attacks
🛣️ Servers and IP ranges
...

Inspect DNS Records

You can examine DNS records using:

nslookup
dig
subfinder
Sublist3r
DNSRecon (⚠️, not all usages are passive)
TheHarvester
dnsdumpster (+subdomains)
netcraft searchdns/sitereport
viewdns (dig)
VirusTotal details (dig) + relations (+subdomains)
domain.glass (outdated version of VirusTotal)

Inspect Registrar Information

You can find social engineering information using:

Inspect IP Ranges

Find which IP ranges are owned by a company:

arin (US) and ripe (EU)
BGP Toolkit
netcraft

Certificate Transparency (CT)

Another popular way to find subdomains is to study the generated certificate. A SSL certificate is generate for usually multiple domains, so we may find subdomains or other domains like this.

SSL Tools such as crt.sh
TheHarvester

👻 To-do 👻

Stuff that I found, but never read/used yet.

knock (passive or brute force python tool)

DNS analysis ¶

Inspect DNS Records ¶

Inspect Registrar Information ¶

Inspect IP Ranges ¶

Certificate Transparency (CT) ¶