May 27, 2026
DNS Pentesting Guide For Beginners: How Hackers Exploit Port 53
Rahul Singh Chauhan
Hi everyone, in this article, we'll learn about DNS pentesting. Recently, I found myself performing a network pentest for a bank. Surprisingly enough, they were all Cisco devices.
So, this article would be a good refresher for anyone starting on DNS enumeration.
DNS is one of the most overlooked attack surfaces during security assessments. Misconfigured DNS servers can leak internal infrastructure, expose hidden subdomains, and sometimes even reveal sensitive systems that developers forgot existed. This has been specifically useful to me during the CPTS exam where I used one of the techniques discussed below to learn about all the sites hosted and enumerate the attack surface.
What is DNS?
DNS (Domain Name System) acts like the internet's phonebook.
Instead of remembering IP addresses like 142.250.183.46 we use domains like google.com. So, simply put, DNS converts domain names into IP addresses.
Most DNS traffic runs on:
TCP/UDP Port 53
Why is DNS Important in Pentesting?
DNS often exposes:
- Internal hostnames
- Development servers
- Admin panels
- VPN gateways
- Cloud infrastructure
- Forgotten applications
My friend got a $100 bounty just by performing DNS enumeration on Cloudflare because they had exposed their internal website on the public internet. This was not too long ago. He found it in late 2025. So, it's not uncommon to find these issues.
Many organizations secure their websites but forget to secure DNS properly. So, we as penetration testers can use DNS reconnaissance to:
- Map infrastructure
- Find hidden attack surfaces
- Discover takeover opportunities
- Identify internal naming conventions
Identify DNS Servers
The first step is finding the domain's nameservers.
Use the following commands to enumerate the nameservers for a domain like example.com.
dig ns example.com
nslookup -type=ns example.com
<OUTPUT>
example.com. 172800 IN NS ns1.example.com.
example.com. 172800 IN NS ns2.example.com.
Now we know that ns1.example.com and ns2.example.com handle DNS requests for the domain.
Gather Basic DNS Records
DNS stores multiple record types. Some of the important ones are listed below. (You can also expect such a question in an exam like CPSA.)
A: Maps domains to IPv4 addresses
AAAA: Maps domains to IPv6 addresses
MX: Discloses mail servers
TXT: Returns text records
CNAME: Returns aliases associated with a domain
NS: Nameservers (the ones we found above)
Common DNS Records
Common DNS records can be queried using:
dig any example.com
host -a example.com
Based on the configuration, you might find the following:
- Mail providers
- Third-party integrations
- Cloud services
- Internal naming patterns
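The output of `dig any` (and of the zone transfer in the next section) is a flat list of lines, and the triage work is sorting it by record type and spotting the names and addresses that should not be public. The following is an added example, not code from the article: a small parser for dig's presentation format, plus two checks for the "internal hostnames" and "internal naming patterns" items above. The sample output, the naming-pattern list and all addresses in it are constructed for the demo.

```python
"""Added example: parse dig-style DNS output and triage what it reveals.

Not from the original article. The sample output below is constructed for the
demo; record names, TTLs and addresses are made up (RFC 5737 / RFC 1918 ranges).
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Record(NamedTuple):
    name: str   # owner name, lower-cased, without the trailing dot
    ttl: int
    rtype: str  # A, AAAA, MX, TXT, CNAME, NS, SOA, ...
    rdata: str  # everything after the type, as printed by dig


def parse_dig_output(text: str) -> List[Record]:
    """Parse presentation-format lines ('<name> <ttl> IN <type> <rdata>'), as printed
    by `dig any` or `dig axfr`. Comment lines (';'), blank lines and anything that
    does not have the five expected fields are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2].upper() != "IN" or not parts[1].isdigit():
            continue
        name, ttl, _cls, rtype, rdata = parts
        records.append(Record(name.rstrip(".").lower(), int(ttl), rtype.upper(), rdata.strip()))
    return records


def group_by_type(records: List[Record]) -> Dict[str, List[Record]]:
    """Bucket records by type so MX, TXT, CNAME and NS can be reviewed separately."""
    groups: Dict[str, List[Record]] = defaultdict(list)
    for rec in records:
        groups[rec.rtype].append(rec)
    return dict(groups)


# Leftmost labels that usually mean a non-production or internal system (assumption:
# a starting list; extend it with the naming conventions seen in the zone under review).
SENSITIVE_LABEL = re.compile(
    r"^(admin|vpn|dev|staging|stage|test|uat|internal|jira|confluence|git|api|pre-?prod)([.-]|$)"
)


def flag_sensitive(records: List[Record]) -> List[str]:
    """Hostnames whose first label matches SENSITIVE_LABEL (sorted, deduplicated)."""
    return sorted({rec.name for rec in records if SENSITIVE_LABEL.search(rec.name)})


RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def private_ip_leaks(records: List[Record]) -> List[str]:
    """Hostnames whose A record points at an RFC 1918 address: a public zone that
    publishes these is leaking the internal address plan."""
    leaks = set()
    for rec in records:
        if rec.rtype != "A":
            continue
        try:
            ip = ipaddress.ip_address(rec.rdata)
        except ValueError:
            continue   # malformed rdata, not an IPv4 address
        if any(ip in net for net in RFC1918):
            leaks.add(rec.name)
    return sorted(leaks)


# Constructed sample: what a permitted AXFR of example.com might print (not real data).
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr @ns1.example.com example.com
example.com.              172800 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.              172800 IN NS    ns1.example.com.
example.com.              172800 IN NS    ns2.example.com.
example.com.              3600   IN MX    10 mail.example.com.
example.com.              3600   IN TXT   "v=spf1 mx -all"
www.example.com.          300    IN A     192.0.2.10
admin.example.com.        300    IN A     10.10.5.20
vpn.example.com.          300    IN A     198.51.100.7
dev.example.com.          300    IN A     10.10.8.4
jira.example.com.         300    IN CNAME dev.example.com.
internal-api.example.com. 300    IN A     10.10.9.1
;; Query time: 12 msec
"""

if __name__ == "__main__":
    recs = parse_dig_output(SAMPLE_AXFR)
    for rtype, group in sorted(group_by_type(recs).items()):
        print(rtype, [r.name for r in group])
    print("sensitive names:", flag_sensitive(recs))
    print("RFC 1918 leaks:", private_ip_leaks(recs))
```

Pipe real output in with `dig axfr @ns1.example.com example.com > zone.txt` and `parse_dig_output(open("zone.txt").read())`; the same parser works on `dig any` output because both print the same five-field format. On the defensive side, `private_ip_leaks` is the check to run against your own public zone before an assessor does.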
Zone Transfer Attack (AXFR)
This is one of the most famous DNS misconfigurations. It is not very uncommon to find zone transfer disabled these days.
What is a zone transfer?
A Zone Transfer allows DNS servers to synchronize records between primary and secondary servers. If misconfigured, anyone on the internet can request the entire DNS database.
If enabled, a successful zone transfer may reveal the following:
- Internal subdomains
- Admin portals
- Staging servers
- VPN endpoints
- Developer environments
- Old systems
Once you've got all this information handy, you can use the discovered domain names as targets for the pentest. Companies often forget about development domains that have authentication disabled, use default credentials, run outdated software, lack MFA, or have self-registration enabled.
How to Test Zone Transfers
First identify the nameserver:
dig ns example.com
Then attempt AXFR against each nameserver returned above:
dig axfr @ns1.example.com example.com
If vulnerable, you may receive:
admin.example.com
vpn.example.com
dev.example.com
jira.example.com
internal-api.example.com
DNS Open Resolvers
Another common DNS misconfiguration is an Open Resolver.
I found this in the pentest; it was rated high severity by the AppSec team, given that it supported critical applications for a bank.
A DNS server becomes an open resolver when it accepts recursive DNS queries from anyone on the internet instead of only trusted internal users.
This test case is only valid if the DNS server is meant for internal use and would not normally be used by the public.
Normally, recursive DNS servers should only answer requests from:
- internal employees,
- company systems,
- or authorized clients.
But when exposed publicly, anyone on the internet can use it as their own public DNS resolver.
To manually test an IP address (1.2.3.4):
dig +short ns1.example.com TXT @1.2.3.4
Subdomain Bruteforcing
Most organizations have hundreds of subdomains.
Some are public, some are forgotten and some are vulnerable.
I have worked for a cloud-based company which had thousands of microservices and had a different subdomain for each staging environment, such as alpha, beta, gamma, pre-prod. In addition to this, they also had the same environments for each region.
Subdomain enumeration is one of the most valuable reconnaissance techniques in pentesting.
Tools for Subdomain Enumeration
# Subfinder
subfinder -d example.com
# Amass
amass enum -d example.com
# Assetfinder
assetfinder --subs-only example.com
DNS Bruteforcing
Passive enumeration only finds publicly known subdomains. Bruteforcing attempts to discover hidden ones. My friend used DNS bruteforcing to find an internal subdomain of CloudFlare which was exposed publicly.
# ffuf
ffuf -u http://FUZZ.example.com -w subdomains.txt -H "Host: FUZZ.example.com"
# Gobuster
gobuster dns -d example.com -w subdomains.txt
More than the tools, the wordlists matter. Prefer SecLists or the wordlists shared by bug bounty hunters that have landed them bounties; you can find them discussing these on Twitter.
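What gobuster and ffuf do under the hood is resolve each wordlist entry under the domain, and the caveat that bites most often is a wildcard record: if `*.example.com` resolves, every guess "exists" and the result list is useless. The following is an added example, not code from the article or from either tool: the same loop in Python with the wildcard check done first. The `resolve` callable is injectable so the demo runs offline against a constructed stub zone; `resolve_a` is the real resolver and the stub data is made up.

```python
"""Added example (not from the article): wordlist subdomain resolution with a
wildcard check, the caveat gobuster/ffuf users run into most often.

Assumptions: `resolve` is any callable that returns an IPv4 string or None; the
default uses the OS resolver. The stub zones below are constructed, not real.
"""
import random
import socket
import string
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]


def resolve_a(host: str) -> Optional[str]:
    """Default resolver: first IPv4 address for host, or None when it does not resolve."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def wildcard_address(domain: str, resolve: Resolver = resolve_a) -> Optional[str]:
    """Resolve a random label under domain. An answer means the zone has a wildcard
    (*.domain) record, so every guessed name will 'exist' and must be filtered."""
    label = "".join(random.choices(string.ascii_lowercase, k=24))
    return resolve(f"{label}.{domain}")


def brute_force(domain: str, words: Iterable[str], resolve: Resolver = resolve_a) -> List[Tuple[str, str]]:
    """Return (hostname, address) for each wordlist entry that resolves to something
    other than the wildcard address. Blank and comment lines in the wordlist are skipped."""
    wildcard = wildcard_address(domain, resolve)
    found: List[Tuple[str, str]] = []
    for word in words:
        word = word.strip().lower()
        if not word or word.startswith("#"):
            continue
        host = f"{word}.{domain}"
        address = resolve(host)
        if address is not None and address != wildcard:
            found.append((host, address))
    return found


def make_stub_resolver(zone: Dict[str, str], wildcard: Optional[str] = None) -> Resolver:
    """Offline stand-in for DNS: answers from `zone`, else the wildcard address (if any)."""
    def resolve(host: str) -> Optional[str]:
        return zone.get(host.lower(), wildcard)
    return resolve


# Constructed data for the demo.
WORDLIST = ["www", "dev", "vpn", "", "# comment", "staging"]
PLAIN_ZONE = {"www.example.com": "192.0.2.10", "dev.example.com": "10.10.8.4"}
WILDCARD_ZONE = {"www.example.com": "192.0.2.10", "vpn.example.com": "198.51.100.7"}

if __name__ == "__main__":
    print(brute_force("example.com", WORDLIST, make_stub_resolver(PLAIN_ZONE)))
    # With a wildcard, names that merely hit *.example.com are dropped:
    print(brute_force("example.com", WORDLIST, make_stub_resolver(WILDCARD_ZONE, "192.0.2.99")))
```

Against a live zone, call `brute_force("example.com", open("subdomains.txt"))`; the file object iterates line by line, and the wildcard probe runs once before the loop. Comparing on a single address is the simple form of the filter; zones whose wildcard round-robins over several addresses need the set of wildcard answers instead.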
Reverse DNS Lookup
Reverse DNS maps an IP address to a hostname. This is useful when you have an IP address and want a hostname so that you can scan for subdomains and virtual hosts.
Use:
# dig
dig -x 8.8.8.8
# host
host 8.8.8.8
Sometimes you might discover internal naming conventions like the following, which can leak infrastructure details:
prod-api-us-east.example.com
DNS Cache Snooping
DNS cache snooping is an information-gathering technique where a client queries a DNS server to determine if a specific domain is stored in its cache. If the record is cached, it indicates that a user within that network has recently visited the website.
This is also very common in companies with a large infrastructure.
You'll be able to learn:
- Recently visited domains
- Internal services
- Employee activity
# Using dig (+norecurse, so the server answers only from its cache instead of resolving the name for you):
dig +norecurse @target-dns-server google.com
# Using Nmap:
nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}' <target>
Modern DNS servers usually restrict this, but misconfigurations still exist.
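Both the open-resolver test in the section above and cache snooping come down to two header bits in the DNS reply: RA (the server offers recursion) and the echoed RD bit (whether we asked it to recurse), read together with RCODE and the answer count. The following is an added example, not code from the article or from dig/Nmap: minimal wire-format helpers that build a query with RD set or clear, decode the reply header, and apply the two checks. `ask()` is the only function that touches the network and the demo never calls it; `build_response()` fabricates replies so the checks can be exercised offline, and every address in them is constructed.

```python
"""Added example (not from the article): minimal DNS wire-format helpers to check
what a resolver does with recursive and non-recursive queries.

Assumptions: responses are judged on header flags only (RA, RD, RCODE, ANCOUNT);
`ask()` is the only function that touches the network and is not called by the demo.
The sample responses are constructed in build_response(), not captured traffic.
"""
import socket
import struct
from typing import Dict, Optional

QTYPE = {"A": 1, "NS": 2, "TXT": 16, "AAAA": 28}
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: str = "A", recursion_desired: bool = True, txid: int = 0x1234) -> bytes:
    """One-question query. RD set = 'please resolve this for me'; RD clear = 'answer
    only from what you already hold' (the cache-snooping form)."""
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)   # class IN


def parse_header(msg: bytes) -> Dict[str, int]:
    """Decode the 12-byte header into the fields the checks below need."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def is_open_resolver(response: bytes, expected_id: int = 0x1234) -> bool:
    """True when a recursive query for a name the server is not authoritative for
    came back NOERROR with RA set and at least one answer: the server resolved it
    on our behalf. REFUSED (rcode 5) or RA clear is the hardened behaviour."""
    h = parse_header(response)
    return h["qr"] and h["id"] == expected_id and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0


def appears_cached(response: bytes) -> bool:
    """For a query sent with RD clear: NOERROR with answers means the resolver already
    had the record (it was told not to go and fetch it). A response to a recursive
    query proves nothing, so RD must be clear in the echoed flags."""
    h = parse_header(response)
    return h["qr"] and not h["rd"] and h["rcode"] == 0 and h["ancount"] > 0


def ask(server: str, query: bytes, timeout: float = 2.0) -> bytes:
    """Send one UDP query to server:53 and return the raw reply (socket.timeout on silence)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return data


def build_response(query: bytes, *, ra: bool, answer_ip: Optional[str] = None, rcode: int = 0) -> bytes:
    """Constructed reply for offline demos: echoes the question and RD bit, optionally
    adds one A record (compression pointer 0xC00C -> the question name at offset 12)."""
    txid, qflags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = FLAG_QR | (qflags & FLAG_RD) | (FLAG_RA if ra else 0) | (rcode & 0xF)
    answer, ancount = b"", 0
    if answer_ip is not None:
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
        ancount = 1
    return struct.pack("!HHHHHH", txid, flags, qd, ancount, 0, 0) + query[12:] + answer


if __name__ == "__main__":
    recursive = build_query("example.com", "A", recursion_desired=True)
    print("open:", is_open_resolver(build_response(recursive, ra=True, answer_ip="192.0.2.10")))
    print("refused:", is_open_resolver(build_response(recursive, ra=False, rcode=5)))
    non_recursive = build_query("example.com", "A", recursion_desired=False)
    print("cached:", appears_cached(build_response(non_recursive, ra=True, answer_ip="192.0.2.10")))
    print("not cached:", appears_cached(build_response(non_recursive, ra=True)))
```

Against a real server the two checks are `is_open_resolver(ask("1.2.3.4", build_query("example.org", "A")))` for a name the server is not authoritative for, and `appears_cached(ask("1.2.3.4", build_query("google.com", "A", recursion_desired=False)))`, which is the same thing `dig +norecurse` does. The hardened answer to both from an internal-only resolver is REFUSED or RA clear for outside source addresses, which is what the `allow-recursion` style access lists on BIND, Unbound and similar servers enforce.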
Subdomain Takeover Hunting
Subdomain takeover hunting is the practice of searching for and claiming abandoned subdomains that mistakenly point to deleted or expired third-party services. Sometimes DNS records point to services that no longer exist.
For example, blog.example.com might redirect the user to old-heroku-app.herokuapp.com but old-heroku-app.herokuapp.com might not actually exist. So, you could just register an app with the name old-heroku-app and redirect legitimate users to your own website.
blog.example.com → old-heroku-app.herokuapp.com
If the backend resource is deleted but DNS still points to it, attackers may claim it. This allows them to do the following:
- Hosting malicious content
- Phishing
- Cookie theft
- Brand impersonation
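The condition described above has a precise shape in zone data: a CNAME whose alias is in our zone, whose target is in someone else's, and whose target no longer resolves. The following is an added example, not code from the article or from subzy/subjack: a check you can run over the CNAMEs of your own zone (for instance the `CNAME` group from an AXFR) to list the dangling ones before anyone else does. The `resolves` callable is injectable so the demo runs offline; the CNAME map and the "still exists" set are constructed, and `name_resolves` is the real default.

```python
"""Added example (not from the article): find CNAME records in our own zone whose
third-party target no longer resolves, i.e. the candidates for subdomain takeover.

Assumptions: `resolves` is any callable returning True when a name has an address;
the default uses the OS resolver and treats socket.gaierror as 'does not resolve'.
The CNAME map below is constructed, not a real zone.
"""
import socket
from typing import Callable, Dict, List, Tuple

Resolves = Callable[[str], bool]


def name_resolves(host: str) -> bool:
    """Default check: does the OS resolver return any address for host?"""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:   # NXDOMAIN and similar lookup failures
        return False


def in_zone(host: str, zone: str) -> bool:
    return host == zone or host.endswith("." + zone)


def dangling_cnames(cnames: Dict[str, str], zone: str, resolves: Resolves = name_resolves) -> List[Tuple[str, str]]:
    """Return (alias, target) pairs where the alias points outside `zone` and the
    target does not resolve. Aliases to names inside the zone are skipped: a broken
    internal alias is a cleanup item, not something an outsider can register."""
    findings: List[Tuple[str, str]] = []
    for alias, target in sorted(cnames.items()):
        target = target.rstrip(".").lower()
        if in_zone(target, zone):
            continue
        if not resolves(target):
            findings.append((alias.rstrip(".").lower(), target))
    return findings


# Constructed zone data: only the two third-party targets not in STILL_EXISTS are gone.
CNAMES = {
    "blog.example.com.": "old-heroku-app.herokuapp.com.",
    "www.example.com.": "cdn-live.example.net.",
    "jira.example.com.": "dev.example.com.",
    "status.example.com.": "gone-status-page.example.org.",
}
STILL_EXISTS = {"cdn-live.example.net"}   # offline stand-in for what resolves

if __name__ == "__main__":
    print(dangling_cnames(CNAMES, "example.com", resolves=lambda h: h in STILL_EXISTS))
```

Run it against live data with `dangling_cnames(cnames, "example.com")`, which uses the OS resolver. A target that fails to resolve is the clearest signal, but not the only one: some hosting providers keep answering for unclaimed names and serve a provider-specific "not found" page instead, which is why subzy and subjack also fingerprint the HTTP response. Treat every hit as a record to delete or re-point, and confirm claimability against the provider's current behaviour rather than assuming it.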
Tools that can help you automate:
subzy
subjack
Hope you enjoyed reading the article. Please consider subscribing and clapping for the article.
In case you are interested in CTF/THM/HTB writeups consider visiting my YouTube channel.