Reconnaissance

Quickly mapping an organisation's attack surface is an essential skill for network attackers (penetration testers, bug bounty hunters) as well as for those defending the network (network security staff, system administrators, blue teams, etc.).

A detailed footprint of an organisation's Internet-facing systems is a tactical resource that can be used by both attackers and defenders. By developing an understanding of the attack surface, skilled security analysts are able to quickly identify its weak areas.

Finding visible hosts from the attacker's perspective is an important part of the security assessment process.

DNS reconnaissance is part of the information gathering stage of a penetration test engagement. When performing DNS reconnaissance, a penetration tester is trying to obtain as much information as possible about the DNS servers and their records. The information gathered can disclose the network infrastructure of the company without alerting the IDS/IPS.

Tools

Here are some general tools that can help fingerprint a domain name.

References

http://cs3.calstatela.edu/~egean/cs581/lecture-notes/counterhack/Chapter%205%20Reconnaissance.pdf
https://github.com/fwaeytens/dnsenum
https://tools.kali.org/information-gathering/dnsmap
https://github.com/makefu/dnsmap
https://pentestlab.blog/tag/dns-enumeration/

    Brute Forcing
    Passive DNS

    Passive DNS data

    Reverse DNS

    Reverse DNS lookup

    WHOIS

    WHOIS lookup gives you the ability to look up any generic domain to find out the registered domain holder.
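The Reverse DNS entry above names the technique without showing the mechanism. The following is an added example, not code from this page or from any of the tools it lists: it builds the PTR query name for an IPv4 or IPv6 address (octets reversed under in-addr.arpa, nibbles reversed under ip6.arpa) and sweeps an address range against a constructed PTR table, the way a defender would inventory which addresses in their own range still carry reverse records. The PTR_RECORDS table and the example.test hostnames are constructed sample data, not real hosts; in practice the lookup step would be replaced by a resolver query.

```python
import ipaddress


def reverse_name(ip: str) -> str:
    """Build the PTR query name for an IPv4 or IPv6 address.

    IPv4: the four octets are reversed and placed under in-addr.arpa.
    IPv6: all 32 hex nibbles (leading zeros kept) are reversed under ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")  # 32 hex digits, zero-padded
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


# Constructed PTR zone data standing in for resolver answers (not real hosts).
PTR_RECORDS = {
    "1.0.0.10.in-addr.arpa": "gw.example.test",
    "5.0.0.10.in-addr.arpa": "mail.example.test",
    "6.0.0.10.in-addr.arpa": "old-build.example.test",  # a forgotten record
}


def sweep_ptr(network: str, records=PTR_RECORDS):
    """Return {ip: hostname} for every address in `network` with a PTR record.

    Addresses with no PTR entry are skipped; for IPv4 the network and
    broadcast addresses are excluded by ipaddress.hosts().
    """
    net = ipaddress.ip_network(network, strict=False)
    found = {}
    for host in net.hosts():
        name = records.get(reverse_name(str(host)))
        if name:
            found[str(host)] = name
    return found


if __name__ == "__main__":
    for ip, name in sweep_ptr("10.0.0.0/29").items():
        print(f"{ip:<12} {reverse_name(ip):<28} {name}")
```

Stale PTR records such as the `old-build` entry are exactly what a reverse sweep of an organisation's own ranges should surface, since they leak internal naming conventions and retired services to anyone performing the same lookup.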