DNS records hold a surprising amount of host information, and brute forcing them reveals additional targets. The names themselves also give things away: a record called “mail” is almost certainly the mail server, and Cloudflare’s default “direct” DNS entry, when it has been left in place, will most of the time point straight at the origin IP that the CDN is meant to protect.
Most subdomain enumeration tools work from a dictionary of common host names (“www”, “mail”, “vpn” and so on), issuing one DNS query per entry as a sub-domain of the domain under test. Before trusting the results, check for a wildcard record: if a random label under the domain resolves, every dictionary word will appear to exist, and hits must be filtered against the IP the wildcard answers with.
Popular open-source tools for this kind of enumeration are listed below. Some can enumerate all records for a given domain name where the authoritative name server permits it; most attempt to enumerate DNS hostnames by brute-force guessing of common sub-domains from a dictionary.

| Tool | Description | Language |
|---|---|---|
| DNSRecon | Subdomain enumeration tool | Python |
| SubBrute | Subdomain enumeration tool | Python |
| Sublist3r | Enumerate subdomains of websites using OSINT | Python |
| DNS-Discovery | A multithreaded subdomain bruteforcer | C |
| dns-brute | Attempts to enumerate DNS hostnames | Nmap script |
| Knockpy | Enumerate subdomains on a target domain | Python |
| Anubis | A subdomain enumerator and information gathering tool | Python |
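The dictionary-driven lookup described above, with the wildcard check a practitioner wants before trusting the output, as an added self-contained example (not code from the page or from any of the tools in the table). live_resolve uses the system resolver for real use; fake_resolve, FAKE_ZONE, WILDCARD_IP and SAMPLE_WORDLIST are constructed here so the logic can be run offline. The hostnames and addresses are hypothetical.

```python
"""Dictionary-based subdomain brute force with wildcard filtering.

Added example, not code from the page or from the tools listed above.
The resolver is injectable: live_resolve() asks the system resolver, while
fake_resolve() answers from FAKE_ZONE, a constructed zone for offline use.
"""
import random
import socket
import string
import sys
from typing import Callable, Dict, Iterable, Set

# A resolver maps a fully qualified name to its set of A-record IPs, or an
# empty set when the name does not exist.
Resolver = Callable[[str], Set[str]]

# Constructed sample data (hypothetical names, documentation-range IPs).
FAKE_ZONE: Dict[str, Set[str]] = {
    "www.example.test": {"198.51.100.10"},
    "mail.example.test": {"198.51.100.25"},
    "direct.example.test": {"198.51.100.10"},   # leftover alias for the origin
    "mail.wild.test": {"203.0.113.25"},          # the only real host in wild.test
}
WILDCARD_IP = "203.0.113.5"                      # *.wild.test answers with this
SAMPLE_WORDLIST = ["www", "mail", "direct", "dev", "vpn", "ftp", "MAIL"]


def fake_resolve(fqdn: str) -> Set[str]:
    """Offline stand-in for DNS: example.test is a plain zone, wild.test has a wildcard."""
    if fqdn in FAKE_ZONE:
        return set(FAKE_ZONE[fqdn])
    if fqdn.endswith(".wild.test"):
        return {WILDCARD_IP}
    return set()


def live_resolve(fqdn: str) -> Set[str]:
    """Resolve A records through the system resolver."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def random_label(length: int = 12) -> str:
    """A label that no sane dictionary contains, used to probe for wildcards."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve a few random labels under the domain.

    A zone with '*.domain' answers every guess, so without this check the
    brute force reports the whole dictionary as hits. Any IP returned for a
    random label is treated as a wildcard answer and filtered out later.
    """
    wildcard_ips: Set[str] = set()
    for _ in range(probes):
        wildcard_ips |= resolve(f"{random_label()}.{domain}")
    return wildcard_ips


def brute_force(domain: str, wordlist: Iterable[str],
                resolve: Resolver = live_resolve) -> Dict[str, Set[str]]:
    """Return {fqdn: ips} for dictionary words that resolve to a non-wildcard IP."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found: Dict[str, Set[str]] = {}
    seen: Set[str] = set()
    for word in wordlist:
        label = word.strip().lower().strip(".")
        if not label or label in seen:      # skip blank lines and duplicates
            continue
        seen.add(label)
        fqdn = f"{label}.{domain}"
        # Caveat: a real host that shares the wildcard IP is dropped here too.
        ips = resolve(fqdn) - wildcard_ips
        if ips:
            found[fqdn] = ips
    return found


if __name__ == "__main__":
    # Usage: python dnsbrute.py <domain> <wordlist-file>
    target, path = sys.argv[1], sys.argv[2]
    with open(path) as fh:
        for host, ips in sorted(brute_force(target, fh).items()):
            print(host, ", ".join(sorted(ips)))
```

Against a live target this sends one query per word through the system resolver, so point the machine at a resolver you are allowed to load and keep the dictionary modest; the wildcard probe is the one check that separates a useful result from a list of every word in the file.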