We discussed some passive DNS recon techniques, but that's only half of the story. There is also active DNS reconnaissance, which involves sending actual DNS requests to gather data. Active DNS recon does not rely on information footprints and secondary sources, so it gives us more up-to-date information about the target systems.
So how do we send the DNS queries? We want to control exactly what request we send and bypass DNS caching on the local system, so using getaddrinfo() is out of the question. The simplest way is to use nslookup(1), a standard POSIX tool for doing DNS queries:
We can differentiate between successful and failed queries by checking the return code: it is 0 on success and 1 on failure. That is useful when checking a list of guesses for subdomains in a shell script.
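The return-code check described above, as an added example that is not part of the original post: a POSIX shell script that walks a wordlist and reports which candidate names nslookup could resolve (handy for auditing which names in a zone you own actually answer). The `RESOLVER_CMD` variable is an assumption of this example so the lookup tool can be swapped; the script also first tests a random nonexistent label, because a wildcard record makes every guess "succeed" and the exit code meaningless.

```shell
#!/bin/sh
# Added example, not code from the original post. RESOLVER_CMD is an assumption
# of this example: it names the lookup tool and defaults to nslookup(1).
RESOLVER_CMD=${RESOLVER_CMD:-nslookup}

# resolves NAME: exit 0 if the resolver returned an answer, non-zero otherwise.
# Only the exit code is used; the tool's output is discarded.
resolves() {
    "$RESOLVER_CMD" "$1" >/dev/null 2>&1
}

# wildcard_dns DOMAIN: exit 0 if a random, surely-nonexistent label resolves,
# meaning the zone answers for everything and the exit-code test says nothing.
wildcard_dns() {
    resolves "nonexistent-$$-$(date +%s).$1"
}

# check_names DOMAIN WORDLIST: print each "label.DOMAIN" from the wordlist that
# resolves, one per line. Returns 2 without checking if the zone is a wildcard.
check_names() {
    domain=$1
    wordlist=$2
    if wildcard_dns "$domain"; then
        echo "wildcard DNS detected for $domain; exit codes are not informative" >&2
        return 2
    fi
    while IFS= read -r label; do
        # skip blank lines and comments in the wordlist
        case $label in ''|'#'*) continue ;; esac
        if resolves "$label.$domain"; then
            echo "$label.$domain"
        fi
    done < "$wordlist"
}
```

Run it as `check_names example.org names.txt`; because nslookup also exits non-zero on timeouts and SERVFAIL, a name that is missing from the output is not necessarily absent from the zone.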
Another, more flexible tool for querying DNS servers is dig(1). Depending on your system you may need to install it separately. It provides the output in a different, more machine-readable form: