Make sure you know the legalities of enumerating DNS for subdomain resolution – This is considered brute force and it is an active (not passive) scan, which could result in legal issues if you do not have permission to perform the security check.


You want to get an idea what an attacker might discover in your network.  An attack would probably want to get a look at the machines in the network.  The layout can be determined by passive means (using some google “hacks” queries), or by brute force means.


One command that is useful to see if a subdomain or DNS exists is the “host” command in Linux.

From the command line, you could use host on a DNS you have permission to work with, like so:

host [valid domain]

which will return mail servers.  You can set some flags like -t mx (mail servers) or -t ns for name servers.

There’s plenty of other parameters you can use… check out host -h for more.

If you use host on a subdomain, you’ll get back it’s ip address and information regarding if it’s a valid location.  In other words:

host [sub].[domain] 

would return [sub].[domain] has address x.x.x.x


 As a reminder, be sure to check the legalities of any DNS enumeration scripting.  Even if you own the domain, this can be a legal issue with the hosting provider, etc.  Be sure that you have covered all legal aspects before attempting.

By enumeration, we’re talking about taking guess after guess to see if a host exists.  Thereby getting hits of what exists and what doesn’t.  You could come up with 5 or 10 words you think are common to domains, like:




Then try them with host admin.[domain], etc.

An attack would likely use many different words to try and guess a variety of useful domains/sbudomains.  You could run them one by one… or you could write a script to do the work for you.

Bash Script



while read p; do

    if host $p.[some domain] | grep "has address"; then echo "$p.[some domain]"; fi

done < dns.txt

Where dns.txt is a dictionary file of words that I’m iterating over.  You can find such dictionaries all over by searching for, “dns enumeration dictionary” – some files are small 20k, and some are huge (3MB.)  The larger the file, the more traffic this will produce, as you could be running millions of calls to look up subdomains info.

The if statement above checks if the words “has address” are returned.  If it is, it’s printed out, if it isn’t, its dropped… that way we don’t get spam of every failed subdomain check.

By changing our script to executable (chmod 755), we can then run it to output to a file: ./ > dns_result.txt

Our dictionary file might have some gems, which might return valid entries for:


Leave a Reply

Your email address will not be published. Required fields are marked *