Domain Intelligence
Domain reconnaissance is the first step in mapping an organization's external footprint. This involves identifying registered domains, subdomains, DNS records, and certificate transparency logs.
Tool Installation

Subfinder (Subdomain)
Fast passive subdomain enumeration tool using multiple sources.
Installation:
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

Amass (Recon)
OWASP's comprehensive attack surface mapping tool.
Installation:
go install -v github.com/owasp-amass/amass/v4/...@master

Assetfinder (Subdomain)
Find domains and subdomains related to a given domain.
Installation:
go install github.com/tomnomnom/assetfinder@latest

Findomain (Subdomain)
Cross-platform subdomain enumerator with monitoring capabilities.
Installation:
cargo install findomain

DNSRecon (DNS)
DNS enumeration script with multiple query types.
Installation:
pip install dnsrecon

MassDNS (DNS)
High-performance DNS stub resolver for bulk lookups.
Installation:
git clone https://github.com/blechschmidt/massdns.git && cd massdns && make

WHOIS Lookups
WHOIS records reveal domain ownership, registration dates, nameservers, and sometimes contact information.
# Basic WHOIS lookup
whois target.com
# Query specific WHOIS server
whois -h whois.arin.net target.com # ARIN (North America)
whois -h whois.ripe.net target.com # RIPE (Europe)
whois -h whois.apnic.net target.com # APNIC (Asia-Pacific)
# Parse specific fields
whois target.com | grep -E "Registrant|Admin|Tech|Name Server"
# Reverse WHOIS (find other domains by same registrant)
# Use: https://viewdns.info/reversewhois/
# Or Amass intel module
amass intel -whois -d target.com

DNS Record Enumeration
# Query all record types
dig target.com ANY +noall +answer
dig target.com A +short
dig target.com AAAA +short
dig target.com MX +short
dig target.com TXT +short
dig target.com NS +short
dig target.com SOA +short
dig target.com CNAME +short
# Alternative tools
host -a target.com
nslookup -type=any target.com
# Check SPF/DKIM/DMARC records (useful for phishing assessment)
dig target.com TXT | grep "spf"
dig _dmarc.target.com TXT
dig selector._domainkey.target.com TXT
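As an added example (not from the original page), a Python check that applies the SPF/DMARC review from the dig commands above to TXT records as dig prints them: it flags a missing or over-permissive SPF record, a top-level lookup count over the RFC 7208 limit of 10, and a DMARC policy that only monitors. The records are a constructed sample for target.com, not a live lookup.

```python
import re

# Constructed sample TXT records (not a live lookup), keyed by queried name, as dig prints them.
SAMPLE_TXT = {
    "target.com": [
        '"v=spf1 include:_spf.google.com include:spf.protection.outlook.com a mx ~all"',
        '"google-site-verification=abc123"',
    ],
    "_dmarc.target.com": ['"v=DMARC1; p=none; rua=mailto:dmarc@target.com"'],
}

def parse_txt(records):
    return [r.strip().strip('"') for r in records]

# SPF terms that each cost a DNS lookup; RFC 7208 caps the total at 10 (counted recursively)
LOOKUP_TERM = re.compile(r"^(include:|exists:|redirect=|ptr\b|a\b|mx\b)")

def assess_spf(txt_records):
    """Findings for a domain's SPF record; an empty list means no concerns."""
    spf = [r for r in parse_txt(txt_records) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot tell which hosts may send as this domain"]
    findings, lookups, all_qual, redirect = [], 0, None, False
    for term in spf[0].split()[1:]:
        qual, mech = (term[0] if term[0] in "+-~?" else "+"), term.lstrip("+-~?").lower()
        redirect = redirect or mech.startswith("redirect=")
        if LOOKUP_TERM.match(mech):
            lookups += 1  # top-level count only; included records are not expanded here
        elif mech == "all":
            all_qual = qual
    if lookups > 10:
        findings.append(f"{lookups} lookup terms at top level: over the limit, SPF yields permerror")
    if all_qual == "+":
        findings.append("+all: every sender passes, SPF provides no protection")
    elif all_qual == "~":
        findings.append("~all: softfail, spoofed mail is usually delivered; rely on DMARC p=quarantine/reject")
    elif all_qual in ("?", None) and not redirect:
        findings.append("neutral or missing all: unlisted senders are not failed")
    return findings

def assess_dmarc(txt_records):
    """Findings for the _dmarc TXT record; an empty list means no concerns."""
    dmarc = [r for r in parse_txt(txt_records) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: SPF/DKIM failures carry no policy and are not reported"]
    tags = dict(kv.strip().split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)
    p = tags.get("p", "none").strip().lower()
    return ["p=none: monitoring only, spoofed mail is neither quarantined nor rejected"] if p == "none" else []
```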
# DNSRecon comprehensive scan
dnsrecon -d target.com -t std
dnsrecon -d target.com -t brt -D /usr/share/wordlists/subdomains.txt
# Check for DNSSEC
dig target.com DNSKEY +dnssec

Zone Transfer Attempts (rarely works)
# First, find nameservers
dig target.com NS +short
# Attempt zone transfer on each nameserver
dig axfr @ns1.target.com target.com
dig axfr @ns2.target.com target.com
# Using host command
host -l target.com ns1.target.com
# DNSRecon zone transfer
dnsrecon -d target.com -t axfr
# Fierce for DNS enumeration with zone transfer check
fierce --domain target.com

Subdomain Enumeration
# Subfinder - fastest passive enumeration
subfinder -d target.com -o subs.txt
subfinder -d target.com -all -o subs.txt # Use all sources
subfinder -dL domains.txt -o all_subs.txt # Multiple domains
# Amass - most comprehensive
amass enum -passive -d target.com -o amass_passive.txt
amass enum -active -d target.com -o amass_active.txt
amass enum -brute -d target.com -w /path/to/wordlist.txt
# Assetfinder
assetfinder --subs-only target.com > assetfinder.txt
# Findomain
findomain -t target.com -o # Outputs to target.com.txt
findomain -t target.com -u subs.txt # Unique output
# Combine all results and deduplicate
cat subs.txt amass_passive.txt assetfinder.txt | sort -u > all_subdomains.txt
# Verify subdomains are alive
cat all_subdomains.txt | httpx -silent -o live_subdomains.txt
# MassDNS for bulk resolution
massdns -r resolvers.txt -t A -o S all_subdomains.txt > resolved.txt

Certificate Transparency Logs
CT logs are a goldmine for subdomain discovery: every certificate issued by a publicly trusted CA is recorded in public logs, so the hostnames it covers can be searched.
# crt.sh - most popular CT log search
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u
# Parse and clean results
curl -s "https://crt.sh/?q=%.target.com&output=json" | \
jq -r '.[].name_value' | \
sed 's/\*\.//g' | \
sort -u > ct_subdomains.txt
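The cleanup pipeline above, reimplemented in Python as an added example (not part of the original page or of crt.sh): it splits each record's newline-separated name_value into its SAN entries, strips wildcard labels, drops names outside the queried domain, and counts certificates per issuer so an unexpected CA stands out. The JSON is a constructed sample in crt.sh's output shape, not a real query result.

```python
import json
from collections import Counter

# Constructed sample in the shape crt.sh returns for ?q=%.target.com&output=json
# (not a real query result). name_value carries the certificate's SAN entries separated
# by newlines; the last record is only there to exercise the scope filter.
SAMPLE_CRTSH_JSON = r"""[
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.target.com",
   "name_value": "target.com\nwww.target.com", "not_after": "2025-03-01T00:00:00"},
  {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
   "common_name": "*.dev.target.com",
   "name_value": "*.dev.target.com\napi.dev.target.com", "not_after": "2024-12-01T00:00:00"},
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "mail.target.com",
   "name_value": "MAIL.TARGET.COM.", "not_after": "2025-01-15T00:00:00"},
  {"issuer_name": "C=US, O=Example CA, CN=Example Issuer", "common_name": "target.com.example.net",
   "name_value": "target.com.example.net\nlogin-target.com", "not_after": "2025-01-15T00:00:00"}
]"""

def normalize_name(name: str) -> str:
    """Lowercase, drop a trailing dot and a leading wildcard label (the sed step above)."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def in_scope(name: str, domain: str) -> bool:
    """True for the domain itself or any name beneath it (not look-alikes)."""
    return name == domain or name.endswith("." + domain)

def parse_crtsh(raw_json: str, domain: str):
    """Return (sorted unique in-scope hostnames, certificate count per issuer).

    Only certificates naming at least one in-scope host are counted, so an
    issuer you do not recognise is worth checking against your CAA policy.
    """
    domain = normalize_name(domain)
    hosts: set = set()
    issuers: Counter = Counter()
    for record in json.loads(raw_json):
        sans = {normalize_name(n) for n in record.get("name_value", "").split("\n")}
        sans = {n for n in sans if n and in_scope(n, domain)}
        if sans:
            hosts |= sans
            issuers[record.get("issuer_name", "unknown")] += 1
    return sorted(hosts), dict(issuers)

if __name__ == "__main__":
    hosts, issuers = parse_crtsh(SAMPLE_CRTSH_JSON, "target.com")
    print("\n".join(hosts))
    for issuer, count in issuers.items():
        print(f"{count:3d}  {issuer}")
```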
# Using subfinder with CT sources
subfinder -d target.com -sources crtsh,certspotter,censys
# Certspotter API
curl -s "https://api.certspotter.com/v1/issuances?domain=target.com&include_subdomains=true&expand=dns_names" | \
jq -r '.[].dns_names[]' | sort -u
# Facebook CT search (requires access token)
curl "https://graph.facebook.com/certificates?query=target.com&access_token=TOKEN"

DNS History & Passive DNS
# SecurityTrails API (requires free API key)
curl -s "https://api.securitytrails.com/v1/domain/target.com" \
-H "APIKEY: YOUR_API_KEY" | jq
# Get historical DNS data
curl -s "https://api.securitytrails.com/v1/history/target.com/dns/a" \
-H "APIKEY: YOUR_API_KEY" | jq
# VirusTotal passive DNS (requires API key)
curl -s "https://www.virustotal.com/vtapi/v2/domain/report?apikey=KEY&domain=target.com"
# Online resources for DNS history:
# - SecurityTrails: https://securitytrails.com
# - ViewDNS: https://viewdns.info
# - DNSDumpster: https://dnsdumpster.com
# - PassiveTotal: https://community.riskiq.com
# - Robtex: https://www.robtex.com

Reverse DNS & IP Intelligence
# Reverse DNS lookup
dig -x 192.168.1.1 +short
host 192.168.1.1
nslookup 192.168.1.1
# Reverse DNS for entire subnet
# Using DNSRecon
dnsrecon -r 192.168.1.0/24 -n 8.8.8.8
# Using Nmap
nmap -sL 192.168.1.0/24 | grep "(" | awk '{print $5, $6}'
# Find all IPs for a domain
dig target.com +short
host target.com
# BGP/ASN lookup to find IP ranges
# Find ASN
curl -s "https://api.bgpview.io/search?query_term=target+company" | jq
# Get prefixes for ASN
curl -s "https://api.bgpview.io/asn/12345/prefixes" | jq '.data.ipv4_prefixes[].prefix'
# Whois on IP
whois 192.168.1.1 | grep -E "NetRange|CIDR|OrgName"

External Resources
DNSDumpster: free domain research tool with DNS mapping
SecurityTrails: historical DNS data and domain intelligence
crt.sh: Certificate Transparency log search
ViewDNS.info: multiple DNS tools including reverse WHOIS
BGP Toolkit: Hurricane Electric BGP/ASN lookup
reconFTW: automated reconnaissance workflow tool