dnsenum Cheat Sheet
Perl DNS enumerator for zone transfers, subdomain brute force, reverse lookups, and WHOIS.
Overview
dnsenum automates DNS reconnaissance: AXFR attempts, subdomain guessing, Google scraping, WHOIS netblock enumeration, and reverse DNS. Common on older workflows and CTF; complements dnsrecon and passive OSINT.
Authorized testing only. Zone transfers and brute force generate DNS queries against authoritative servers—stay in scope.
Install
sudo apt install -y dnsenumdnsenum.plEssential commands
Basic enum
dnsenum target.example.comSubdomain brute with file
dnsenum -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt target.example.comNo reverse / no whois (faster)
dnsenum --noreverse --nowhois target.example.comCommon workflows
Zone transfer test —
dnsenum -s 0 -f subdomains.txt target.example.comSave output —
dnsenum -o dnsenum.xml target.example.comUse specific resolvers —
dnsenum --dnsserver 8.8.8.8 target.example.comThreaded brute —
dnsenum -f subdomains.txt -t 20 target.example.comFlags reference
-f | Subdomain wordlist |
|---|---|
-o | XML output file |
-t | Threads for brute |
--dnsserver | Use specific DNS server |
--enum | Short for standard enum |
--noreverse | Skip reverse lookup phase |
--nowhois | Skip WHOIS |
-s | Maximum subdomain depth |
-r | Perform reverse on netblocks |
-p | Create glue domains (advanced) |
Tips
- Successful AXFR is a critical finding—verify and report immediately.
- Google scraping (-g) may be rate-limited; prefer passive CT with subfinder.
- Parse XML or grep output for feeding httpx.
- Pair with dig axfr @ns1.target.example.com target.example.com for manual confirmation.