When someone types a website address into their browser, they probably don’t think about what happens in the background. But for a pentester, understanding that process is key.
DNS (Domain Name System) is what makes the internet usable. Instead of remembering IP addresses like 192.168.1.1, we use domain names like example.com, and DNS takes care of translating between the two.
For pentesters, DNS can be a goldmine. It helps us map out a target’s infrastructure, find hidden subdomains, and sometimes even pull down entire zone files if misconfigurations allow it.
Forward lookups
The most basic DNS query is a forward lookup – this is where we take a domain name and resolve it to an IP address.
When you visit a website, your device reaches out to a DNS server and asks, “What’s the IP address for this domain?”
The server responds with the correct IP, and your browser connects to it.
For pentesters, forward lookups are useful because they help us identify the infrastructure behind a domain. If a company has multiple domains pointing to different IPs, this can give us clues about their hosting setup, external services, or even cloud providers they use.
A simple way to perform a forward lookup is with nslookup:

This shows us asking the DNS server at 1.1.1.1 for information about www.google.com, and we get back both an IPv4 and an IPv6 address.
If we wanted to find more subdomains for google.com we could automate forward lookups by using tools like fierce and dnsenum.
If we wanted a bit more control over which subdomains we were looking for, we could create a file with a list, and then automate the lookup process ourselves.
If I have a file called subdomains with the contents:
test
demo
maps
I can run a command to see if any of these resolve to an IP address:

This shows that I can conduct forward lookups in a loop and add any line that does not include the phrase ‘not found’ to a list of potential target devices.
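As an added example (not the author’s command), the loop described above written out with the host tool: keep_resolved filters host output to the names that actually resolved, and enumerate_subdomains runs it over a wordlist. It assumes host is installed and the wordlist holds one label per line; SAMPLE_OUTPUT is constructed host output so the filter can be tried offline.

```shell
#!/bin/sh
# Forward-look-up each label from a wordlist and keep only the names that
# resolve. Assumes the `host` tool is available (hypothetical usage:
#   enumerate_subdomains example.com subdomains).

# keep_resolved: read `host` output on stdin and print "name address" for
# every line that resolved, dropping any line containing "not found".
# Matches both "has address" (A) and "has IPv6 address" (AAAA) lines.
keep_resolved() {
    grep -v 'not found' | awk '/has (IPv6 )?address/ {print $1, $NF}'
}

# enumerate_subdomains DOMAIN WORDLIST: query each LABEL.DOMAIN and emit
# the ones that resolve, i.e. the list of potential target devices.
enumerate_subdomains() {
    domain="$1"
    wordlist="$2"
    while IFS= read -r label; do
        [ -n "$label" ] || continue          # skip blank lines
        host "$label.$domain" 2>&1           # NXDOMAIN lines say "not found"
    done < "$wordlist" | keep_resolved
}

# Constructed sample `host` output (not captured from a real run) so the
# filtering step can be exercised without network access.
SAMPLE_OUTPUT='www.example.com has address 93.184.216.34
Host test.example.com not found: 3(NXDOMAIN)
www.example.com has IPv6 address 2606:2800:21f:cb07:6820:80da:af6b:8b2c'

# demo_filter: run keep_resolved over the constructed sample.
demo_filter() {
    printf '%s\n' "$SAMPLE_OUTPUT" | keep_resolved
}
```

Running demo_filter prints the two resolved lines and drops the NXDOMAIN one.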
Reverse lookups
A reverse lookup does the opposite of a forward lookup – it takes an IP address and tries to find the domain name associated with it.
This is useful for pentesters because it can reveal hidden infrastructure that a company might not expect to be exposed.
For example, let’s say we find an IP address during a pentest. Running a reverse lookup might tell us that it belongs to internal.example.com, which could be a staging server or an internal tool. This kind of information can be useful when trying to map out a target’s network.
You can perform a reverse lookup using nslookup.

This shows us that, while we may not already know the name of the machine 8.8.8.8, by doing a reverse lookup we can see that it’s called dns.google.
This can help when it comes to prioritising potential targets within an IP range that we may be exploring.
Zone transfers
While forward and reverse lookups require us to know a specific domain name or IP that we are interested in, zone transfers give us the opportunity to grab all the information about a domain.
A zone transfer is a process where one DNS server shares its entire list of records with another DNS server for redundancy.
But if this isn’t locked down properly, anyone can request a copy of the entire DNS zone file, which exposes every subdomain, mail server, and internal hostname the company has.
To perform a zone transfer, we need to know which DNS servers are the ‘authoritative name servers’ for the domain. These are the name servers that hold all of the domain’s records, so they are the servers we want to talk to.
*Note: For this example, we are going to be looking at the zonetransfer.me domain.
To identify a name server, we can use the host command:

This uses the host tool to request only the name server (NS) records for the domain zonetransfer.me.
Once we have this information, we can ask these servers for a zone transfer by using the command host -t axfr zonetransfer.me nsztm1.digi.ninja

This command has asked the server nsztm1.digi.ninja for all the records it holds for zonetransfer.me, and has identified subdomains and IP addresses that we may not otherwise have been aware of.
As pentesters, this can help us expand our understanding of the attack surface of a client by identifying more of their systems.
For more learning resources and video tutorials, visit our YouTube channel.