Academy - Footprinting - DNS

So, I finally got it!
Thats what you should do:

  1. Check axfr of inlanefreight.htb - you will get some domains
  2. Go through the list of this domains an by each domain:
    a) Check axfr zone transfer, if it’s allowed, you’re good, just check what you’ve got
    b) If it’s not allowed, do brute-force with dnsenum, and look what you’ve got
    (If you found nothing interesting, try to use another wordlist, a tip from @camlen92 was really useful by finding a good wordlist)

And also whant to say thx to @PayloadBunny , you answers really helped me :wink:

Dude…I spent half a day on this one using wrong word lists. You easily saved me several hours. Thank you.

I have run dnsenum on every subdomain and still can’t seem to find the answer. I first zone transferred into internal.inlanefreight.htb. I see there’s a few subdomains, I tried axfr into each but was denied. When I try brute forcing each of the subdomains I get a “query timed out” error. I’ve tried both of the wordlists from the hints in this thread and still can’t seem to find a solution. Any feedback would be greatly appreciated. Been stuck on this for about 6 hours.

I’ve also reset the box many times, I’m 100% lost on this one

You can DM me so we can go over details without spoiling. I’m not sure how to give advice on this one without dropping a spoiler.

Thanks Ezi0! The wordlist tip was just what I needed.

Can someone help me with this issue? I have attempted to restart the machine…I am utilizing a subdomain bruteforcer tool.


I literally tried everything. tried zone transferring every single subdomain and bruteforced with multiple wordlists. If someone wants to DM me that would be appreciated. I honestly gave up on this one for the time being.

someone on discord helped me. if anyone need a hint DM me


Gonna drop the biggest hint. So if you are having trouble, look at what a "zone’ is. A zone is a different network or subnet. When we zone transfer the domain we see that we have subdomains with differing IPs. So by furthering enumeration we can axfr another one of the zones (differing IPs). But see we cannot axfr the remaining zone. This requires brute forcing it. Use dnsenum as the bash script is a bit slower.

1 Like

Thanks for all the help guys. I have to be honest with the tasks in these sections they seem unnecessarily hard for beginners. I think they could be worded better and better hints to be brutally honest - not a fan of these!

1 Like

Thank you for the hint!
I was having a “Fierce” battle with this for a majority of the day.

Wow this module and last question taught me things I do when trying a box. So lesson is don’t always do what it tells you, but take a hint from it and keep enumerating until your eyes bleed. MIne bled XD

Hello ive been stuck on “Submit the number of all “A” records from all zones as the answer.”

Please help

Enumerate the sub domains. How many were enumerated with an A record? If you dont understand what an A record is re-read your modules. It talks about it with examples. Make sure you have your “A” record in your /etc/hosts file so you can Enumerate everything on the network.

You can do it with gobuster dns enumeration! You will find were you looking for :slight_smile:


DO NOT let the internal/external thing fool you. Some of these forward-facing addresses are indeed subdomains with hidden hosts, although they aren’t allowed “on-record”

It’s a matter of pointing and shooting at the right one.

I used the custom script with the [repeatively-mentioned list] on one of these domains and the host popped up in the results.

As many said here, the key is to use the appropriate wordlist. One of the small ones in SecLists is the key one.

Just follow the steps in the lesson.

Try zone transfer for each sub-domains you see
For the zone you cannot zone transfer, use the dnsenum command shown in the lesson. (Just use the right wordlist from seclist.).

If you run into the error - NS record query failed: NOERROR via the tool dnsenum - try to respawn the machine. I spent 2 hours research on it, just to see that the command was right.