Academy - Footprinting - DNS

How to know what zones are not allowed?

Basically, you should perform the zone transfer of inlanefreight.htb (dig axfr). Based on the data it delivers (A), list them one by one (dig axfr). When it does not deliver information, proceed to brute force with dnsenum, using a dictionary; the hint for it is given above (ls /opt/useful/SecLists/Discovery/DNS/).


Not all (A) deliver information with dnsenum, list one by one.


I wonder if anyone can help.

When running dnsenum on the given DNS server, why do I get the following error:

unresolvable name: ns.inlanefreight.htb at /usr/bin/dnsenum line 900 thread 1.

Trying Zone Transfer for inlanefreight.htb on ns.inlanefreight.htb …
AXFR record query failed: no nameservers

Any advice would be helpful.

P.S. No help needed to find FQDN (that part was easy)

I finally got it! I was able to follow the chats and replies. Key things to note:

  • you have to brute-force eventually but not on “inlanefreight.htb”, it allows zone transfers (so dig axfr… works to give subdomains).

  • use fi3rc3-h0stlist.txt (check the github repo for seclists for the proper spelling) as the word list, so just change the path you’re using for your dnsenum

  • lastly, you need to try dnsenum with that wordlist change on the subdomains that don’t allow zone transfers from “inlanefreight.htb” (like app.inlanefreight.htb, dev.inlanefreight.htb, etc.) and, most importantly, don’t get distracted by “internal.inlanefreight.htb”, that’s not where to go…not even close.

@camlen92 @PayloadBunny really helped me here. Thanks so much guys!

So, I don’t know if anyone already posted the same answer but I will try to explain how I did it in a way that doesn’t spoil and that connects back to things explained in the module itself.

  1. The first thing they talk about is the “dangerous options”. A DNS server can be set to allow queries, allow transfers or both. With “dig axfr…” you do a transfer. With dnsenum or using “dig any/ns/…” you do a query. If I am wrong here, please someone correct me so I don’t spread misinformation.

  2. Now, the primary name server is inlanefreight.htb. It allows to be both queried and transferred. It has many secondary name servers but only 2 are dangerous. Each one of them has only one of the “dangerous options” enabled.

  3. The key moment is to enumerate fiercely.

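The "dangerous options" split described in the post above, seen from the server side, as an added example that is not part of the original thread or the module: a small audit that reads a BIND-style named.conf and reports, per zone, whether `allow-transfer` is open, restricted, closed or unset. The config fragment, zone names, key name and address are constructed, and the parser assumes no `view` blocks.

```python
import re

# Constructed named.conf fragment (names and addresses are made up, not the lab's config).
SAMPLE_CONF = """
options { allow-query { any; }; };   // queries answered for everyone
zone "example.test"          { type master; allow-transfer { any; }; };
zone "dev.example.test"      { type master; allow-transfer { none; }; };
zone "app.example.test"      { type master; allow-transfer { key "xfer-key"; 10.0.0.53; }; };
zone "internal.example.test" { type master; };
"""

def brace_body(text, start):
    """Text inside the first balanced {...} block at or after `start`."""
    open_at = text.index("{", start)
    depth = 0
    for i in range(open_at, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_at + 1:i]
    raise ValueError("unbalanced braces")

def transfer_acl(block):
    """Elements of allow-transfer in a block, or None when the option is absent."""
    m = re.search(r"\ballow-transfer\b[^{;]*\{([^{}]*)\}", block)
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]

def verdict(acl):
    if acl is None:
        return "unset"        # falls back to BIND's built-in default; check it for your version
    if "any" in acl:
        return "open"         # any host may pull the whole zone with AXFR
    return "closed" if acl == ["none"] else "restricted"

def audit(conf):
    """Map each zone name to its effective allow-transfer verdict (assumes no views)."""
    conf = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", conf, flags=re.S)
    opts = re.search(r"\boptions\s*\{", conf)
    global_acl = transfer_acl(brace_body(conf, opts.start())) if opts else None
    result = {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"', conf):
        acl = transfer_acl(brace_body(conf, m.end()))
        result[m.group(1)] = verdict(global_acl if acl is None else acl)
    return result

if __name__ == "__main__":
    for zone, state in audit(SAMPLE_CONF).items():
        print(f"{zone:24} allow-transfer: {state}")
```

A zone reported as "open" is one where a plain AXFR request hands over every record; "restricted" with a TSIG key or a list of secondary addresses is the usual hardened form.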

I also got stuck for several hours in the last exercise of this topic. Something that helped me was going back to the beginning. Look at the pictures and diagrams. Try to understand them. That will give you a hint for the answer. Use the dictionary that everyone talks about, the fierce one.

Thanks to all for the help, I was stuck for a couple of hours but finally got it.

Can anyone tell me why my dig axfr command is not working? From what I can tell, my syntax is the same as everyone else's, except my command line is treating the @ symbol differently and giving me a parser error. Is there a way to give the IP address without having to use the @ symbol?


Because it is not a DNS zone.

I don’t think that is the issue.


No idea what machine you are on. Just tried it with the HTB PwnBox. Works fine.

Haha I have been doing everything through the PwnBox PowerShell instead of the terminal. Thanks for the help!


How did you know which wordlist to use?

Besides the best hints from Payload Bunny, there are two things that I spent way too much time on:

  • I didn’t need to do anything with /etc/hosts to solve this module. Not sure what people are doing with that.
  • I didn’t need to find a different IP (and then point to that) in addition to the one Target IP provided by the exercise. Stick to the provided Target IP.

I am curious, I wonder how you determine which domains could be a zone? (and so should brute force if you can’t zone transfer)

In case anyone is still having a hard time. All the answers are in these threads but –

dnsenum --dnsserver <TARGET_IP> --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt --threads 90 dev.inlanefreight.htb


Sorry, I’ve just seen it

Wow that was frustrating for sure. The hints help and try and try and try each subdomain. Eventually found .203. For sure be “fierce” about the list you use.


The wordlist used in the Subdomain Brute Forcing example doesn’t contain the correct word. Only 4 of the 13 wordlists in Discovery/DNS have the correct word. Why would you do that to us? :tired_face:


Thank you. This helped me out a lot. I was in the right direction, but was missing the right wordlist.