Active Subdomain Enumeration - HTB Academy

There are 2 zones identified.
Use the zone transfer command dig axfr… in both zones.
Only sums remain the records A.


Hi folks,

Any thoughts as to why the basic dig command is failing on the HTB box?


Figured it out, I was using the wrong terminal, needed to use Parrot terminal, not Powershell, duh.

This one was a bit “tuff” over all. But as mentioned clues is to look at the 10.x.x.x stated as “TARGET” (it changes if you restart. and either add it as ns.inlanefreight.htb in /etc/hosts OR just use it in the end of the nslookup or dig.

I finallaly got them all but this block was helpful. I also figured out there was 2 zones, eventully, is/was there a easy was to see the ZONES? With e.g. nslookup or dig? just wondering.

I really don’t understand question #2:

“Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer.”

I already know the answer is “2” as it was posted on the forum. What I don’t understand is WHY?

I did a zone transfer and received over twenty records.

“dig axfr inlanefreight.htb @ns.inlanefreight.htb


“nslookup -type=any -query=AXFR inlanefreight.htb ns.inlanefreight.htb”

How do you know there are 2 zones? What makes a zone?

Is it because there are two SOA lines?

Thanks in advance!


What am I missing here?

1 Like

As per my understanding, you are adding the IP Address as “inlanefreight.htb” which is your domain name. When this IP is the name server’s IP.

1 Like


Hello 19delta4u,

I try to explain it to you as far as i understand.

We know that there are two zones becuase in the SOAP response there’s a 2.

A dns zone is a group o FQDN.

Yo can create a dns zone with a lot of dns names of the same level or only one. This zone is managed with only one dns nameserver, but, what if you have a domain with lot of trafic?

You can split it in a dedicated zone.

What if you need to add more utilites to this domain? Perhaps, you use another subdomain?

Think that dns names fall in a three.

I hope this helps you to solve this challenge.

Be careful, that 2 in the SOA response doesn’t mean there are 2 zones. That is the zone record serial number. This increments every time a change is made to the zone, so other servers can check they are running the correct version.

So in this case it’s just coincidence!

The way to find out how many zones there are is to iterate through all of the returned subdomains and see if any return a result (zone).

You can do this manually one by one, but much better is to use the output from the first transfer to read in the records and run the transfer query against them again.

nslookup -query=axfr inlanefreight.htb X.X.X.X | grep “Name:” | cut -d “:” -f2 | while read ZONE; do nslookup -query=axfr $ZONE X.X.X.X; done > zones.txt

Where X.X.X.X is the spawned server IP.


Hi I got the output, but how do you calculate is only 2? I have around 19 zones available. Someone please help me out

You are using the power shell instead of the terminal. I had the same issue.
Use the green one not the PS

Hi, I have the same question… how can we count the different zones? I tried also to follow the Footprinting course to better understand the concept of zones and DNS in general but with no luck! I think I got that a zone can contain domain and subdomain but I don’t know how to distinguish between zones. If you got a solution and you can help me I really appreciate it.

hi TitaniumKnight
I know what it is
I meant that it shows in results of dig ns inlanefreight.htb that is remote server (not my own)
In the end I solved it, it was a bit confusing, but I figured it out

Edit /etc/hosts by adding ipaddress and dns name.

This was a bit hard due to the VPN requirement:

  • Prerequirements: export TARGET="inlanefreight.htb";export TARGET_IP="x.x.x.x"
  • Then edit /etc/hosts and add your target there, inlanefreight.htb
  • Then get the name server with dig ns ${TARGET} @${TARGET_IP}
  • Add the nameserver to /etc/hosts
  • now is time to get the zones: nslookup -type=any -query=AXFR ${TARGET} ${NS}
  • After that I opened VSCodium and put those zones in a txt file, like this:
  • Now you have to discover which zone has a TXT record, you can run dig +short TXT DISCOVERED_ZONE ${NS} one by one… or you automatize this using code… I prefer to make a bash file for this kind of situation.
file="subdomains_inlanefreight.htb.txt" #the txt file you created
while read -r line; do
   dig +short TXT "$line" ${NS}; echo "";
done <$file

Then run bash and you get the flag… the trick is to dig line by line against the nameserver… looking for the TXT record.


I think you missed a @ before the nameserver :grinning:

file="subdomains_inlanefreight.htb.txt" #the txt file you created
while read -r line; do
   dig +short TXT "$line" @${NS}; echo "";
done <$file

That did the trick for me. :black_heart:


I get the exact same error. how did you solve it ?

Submit the number of all “A” records from all zones as the answer.

Did this:

Blockquote dig axfr inlanefreight.htb @ns2.inlanefreight.htb | grep “IN\sA\s” | wc -l + ig axfr inlanefreight.htb @ns2.inlanefreight.htb | grep “IN\sA\s” | wc -l

Added both outcomes up but that was not the good answer. What did i do wrong?

I would scrap whatever you have here. I did this and it worked nicely to calculate the A records for each ns. REMEMBER: DO THIS FOR EACH NS IF USING MY COMMAND.

dig axfr inlanefreight.htb @IPADDR | grep -E "IN      A|IN A" | wc -l

I’m sure there’s a better way to write this, but I’m tired and felt lazy and it worked.


set your vpn to use OpenVPN protocol