Active Subdomain Enumeration

Hi all I’m stuck again, but Now, on literally the next question which is:
What is the FQDN of the IP address

Someone, please help! No spoilers plz.


You need found out the “Pointer”. Its all that will say.

Wait what do you mean? There is no pointer given if there’s one that is hidden how do you find it? is there a command I can execute?

Hi 0xh4rtz, thankyou for the clue, but could you give a bit more
of a hint without spoiling. I’ve been completely overthinking this
entire section and my brain is about to go into meltdown, ta.

Sorted now, caffeine fix :slight_smile:

Hi I was just checking in if someone got any clue that might have worked for them. I have been stuck in this question for days now it will be a great help if someone can share some clues.

The same way you used to solve the question about the TXT records you have to use in order to find the pointer record.

1 Like

Did you get past this question? I am stuck on it as well. i’ve added the IP to my /etc/hots, then I’ve tried running all the commands from the course work and get nothing but errors. I

Could you explain this further? I have ran the same commands and get no response. Also does the ip need to be added to /etc/hosts? As rn i can not get a response from the server when i try to ping the ip

i need suggestion on answer to this question , i tried command dig -x @dnserverip but no success

So, I’ve finally got it!

That’s what you have to do:
First of all I really recomend you to take some time and try to understand how dns zones work, that’s really usefull not only for this task, but also for many CTF’s.
I can recomend you to take Footprinting, and do it’s DNS section.
For this task:

  1. Check axfr of inlanefreight.htb. There you will get some domains.
  2. Now you have to check all of this domain, if they have axfr zone transfers (as you did it with inlanefreight.htb just a minute ago)
  3. By one of this domains you will get list of it’s subdomains, and just look of the ip’s of this subdomains and you will find there!
    That’s not hard, but I really want to encourage you to dive in the topic of Zone Transfers and understand how it works and how you can use it for penetration testing :wink:

thanks saved so much time. Another tedious task from htb xD much appreciated

1 Like

Try this command:

dig @ NS axfr internal.inlanefreight.htb


Hi, how can we count the different zones? I tried also to follow the Footprinting course to better understand the concept of zones and DNS in general but with no luck! I think I got that a zone can contain domain and subdomain but I don’t know how to distinguish between zones. If you can help me I really appreciate it. I don’t really want the answer but I want to understand what I’m missing!
Thanks a lot

Nslookup is not working for me for any command. Is anyone else having this issue? I added the target IP address to the hosts file and tried a variation of using the IP address and the domain with no response.


Hey, you’re probably overthinking it. The answer is much simpler and it’s hidden in plain sight.

  • Identify the which of the subdomains is actually the other zone.
  • Pretty much do the same command but with updated data. (IP and NS)
  • Just look at your screen for a bit and you’ll get it

Thanks, the advice to take the Footprinting DNS lesson was really helpful. I didn’t read the rest of your comment but just read through the Footprinting DNS module and that really helped me solve all the questions I had been stuck at.

Hey guys, to solve this question you need to use the tool “dig”.

1st: dig @<ip_address> NS axfr inlanefreight.htb

2nd: dig @<ip_address> NS axfr internal.inlanefreight.htb

For this question and the one before, I used this script:

Array of subdomains


Nameserver IP address


Loop through each subdomain and perform dig command

for subdomain in “${subdomains[@]}”; do
echo “Performing dig for $subdomain…”
dig +short TXT “$subdomain” @“$NS”
echo “”

I’ve just changed the command +short TXT` to axfr .