Attacking DNS - ATTACKING COMMON SERVICES

I'm stuck for almost a week here.
I tried to enumerate dns by bruteforce and found 2 domains.

I tried to zone transfer to ns, but it failed.

I tried to zone transfer to main domain, but it failed too.

fierce failed too

I tried subbrute too, but it just produces errors and takes forever.

What to do now? :frowning:

EDIT: After a few seconds of posting this. I just found it out. lllllllllllllllooooooooooooolllllllllllllllllllllllllllll


@dfgdfdfgdfd I’m also stuck here, can you give me a hint please

If I remember correctly,
you need to bruteforce the subdomain,
and when you find a valid domain, try to do axfr, or other checks on it.

Thanks i already solved it

hey bro, what tool did u use to bruteforce subdomains?

Subbrute

Hello! I get nothing in the resolvers.txt file after running subbrute…
It gives me Warning: No nameservers found, trying fallback list.
Any hints?

You have to modify resolver.txt file. Take a good look at the examples given. Your command should look like this.

subbrute inlane…htb -s (wordlist) -r (resolver_file)

Thanks! Let's see if I can make it :)

I have tried several attempts and I always get “Warning: No nameservers found, trying fallback list.”
There is something wrong in the command…

What was the issue?! Been stuck for a while with this :confused: :confused: :confused:

Sorry for the late response, I was traveling add me on discord. It’ll be easy for me to help you there. Beri Contraster#6450

Thanks!! I got it :slight_smile: :slight_smile:

The course specifies nowhere that you should modify the resolv.conf file… It’s the 2nd time for this module when the reading material is lacking… HTB please review your content before actually doing a challenge based on that content.

Even though it’s confusing… the answer is in the same module context… yeah, i needed to make use of resolver.txt but a bit different. Remember how we make virtual hosting; that’s why the key is the resolver.txt file.
By the way you may try to use -v to see verbose mode and it might give you an idea.

The top level domains they keep interchangeably using are messing with my head, could someone please clarify? In the examples both inlanefreight.com and inlanefreight.htb are used, these ARE different sites as far as I understand, are they not?

The question is asking Find all available DNS records for the "inlanefreight.htb" domain on the target name server... Running subbrute against inlanefreight.com is giving me multiple sub-domains and nothing for .htb even though that’s the one the question is calling out. Could someone help please?

I figured it out but before that, let me subtly express that this module is as tangled as a nest of serpents and fit only for those who have no need for clarity.

So:

  • inlanefreight.com is an external site (so no no to PTing) and as confusing as they effing make it by switching the TLDs all the time inlanefreight.htb is indeed the HTB Academy target.
  • The flag is in the info returned as part of a zone transfer; dig axfr @<IP> <sub-domain>.inlanefreight.htb should get you the answer.
  • Hint is ‘hr’

You have all the info you need to get the flag now. I am going to add another paragraph here since my confusion stemmed from this - zone transfers: Using abs.com and ns1.abs.com for examples, syntax for a zone transfer is dig @ns1.abs.com abs.com AXFR where:

  • @ns1.abs.com: Specifies the DNS server to query. NB: To find out which subdomains are DNS servers, use dig abs.com NS; note it’s just abs.com there and not whatever.abs.com etc. Any subdomain listed as an NS record is a DNS server.
  • abs.com: The domain you are trying to perform the zone transfer on. NB: If you found other subdomains like test.abs.com, support.abs.com or others and they don’t show up in the NS query, they are likely not DNS servers. Instead, these are usually regular subdomains or services. You wouldn’t perform a zone transfer on these.
  • AXFR: a type of query used for requesting a zone transfer (stands for “Authoritative Transfer”)
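
An added example, not part of any post in this thread: a shell sketch for checking a zone you administer, which lists its NS records as the last post describes and reports whether each server still answers AXFR. The function names, `example.test`, and the sample dig outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which name servers of your own zone allow AXFR.
# Names, zone and sample outputs below are constructed, not from the thread.

# Classify the text printed by `dig @server zone AXFR` (read from stdin).
classify_axfr() {
    out=$(cat)
    case $out in
        *'XFR size:'*)       echo open ;;         # full zone was returned
        *'Transfer failed'*) echo refused ;;      # server denied the transfer
        *'timed out'*|*'communications error'*) echo unreachable ;;
        *)                   echo unknown ;;
    esac
}

# Count resource records in a transfer: lines that are neither blank
# nor dig's ';' comment lines. The SOA appears twice (first and last).
count_records() {
    grep -Evc '^[[:space:]]*(;|$)'
}

# Query every NS of the zone and print "<server><TAB><status>".
# Needs dig and network access to the zone's name servers.
audit_zone() {
    zone=$1
    for ns in $(dig +short NS "$zone"); do
        status=$(dig +time=3 +tries=1 "@$ns" "$zone" AXFR | classify_axfr)
        printf '%s\t%s\n' "$ns" "$status"
    done
}

# Constructed dig outputs so the classifier can be exercised offline.
SAMPLE_OPEN='; <<>> DiG 9.18.1 <<>> @ns1.example.test example.test AXFR
example.test.      3600 IN SOA ns1.example.test. admin.example.test. 1 3600 600 86400 3600
example.test.      3600 IN NS  ns1.example.test.
ns1.example.test.  3600 IN A   192.0.2.53
example.test.      3600 IN SOA ns1.example.test. admin.example.test. 1 3600 600 86400 3600
;; XFR size: 4 records (messages 1, bytes 200)'
SAMPLE_REFUSED='; <<>> DiG 9.18.1 <<>> @ns1.example.test example.test AXFR
; Transfer failed.'

# Live audit runs only when a zone is passed: ./axfr_audit.sh example.test
if [ "$#" -gt 0 ]; then audit_zone "$1"; fi
```

Any server reported as `open` is handing the whole zone to arbitrary clients; transfers should be limited to the zone's secondary servers.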