DNS enumeration AXFR vs bruteforce?

Hello guys, I’ve this question from the INFORMATION GATHERING - WEB EDITION module in the Active Subdomain Enumeration section.

The section states that there’s no need for further enumeration in the case we have the luck of finding a DNS server which is allowing AXFR (fragment 2. Testing for ANY and AXFR Zone Transfer), however in the next fragment (Gobuster) it says that if we discover a pattern in the domain names we can use gobuster with the dns module to perform a bruteforce for subdomain enumeration, so my question is…
When using certificate transparency is there any chance that there are subdomains not listed? (maybe because they don’t have a digital certificate) and in a case like this can we leverage subdomain bruteforcing?

So in simple words:
If AXFR is allowed → jackpot, no need for further subdomain enumeration
If AXFR not allowed → check certificate transparency websites → identify patterns → perform bruteforce

Am I right? I’m just trying to put the pieces together.

1 Like

I would say you are thinking about it right. You are definitely correct in choosing brute force as a last resort. That will be mentioned in other brute forcing modules later on. Not to say brute force methods are not effective, they just take up more time and resources. Or in the case of a pen test, brute forcing may create noise on the network which could draw unwanted attention.

1 Like
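
The coverage gap asked about above, shown as an added example that is not part of either post or of the module: it compares a full zone listing (what an allowed AXFR would return) with the names visible in certificate transparency, and sorts the difference into names a wildcard certificate hides, names that fit a numbered pattern seen in CT, and names only the zone reveals. The domain, both name sets and the function names are constructed for illustration; it is written as an audit of your own zone's exposure.

```python
import re
from collections import defaultdict

# Constructed sample data: full contents of the zone, as an allowed AXFR would list them.
ZONE_NAMES = {
    "www.example.test", "mail.example.test",
    "app1.example.test", "app2.example.test", "app3.example.test",
    "api.dev.example.test", "backup-internal.example.test",
}
# Constructed sample data: names found in CT log entries for the same domain.
CT_NAMES = {
    "www.example.test", "app1.example.test", "app2.example.test",
    "*.dev.example.test",
}

# Leftmost label made of a text prefix followed by a number, e.g. app1, app2.
NUMBERED = re.compile(r"^([a-z-]+?)(\d+)$")

def numbered_prefixes(names):
    """Return (prefix, parent) pairs for numbered labels seen in names."""
    found = set()
    for name in names:
        label, _, parent = name.partition(".")
        m = NUMBERED.match(label)
        if m:
            found.add((m.group(1), parent))
    return found

def classify(zone_names, ct_names):
    """Sort every zone name by how (or whether) CT data exposes it."""
    wildcard_parents = {n[2:] for n in ct_names if n.startswith("*.")}
    prefixes = numbered_prefixes(ct_names)
    result = defaultdict(set)
    for name in zone_names:
        label, _, parent = name.partition(".")
        m = NUMBERED.match(label)
        if name in ct_names:
            result["listed_in_ct"].add(name)
        elif parent in wildcard_parents:
            # A wildcard certificate covers the host without naming it.
            result["hidden_by_wildcard"].add(name)
        elif m and (m.group(1), parent) in prefixes:
            # No certificate logged, but the name follows a pattern visible in CT.
            result["matches_ct_pattern"].add(name)
        else:
            result["zone_only"].add(name)
    return dict(result)

if __name__ == "__main__":
    for bucket, names in sorted(classify(ZONE_NAMES, CT_NAMES).items()):
        print(f"{bucket}: {sorted(names)}")
```

Names in `zone_only` have no logged certificate and follow no visible pattern, so for a zone owner the AXFR restriction is the control that keeps them unlisted.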