Hack The Box Academy - FOOTPRINTING - DNS enumeration

Hello together,

Right now I’m stuck in the FOOTPRINTING module of Hack The Box Academy, in the DNS enumeration section.

I’m stuck at the following question:
“What is the FQDN of the host where the last octet ends with “x.x.x.203”?”

I already used all the big subdomain lists from the SecLists directory to enumerate the subdomains, but I did not find the IP address which ends with .203. I use dnsenum for the DNS enumeration.
Can someone please give me some hints or point me to the correct wordlist which can be used to find the correct IP?

Best regards

You need to systematically DIG or transfer EVERY subdomain you find, and pay attention to which DNS server you’re querying when you do it.

There are various security settings on a DNS server. Among other things, you can specify whether a zone transfer should be allowed for all servers or only for certain servers (allow-transfer).

If a zone transfer is allowed, you can transfer the zone with “dig axfr”. If the zone transfer is not allowed, you have to bruteforce the zone.

Hint: Start with the smallest list.
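
From the defender's side, the allow-transfer setting mentioned above can be audited directly in the BIND configuration. The script below is an added example, not part of the original thread: it parses a constructed named.conf and reports each zone's transfer setting. The zone names, ACL name and address are hypothetical, and only line comments and non-nested zone blocks are handled.

```python
import re

# Constructed named.conf (hypothetical zones and ACL, not taken from the thread).
SAMPLE_CONF = '''
acl "secondaries" { 192.0.2.53; };
options {
    directory "/var/cache/bind";
};
zone "example.test" {
    type master;
    allow-transfer { any; };      // weak: anyone may AXFR this zone
};
zone "internal.example.test" {
    type master;
    allow-transfer { "secondaries"; };
};
zone "dev.example.test" {
    type master;                  // no allow-transfer statement at all
};
'''

BLOCK_RE = re.compile(r'^(options|zone\s+"([^"]+)")[^{\n]*\{(.*?)\n\};', re.S | re.M)
XFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')

def classify(body):
    """Return 'open', 'restricted', or None if the block has no allow-transfer."""
    m = XFER_RE.search(body)
    if m is None:
        return None
    entries = [e.strip().strip('"') for e in m.group(1).split(";") if e.strip()]
    return "open" if "any" in entries else "restricted"

def audit_transfers(conf):
    """Map each zone to 'open', 'restricted' or 'unset' (nothing set anywhere)."""
    conf = re.sub(r'(//|#).*', '', conf)          # drop line comments only
    inherited, zones = None, {}
    for head, name, body in BLOCK_RE.findall(conf):
        if head == "options":
            inherited = classify(body)
        else:
            zones[name] = classify(body)
    # A zone without its own statement inherits the options-level one.
    return {z: (v or inherited or "unset") for z, v in zones.items()}

if __name__ == "__main__":
    for zone, state in audit_transfers(SAMPLE_CONF).items():
        print(f"{zone:28} {state}")
```

Zones reported as unset fall back to the server's built-in default, which should be checked for the installed BIND version.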

Hello. I’m still a newbie at this. However, I tried what you suggested in your answer. I used dig and identified the subdomains which allowed zone transfer. I enumerated the subdomains that don’t allow zone transfer. And yet, I am still lost and couldn’t figure out the solution to this question. Any more hints would be helpful since I feel frustrated and lost and spent too much time on this problem. Thanks.

What exactly did you try and where exactly are you stuck?

I finally got it. Thank YOU!

Thanks for the hint of the smallest list. I enumerated zones properly and couldn’t figure out what I was doing wrong. For others reading this, he means start with the smallest list in SecLists/Discovery/DNS/ first, not subdomains-top1million-5000.txt which is what I initially assumed.


I am still having issues with this.

I wonder if somebody can give me another clue

Try to use dnsenum with any subdomain that you found on your first subdomain enumeration.


I found it with your help!


On which subdomain?

Which of the subdomains are zones? Each zone has one SOA entry.

It probably will take forever if you’re using the /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt. Consider using wordlists that are using common names. If the wordlist is sorted alphabetically, the hit will be near the bottom…not a big fan of how long to wait on some of these assessments.