Hack The Box Academy - FOOTPRINTING - DNS enumeration

Hello together,

right now I’m stuck at in the FOOTPRINTING module of Hack The Box Academy in the DNS enumeration section.

I’m stuck at the following question:
“What is the FQDN of the host where the last octet ends with “x.x.x.203”?”

I already used all the big subdomain lists from the SecLists directory to enumerate the subdomains but i did not find the ip address which ends with .203. I use dnsenum for the DNS enumeration.
Can someone please give me some hints or point me to correct wordlist which can be used to find the correct ip?

Best regards

You need to systematically DIG or transfer EVERY subdomain you find, and pay attention to which DNS server you’re querying when you do it.

There are various security settings on a DNS server. Among other things, you can specify whether a zone transfer should be allowed for all servers or only for certain servers (allow-transfer).

If a zone transfer is allowed, you can transfer the zone with “dig axfr”. If the zone transfer is not allowed, you have to bruteforce the zone.

Hint: Start with the smallest list.

1 Like

Hello. I’m still a newbie at this. However, I tried what you suggested in your answer. I used dig and identified the subdomains which allowed zone transfer. I enumerated the subdomains that don’t allow zone transfer. And yet, I am still lost and couldn’t figure out the solution to this question. Any more hints would be helpful since I feel frustrated and lost and spent too much time on this problem. thanks

What exactly did you try and where exactly are you stuck?

I finally got it. Thank YOU!

Thanks for the hint of the smallest list. I enumerated zones properly and couldn’t figure out what I was doing wrong. For others reading this, he means start with the smallest list in SecLists/Discovery/DNS/ first, not subdomains-top1million-5000.txt which is what I initially assumed.

1 Like

I am still having issues with this.

I wonder if somebody can give me another clue

Try to use dnsenum with any subdomain that you found on your first subdomain enumeration.


I found it with your help!


on which subdomain

Which of the subdomains are zones? Each zone has one SOA entry

It probably will take forever if you’re using the /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt. Consider using wordlists that are using common names. If the wordlist is sorted alphabetically, the hit will be near the bottom…not a big fan of how long to wait on some of these assessments.

Hi MunAsqah, I have spent a week on this. could you please help me with the last question about DNS lab. thanks

When I am trying to dnsemum a server I keep getting query timed out. The script I am running is

$ dnsenum --dnsserver --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt ns.inlanefreight.htb

I’m clearly doing something wrong but I cannot seem to figure it out can anyone please support?

Simple step by step would be great as Iam Neurodiverse and reading between the lines isn’t a strength of mine haha

@james.clare Look at your --dnsserver argument and think about what it’s doing. Is that the IP you should be querying? Google that IP address and learn about what it is. Then think about where your queries should be going.

I’m still stuck. I’m not able to make out all the hints that people gave in here. I would really appreciate if anyone could give me somemore hints or can provide me any resources so that I could understand this topic well

Would someone explain why my dnsenum keeps timing out: app.inlanefreight.htb. NS record query failed: query timed out

running this: sudo dnsenum --dnsserver --enum -p 0 -s 0 -o subdomains.txt -f /home/ethhack/Seclists/Discovery/DNS/fierce-hostlist.txt app.inlanefreight.htb.
dnsenum VERSION:1.2.6

Everytime i’m looking for clues i always see you invested here helping people. Thanks a lot man!


For anyone still stuck on these questions: I was too and for 2 days ran through list after list enumerating all of inlanefreight.htb. However i was going about enumerating the wrong place. It is a subdomain to enumerate with one of those lists (SecLists) whether you downloaded it or use pwnbox. And if you dig axfr it will show you more servers. then i dig any one by one to see what it showed. picked one that has SOA entry. Hope this helps more specifically