I was working on an internal penetration test this week and I was not able to pull DNS records using any of the standard tools (dnsenum, dnsscan, etc.), but direct DNS queries for specific A records seemed to work. So I whipped up a quick, basic Bash script to read a txt file line by line for names to attempt and pipe that into bash. Here is what I came up with for anyone that ever finds themselves in need.
#!/usr/bin/env bash
# Usage: ./dns-brute.sh wordlist.txt
# Reads one label per line and queries LABEL.DOMAIN.LOCAL against the internal resolver.
while IFS= read -r line || [[ -n "$line" ]]; do
    dig "$line.DOMAIN.LOCAL" +nocomments +noquestion +noauthority +noadditional +nostats @LOCALDNSSERVER.LOCAL
    sleep 1   # pause between queries to keep the noise down (delay value assumed)
done < "$1"
root@Rebel:/root/# ./dns-brute.sh dns1.txt | grep "IN"
dig is used for the query; the +nocomments, +noquestion, +noauthority, +noadditional and +nostats options strip everything except the answer section, so a name that resolves prints its records and a name that does not resolve prints nothing.
dns1.txt is a text file with names to check, one per line. The sleep statement just slows it down a bit; we want to stay under cover.
The grep lets us see just the successful ones: with the other sections suppressed, the only lines containing "IN" are resource records.
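One caveat worth building in before trusting the hits: if the zone has a wildcard record, every name in the wordlist "resolves" and the grep shows nothing useful. The script below is an added example, not the post author's script, that does the same wordlist loop with dig +short (which prints only answer data, so no grep is needed), skips blank and commented wordlist lines, and first queries a random label to learn what the wildcard answer looks like so those hits can be discarded. DOMAIN.LOCAL, LOCALDNSSERVER.LOCAL and the one-second delay are placeholders carried over from the post; the resolve function is kept separate so it can be swapped out (for example with a stub when testing offline).

```shell
#!/usr/bin/env bash
# Added example: DNS wordlist brute force with wildcard detection.
# Assumed placeholders: DOMAIN, RESOLVER and DELAY can be overridden from the environment.
DOMAIN="${DOMAIN:-DOMAIN.LOCAL}"
RESOLVER="${RESOLVER:-LOCALDNSSERVER.LOCAL}"
DELAY="${DELAY:-1}"

# resolve FQDN -> prints the answer data (one record per line), nothing if it does not resolve.
resolve() {
    dig +short "$1" @"$RESOLVER" 2>/dev/null
}

# Query a random label that should not exist. If it resolves, the zone has a
# wildcard and every brute-forced name would appear to succeed.
wildcard_answer() {
    local probe
    probe="$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n').$DOMAIN"
    resolve "$probe"
}

# brute WORDLIST -> prints "fqdn<TAB>answers" for each real hit.
# Returns 0 if at least one non-wildcard name resolved, 1 otherwise.
brute() {
    local wordlist="$1" wild hits=0 line fqdn ans
    wild="$(wildcard_answer)"
    while IFS= read -r line || [ -n "$line" ]; do
        # skip blank lines and comments in the wordlist
        case "$line" in ''|\#*) continue ;; esac
        fqdn="$line.$DOMAIN"
        ans="$(resolve "$fqdn")"
        if [ -n "$ans" ] && { [ -z "$wild" ] || [ "$ans" != "$wild" ]; }; then
            # real record: print answers on one line, tab-separated from the name
            printf '%s\t%s\n' "$fqdn" "$(printf '%s' "$ans" | tr '\n' ' ')"
            hits=$((hits + 1))
        fi
        sleep "$DELAY"   # throttle to stay quiet on the network
    done < "$wordlist"
    [ "$hits" -gt 0 ]
}

# Run against a wordlist when one is given on the command line.
if [ -n "${1:-}" ]; then
    brute "$1"
fi
```

If the wildcard probe returns an answer, compare it against a second random label as well before relying on it; some load-balanced wildcards rotate addresses, in which case matching on the answer alone will let wildcard hits through and you should fall back to checking for a CNAME or a consistent address pool.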