loading
Loading content
loading
DNS enumeration pulls the records a domain publishes to build a picture of its infrastructure. A records and AAAA records map names to IP addresses, MX records reveal mail providers, NS records show which servers are authoritative, and TXT records often leak SPF entries, verification tokens, and the names of SaaS vendors a company uses. A misconfigured server may even allow a full zone transfer (AXFR), handing over every record in one request.
In reconnaissance this is one of the first steps because it costs little and exposes a lot. The records point to cloud regions, third-party services, and naming conventions that guide deeper probing, and the IPs anchor later port scanning. DNS enumeration sits next to subdomain enumeration in the early recon phase, and pairs with passive DNS data to recover records that no longer resolve but still reveal past infrastructure.
Watch the line between active and passive collection. Direct queries and zone-transfer attempts touch the target's servers, while passive sources keep you off them entirely.
In a Trickest workflow you query record types in parallel across a domain list, fold in passive sources, and diff results over time so new mail providers or staging hosts surface as soon as the records change.
Related terms