DNSRecon

DNSRecon is my go-to tool for DNS recon and enumeration. In this example, we will request a zone transfer from domain.foo. The DNS server running at domain.foo will return all of the records that it is aware of for domain.foo and any subdomains associated with it. This gives us the name of servers with their respective hostnames and IP addresses for the domain. It returned all DNS records, which were TXT records (4), PTR records (1), MX records for mail servers (10), IPv6 A records (2), and IPv4 A records (12). The records provide some really juicy information about the network. One record shows the IP address of their DC office, another shows the IP address of their firewall appliance, another shows that they have a VPN and its IP address, and another record shows the IP address of the mail server login portal, as shown in the following screenshot:

 dnsrecon -d zonetranfer.zone -a
 -d: domain
 -a: perform zone transfer