WHOIS & Domain Enumeration

Basic WHOIS Lookup

Command-Line WHOIS

Basic domain WHOIS lookup

whois $ip

Query a specific WHOIS server

whois -h whois.verisign-grs.com $ip

Show detailed results (Linux)

whois --verbose $ip

Online WHOIS Services

Whois Lookup (ICANN)

Whois Domain Tools

WhoXY

Extracting Nameservers & DNS Records

Query Nameservers

nslookup -type=NS $ip

dig NS $ip

host -t ns $ip

Query MX Records (Mail Servers)

nslookup -type=MX $ip

dig MX $ip

host -t mx $ip

Query TXT Records (SPF, DKIM, DMARC, etc.)

nslookup -type=TXT $ip

dig TXT $ip

host -t txt $ip

Subdomain Enumeration

Brute-Force Subdomains

sublist3r -d $ip

amass enum -d $ip

assetfinder --subs-only $ip

dnsrecon -d $ip -t brt

Passive Subdomain Enumeration

• crt.sh → Certificate Transparency logs

• ThreatCrowd → OSINT subdomain lookup

• VirusTotal → Find subdomains via DNS queries

Zone Transfer (AXFR Attack Check)

Try Zone Transfer (If Misconfigured)

dig AXFR example.com @ns1.$ip

host -l example.com ns1.$ip

dnsrecon -d $ip -t axfr

Reverse DNS Lookup

Find Domain Associated with an IP

nslookup $ip

dig -x $ip

host $ip

Find Subdomains via Reverse Lookups

dnsrecon -r 192.168.1.0/24

fierce -dns $ip

Use DNS module for reverse lookups

recon-ng

Online DNS & WHOIS Tools

• SecurityTrails → Historical DNS records

• Spyse → Advanced domain intelligence

• Robtex → DNS & network graphing

• ViewDNS.info → DNS & WHOIS lookup tools

Automation & OSINT Tools for Domain Intelligence

• theHarvester → Email, subdomains, and hosts reconnaissance

• Subfinder → Fast passive subdomain discovery

• Amass → OSINT-powered subdomain enumeration

• MassDNS → High-performance DNS resolver

• Nmap → Scan domains for open services

nmap -p80,443 $ip