DNS

• https://youtu.be/SRmvRGUuuno?t=196
• https://book.hacktricks.xyz/network-services-pentesting/pentesting-dns

Dig

dig @10.129.1.243 BLACKFIELD.LOCAL
dig any @10.129.1.243 BLACKFIELD.LOCAL # Sometimes have to guess the domain
dig axfr @10.129.1.243 BLACKFIELD.LOCAL # Zone transfer would list all the known subdomains

NSlookup

https://github.com/A1vinSmith/OSCP-PWK/search?q=axfr

Subbrute after found the nameserver

https://github.com/A1vinSmith/subbrute?organization=A1vinSmith&organization=A1vinSmith

Always do another zone transfer after found something interesting above

nslookup -type=any -query=AXFR XX.inlanefreight.NEW ns.somenameserverbeenfound.above