Kali Linux Network Scanning Cookbook (Second Edition)

How to do it...

Working with host command:

  1. DNS servers are address books; for this reason they will normally divulge at least some information regarding the domains they are authoritative for. The host command is a utility that performs DNS lookups, so we can use it to investigate information about our target domain. We can use the -a flag to do a comprehensive lookup, or the -t flag followed by a record type to get specific:
  2. The following command will reveal the nameservers associated with google.com:
        host -t ns google.com
  3. The following command will reveal the mail server details for the domain:
        host -t mx google.com
  4. At a minimum, we should now have the DNS and mail servers responsible for google.com, but what else can we find associated with the domain google.com? In the previous exercise, we already found some associated web servers. Let's take a closer look:
        host google.com
  5. What if we try something that doesn't exist? What can we expect as a result?
        host madeupsub.google.com
  6. We get an error stating that the subdomain was not found. Knowing this, we could test subdomains to see whether they exist. Some popular subdomains are mail, blog, ftp, dev, admin, wiki, and help. Of course, this is not a comprehensive list, and there could be subdomains that are not common at all.
  7. We can also perform zone transfers with the host command. In order to do this, we need the domain we are analyzing along with the nameserver address. Keep in mind that DNS is generally configured so as not to allow transfers. Let's attempt a transfer of google.com using the nameserver we found earlier, ns1.google.com:
  8. Sometimes an organization may have a large number of nameservers. In these cases, it makes sense to automate this process.
  9. In the bash script that follows, we first generate a list of nameservers for a given domain, then iterate over each nameserver, attempting a zone transfer:
        #!/bin/bash
        # Usage: ./dns-find-transfer.sh <domain>
        if [ -z "$1" ]; then
            echo "Usage: ./dns-find-transfer.sh <domain>"
            exit 1
        fi

        # Enumerate the domain's nameservers: the 4th field of each
        # "<domain> name server <ns>." line printed by "host -t ns".
        for server in $(host -t ns "$1" | cut -d" " -f4); do
            # Print the nameserver name without its trailing dot. printf emits
            # no newline, so the address below lands on the same line.
            printf '%s' "$server" | sed 's/.$//'
            # Attempt the transfer (AXFR). "host -l" first prints the server it
            # queried as "Address: x.x.x.x#53"; keep that line and drop the
            # "#53" port suffix.
            host -l "$1" "$server" | grep "Address: " | cut -d: -f2 | sed 's/...$//'
        done
  10. We can now run our script and view the results:
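As an added example that is not from the book, the following shell helpers parse the output of host -t ns and host -l so that a zone-transfer check against nameservers you administer can be scripted, with each server reported as ALLOWED (records came back) or REFUSED; the sample host output and the example.com names are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the book: parse host(1) output so a zone-transfer
# (AXFR) audit of nameservers you administer can be scripted and reported.
# All sample output and the example.com names below are constructed.

# Nameserver hostnames from "host -t ns <domain>" output: the 4th field of
# "<domain> name server <ns>." lines, with the trailing dot removed.
ns_from_host_output() {
    awk '$2 == "name" && $3 == "server" { print $4 }' | sed 's/\.$//'
}

# Classify "host -l <domain> <server>" output. Prints "ALLOWED <n>", n being
# the number of NS/A/AAAA records received, or "REFUSED" when host reports
# "; Transfer failed." (or no records came back at all).
classify_axfr() {
    awk '
        /Transfer failed/                                { refused = 1 }
        / name server | has address | has IPv6 address / { n++ }
        END { if (refused || n == 0) print "REFUSED"; else print "ALLOWED " n }
    '
}

# Constructed sample of "host -t ns example.com".
SAMPLE_NS='example.com name server ns1.example.com.
example.com name server ns2.example.com.'

# Constructed sample of a refused transfer: the expected, hardened state.
SAMPLE_REFUSED='Using domain server:
Name: ns1.example.com
Address: 192.0.2.53#53
Aliases:

; Transfer failed.'

# Constructed sample of an open transfer: a misconfiguration to fix.
SAMPLE_OPEN='Using domain server:
Name: ns2.example.com
Address: 192.0.2.54#53
Aliases:

example.com name server ns1.example.com.
www.example.com has address 192.0.2.80
mail.example.com has address 192.0.2.25'

# Live use against a domain you administer (needs network access):
#   for ns in $(host -t ns "$domain" | ns_from_host_output); do
#       printf '%s: ' "$ns"; host -l "$domain" "$ns" | classify_axfr
#   done
```

Any nameserver that reports ALLOWED is handing out the whole zone to anyone who asks and should have AXFR restricted to its secondaries.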