Kali Linux Course -- Day 23 of 180
13%

Kali Linux Day 23 — Fierce DNS Reconnaissance Tutorial 2026

Mr Elite 14 min read Kali Linux Course -- Day 23
Kali Linux Day 23 — Fierce DNS Reconnaissance Tutorial 2026
KALI DAY 23
·
DNS Reconnaissance
·
← Kali Linux Course
Most subdomain enumeration tutorials teach you to run Subfinder, check crt.sh, and call it done. Those tools are essential — but they miss an entire category of DNS information that only active querying reveals. I’ve found internal VPN hostnames, staging environments, and mail server configurations in DNS zones that no certificate transparency log ever recorded. The tool that finds them is Fierce, and on Kali Linux Day 23 — Fierce DNS Reconnaissance Tutorial we’re going to run it properly.

Fierce does one thing that most enumeration tools skip: it attempts a DNS zone transfer before brute forcing. A successful zone transfer hands you every DNS record in the domain — internal hostnames, mail servers, dev environments, the complete map — in a single query. It fails more often than it succeeds these days, but when it works, it’s the single most efficient recon operation you can run.

🎯 What You’ll Master in Day 23

How DNS zone transfers work and why misconfigured servers hand attackers the complete network map
Running Fierce with default and custom wordlists against lab targets
The –traverse flag and why adjacent IP reverse lookups reveal hidden hosts
Building a complete active recon workflow combining Fierce with Subfinder and httpx
Recognising and documenting zone transfer misconfiguration as a finding

⏱️ 20 min read · Kali Linux required for Exercises 2 & 3

📋 Kali Linux Day 23 — Fierce DNS Reconnaissance Tutorial – Contents

  1. DNS Reconnaissance Fundamentals
  2. Zone Transfers — The Misconfiguration That Reveals Everything
  3. Running Fierce — Installation and Core Usage
  4. Advanced Fierce Techniques
  5. Full DNS Recon Workflow

DNS Reconnaissance Fundamentals

DNS reconnaissance maps the network infrastructure attached to a domain. Every subdomain that resolves to an IP is a potential attack surface — a web application, an admin panel, a mail server, a VPN gateway. The DNS system is designed to be publicly queryable, which means a significant amount of infrastructure information is available without triggering any authentication or intrusion detection.

The DNS record types most valuable in recon are A records (domain to IPv4), AAAA records (domain to IPv6), MX records (mail servers — often direct access to mailservers bypassing front-end security), NS records (authoritative nameservers — the targets for zone transfer attempts), CNAME records (aliases — reveal internal naming conventions), and TXT records (SPF, DMARC, verification tokens that leak technology stack information).

Active DNS reconnaissance differs from passive in one critical way: your IP address hits the target’s nameservers. Every query is logged. This means you must be within scope before running active DNS recon tools like Fierce, and you should understand what “scope” means in the context of DNS — most bug bounty programs explicitly permit subdomain enumeration but not active port scanning, so clarify before you run.

DNS RECORD TYPES — RECON REFERENCE
# Query specific DNS record types
dig target.com A # IPv4 addresses
dig target.com MX # Mail servers → bypass spam filters
dig target.com NS # Nameservers → zone transfer targets
dig target.com TXT # SPF, DMARC, tech stack leakage
dig target.com CNAME # Aliases → naming convention patterns
# Manual zone transfer attempt with dig
dig axfr target.com @ns1.target.com
; If successful: all DNS records returned
; If misconfigured: “Transfer failed” message
# Quick subdomain check
host dev.target.com # Does dev subdomain exist?
nslookup vpn.target.com # VPN gateway check

Zone Transfers — The Misconfiguration That Reveals Everything

A DNS zone transfer (AXFR request) is a legitimate DNS operation where secondary nameservers synchronise their records from the primary. The security issue arises when the primary nameserver is configured to allow transfers from any IP address — not just authorised secondaries. When that misconfiguration exists, any attacker can request the complete zone and receive every DNS record: internal hostnames, internal IP addresses, mail servers, dev and staging environments, VPN gateways.

Zone transfers were a common misconfiguration in the early 2000s and remain present in older infrastructure — internal DNS servers, small hosting providers, and legacy corporate DNS deployments that haven’t been audited. I’ve encountered zone transfer success on internal network assessments far more often than on external targets, particularly against Active Directory DNS servers that weren’t hardened after initial deployment.

securityelites.com
Zone Transfer Attack Chain
STEP 1 — Discover Nameservers
dig target.com NS → reveals ns1.target.com, ns2.target.com

STEP 2 — Attempt Zone Transfer
dig axfr target.com @ns1.target.com → test each nameserver

IF VULNERABLE — All Records Returned
dev.target.com → 192.168.1.50 (INTERNAL IP!)
vpn.target.com → 203.0.113.10
admin.target.com → 203.0.113.11
db-01.target.com → 10.0.0.5 (INTERNAL DB!)

REPORTING — Zone Transfer Misconfiguration
CWE-16: Configuration — Medium to High severity
Fix: restrict AXFR to authorised secondary IPs only

📸 Zone transfer attack chain. The severity rating depends on what the zone reveals — an external DNS zone showing only public-facing hosts is low severity. A zone revealing internal IP addresses, internal hostnames, and infrastructure naming conventions is High to Critical because it hands the attacker a network map they’d otherwise need weeks of scanning to build.

Running Fierce — Installation and Core Usage

Fierce is pre-installed on Kali Linux but may be an older version. I always run a quick update before DNS recon work — the wordlist and some detection logic have improved in recent versions. The core scan is a single command: fierce –domain target.com. What happens under the hood is: nameserver discovery via NS record query, AXFR zone transfer attempt against each nameserver, and wordlist-based subdomain brute forcing if the zone transfer fails.

FIERCE — INSTALLATION AND CORE COMMANDS
# Install / update Fierce
sudo apt update && sudo apt install -y fierce
fierce –help
# Basic domain scan (zone transfer attempt + brute force)
fierce –domain zonetransfer.me
# zonetransfer.me is a legal test domain that allows zone transfers
# Scan with custom wordlist
fierce –domain target.com \
–wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
# Set DNS server (use target’s nameserver for most accurate results)
fierce –domain target.com –dns-servers 8.8.8.8
# Add delay between queries (stealth)
fierce –domain target.com –delay 3
# Traverse adjacent IPs for reverse DNS
fierce –domain target.com –traverse 5
# Checks 5 IPs above and below each found IP for PTR records
# Save output
fierce –domain target.com 2>&1 | tee fierce_$(date +%Y%m%d).txt

🧠 EXERCISE 1 — THINK LIKE A HACKER (5 MIN · NO TOOLS)
Analyse a Zone Transfer — What Would You Do With This?

⏱️ 5 minutes · No tools required

Before running any tools, I always spend a few minutes thinking about what I’m looking for and what I’d do with what I find. This exercise is about that analysis step — you have a fictional zone transfer output, and you need to prioritise the findings.

SCENARIO: You’re testing shop.example.com (in scope).
The zone transfer returned these records:

shop.example.com → 203.0.113.5
www.example.com → 203.0.113.5
mail.example.com → 203.0.113.10 (MX record)
dev.example.com → 192.168.1.50 (internal IP!)
staging.example.com → 192.168.1.51 (internal IP!)
vpn.example.com → 203.0.113.20
admin.example.com → 203.0.113.25
db-01.example.com → 10.0.0.5 (internal IP!)
jira.example.com → 203.0.113.30
gitlab.example.com → 203.0.113.31

QUESTIONS:
1. Which 3 subdomains are highest priority for immediate web testing?
Explain why each one.

2. What does ‘dev.example.com → 192.168.1.50’ tell you?
Why is an internal IP appearing in external DNS dangerous?

3. You see vpn.example.com — what does this reveal and what
would you check next?

4. This zone transfer is itself a finding. Write a one-line
finding title and severity rating for the bug bounty report.

✅ Your highest priorities should be admin.example.com (admin panels are high-value targets), jira.example.com and gitlab.example.com (developer tooling often has weaker authentication and contains source code/credentials). The internal IPs on dev and staging reveal the internal network range (192.168.1.x and 10.0.0.x) — an attacker who later gets a foothold anywhere on that network now knows exactly where to pivot. The zone transfer finding itself: “DNS Zone Transfer Enabled — Full Network Map Disclosed” — severity Medium to High depending on what internal information it revealed.

📸 Share your priority list and finding title in #kali-linux.

Advanced Fierce Techniques

The –traverse option is the feature that separates Fierce from basic subdomain brute forcers. When Fierce finds an IP for a subdomain, it checks the surrounding IP space for reverse DNS entries. If dev.target.com resolves to 10.0.0.5, Fierce checks 10.0.0.1 through 10.0.0.10 for PTR records. This discovers servers that have PTR records but no forward A record — common for internal infrastructure where administrators set up reverse DNS but never intended to publish forward records externally.

FIERCE ADVANCED USAGE AND OUTPUT INTERPRETATION
# Wide subdomain brute force with traverse
fierce –domain target.com \
–wordlist /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt \
–traverse 10 \
2>&1 | tee fierce_full.txt
# Post-process: extract just the IPs and hosts
grep “Found:” fierce_full.txt | awk ‘{print $2, $3}’
# Feed found subdomains into httpx for live web check
grep “Found:” fierce_full.txt | awk ‘{print $2}’ > fierce_hosts.txt
httpx -l fierce_hosts.txt -status-code -title -tech-detect
# Compare fierce results with passive tools
subfinder -d target.com -o subfinder.txt
cat fierce_hosts.txt subfinder.txt | sort -u > all_subdomains.txt
# Combined list: passive + active coverage

⚡ EXERCISE 2 — KALI LINUX (LEGAL TARGET)
Zone Transfer Success: Run Fierce Against zonetransfer.me

⏱️ 15 min · Kali Linux · zonetransfer.me is a legal test domain

zonetransfer.me is maintained specifically as a practice target for zone transfer testing. Running Fierce against it gives you a real successful zone transfer output — the kind you might find on a vulnerable internal DNS server. Let me show you exactly what a successful zone transfer looks like in practice.

# Step 1: Verify Fierce installation
fierce –version
sudo apt install fierce -y # if needed

# Step 2: Run against the legal test domain
fierce –domain zonetransfer.me 2>&1 | tee fierce_zonetransfer.txt

# Step 3: Also try manual zone transfer with dig
dig axfr zonetransfer.me @nsztm1.digi.ninja

# Step 4: Count how many records were returned
grep -c “Found:” fierce_zonetransfer.txt

# Step 5: Identify interesting records
grep -E “internal|dev|staging|admin|vpn|mail” fierce_zonetransfer.txt -i

# Step 6: Run with traverse on the found IPs
fierce –domain zonetransfer.me –traverse 3 2>&1 | tail -20

✅ The zonetransfer.me domain intentionally has dozens of records including internal RFC1918 IP addresses, HR hostnames, finance server names, and other realistic internal infrastructure labels. When you see a real zone transfer on a pentest, the output looks like this — complete, detailed, and immediately actionable. Every hostname in a successful zone transfer is a potential test target. The internal IPs tell you the network structure even if you can’t reach them directly.

📸 Screenshot your zone transfer output and share in #kali-linux.

Full DNS Recon Workflow

My DNS recon workflow starts passive and moves active — passive tools first so I understand the scope before my IP starts appearing in nameserver logs. I run Subfinder and crt.sh certificate lookups before anything active, build an initial subdomain list, then layer in Fierce for the zone transfer attempt and active brute forcing. The combined output from passive and active tools gives the most complete picture of the target’s DNS infrastructure.

COMPLETE DNS RECON WORKFLOW
# Phase 1: Passive (no contact with target DNS)
subfinder -d target.com -o passive_subs.txt -all
curl -s “https://crt.sh/?q=%.target.com&output=json” | jq -r ‘.[].name_value’ | sort -u >> passive_subs.txt
# Phase 2: Active DNS recon (contact with target nameservers)
fierce –domain target.com \
–wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
–traverse 5 2>&1 | tee fierce_active.txt
# Phase 3: Combine and deduplicate
grep “Found:” fierce_active.txt | awk ‘{print $2}’ >> passive_subs.txt
sort -u passive_subs.txt > all_targets.txt
# Phase 4: Identify live web services
httpx -l all_targets.txt -status-code -title -tech-detect -o live_hosts.txt
# Phase 5: High-value targets for manual testing
grep -E “200|301|302” live_hosts.txt | grep -v “404” > active_web.txt

⚡ EXERCISE 3 — KALI LINUX (METASPLOITABLE OR DVWA LAB)
Full DNS Recon Workflow — Passive + Fierce + httpx Pipeline

⏱️ 20 min · Kali Linux · your own lab or practice targets only

Building the full workflow from scratch, end to end, is how the individual commands become muscle memory. I want you to run every phase below and have a combined subdomain list and live host report at the end.

OPTION A: Against a bug bounty target (within scope, your own account)
OPTION B: Against hackerone.com itself (publicly scoped recon practice)

# Phase 1: Passive enumeration
subfinder -d [target] -o subs_passive.txt
echo “Passive count: $(wc -l < subs_passive.txt) subdomains"# Phase 2: Certificate transparency curl -s "https://crt.sh/?q=%.[target]&output=json" | \ python3 -c "import json,sys; [print(x['name_value']) for x in json.load(sys.stdin)]" | \ sort -u >> subs_passive.txt
echo “With crt.sh count: $(wc -l < subs_passive.txt)"# Phase 3: Active — Fierce zone transfer attempt fierce --domain [target] 2>&1 | tee fierce_out.txt
grep “Zones:” fierce_out.txt # Did zone transfer succeed?

# Phase 4: Extract fierce finds
grep “Found:” fierce_out.txt | awk ‘{print $2}’ >> subs_passive.txt
sort -u subs_passive.txt > all_subs.txt
echo “Total unique: $(wc -l < all_subs.txt)"# Phase 5: Live host check httpx -l all_subs.txt -status-code -title -o live_hosts.txt echo "Live hosts: $(wc -l < live_hosts.txt)" cat live_hosts.txt | head -20

✅ The combination of passive enumeration, certificate transparency, and Fierce active brute forcing consistently finds 20-40% more subdomains than any single tool. The final live_hosts.txt is what goes into your testing notes — sorted by HTTP status code, it shows you exactly what’s live and responding. Any 200-status subdomains with titles like “Admin”, “Dashboard”, “Login”, or “Internal” go to the top of your testing priority list immediately.

📸 Share your final live host count and most interesting finding in #kali-linux.

✅ Day 23 Complete — Fierce & DNS Recon

Zone transfer attempts, subdomain brute forcing, traverse scanning, and the full passive-to-active DNS workflow. Day 24 moves to OWASP ZAP for automated web application scanning.


🧠 Quick Check

You run fierce –domain target.com and the first output line says “Trying zone transfer — nsztm1.target.com… Success!” What does this mean and what should you do immediately?



❓ Frequently Asked Questions

What does Fierce do?
Fierce attempts DNS zone transfers against a domain’s nameservers, then brute forces subdomains from a wordlist if zone transfers fail. It maps DNS infrastructure, identifies internal hostnames, mail servers, and dev/staging environments.
What is a DNS zone transfer?
An AXFR request where a secondary DNS server requests all records from the primary. When misconfigured to allow transfers from any IP, an attacker receives the complete DNS zone — every subdomain, internal hostname, and IP address in a single query.
Is Fierce legal to use?
Only against targets with explicit written permission. DNS queries are active — your IP appears in nameserver logs. Use zonetransfer.me for legal practice.
How is Fierce different from Subfinder or Amass?
Fierce is active DNS-specific: zone transfer attempts and DNS brute forcing. Subfinder/Amass use passive certificate transparency and OSINT sources. Use both: passive first for stealth, then Fierce for zone transfers and active brute forcing.
What wordlist does Fierce use by default?
Fierce’s built-in wordlist covering common subdomain prefixes. For deeper coverage, use –wordlist with SecLists DNS wordlists: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
What does the –traverse flag do?
Checks IPs adjacent to found ones for reverse DNS records — if dev.target.com is 10.0.0.5, –traverse 5 checks 10.0.0.1–10.0.0.10 for PTR records. Reveals hosts with reverse DNS but no forward records.
← Day 22

Shodan Tutorial — Search Engine for Hackers

Day 24 →

OWASP ZAP Tutorial — Automated Web Scanning

📚 Further Reading

ME
Mr Elite
Owner, SecurityElites.com
The most memorable zone transfer I found was on an internal network assessment, against an Active Directory-integrated DNS server that the client had never thought to restrict. The zone contained 847 records — every server, workstation, printer, and network device on the network, with internal hostnames that immediately mapped out the infrastructure. Database servers, domain controllers, backup systems — all labelled in the DNS. The whole network diagram fell out of a single Fierce command. The fix took the client five minutes to implement. The finding took five seconds to discover. That’s why I run Fierce against every DNS server I can legally reach.

dns recon kali fierce dns enumeration fierce dns reconnaissance tutorial kali linux fierce tool subdomain enumeration fierce
Join free to earn XP for reading this article Track your progress, build streaks and compete on the leaderboard.
Join Free

Leave a Comment

Your email address will not be published. Required fields are marked *