The Linux Host Command
This tutorial is about DNS tips and tricks.
By Fahad Usman
DNS, the Domain Name System (served by domain name servers), translates the host name in a URL to an IP address. For humans, www.google.co.uk is easier to remember than 18.104.22.168, which is the IP address of google.co.uk.
So when you type www.google.co.uk into an Internet browser such as IE, Chrome or Firefox, the ISP's resolver looks the name up in DNS to find the IP address and directs you to the correct address of google.co.uk.
host is a command-line Linux utility for performing DNS lookups. It converts names to IP addresses and IP addresses back to domain names. You can see its command-line arguments by typing host with no arguments in the terminal.
You can specify the domain name that you want to pull information for. You can also specify an IPv4 address or a (colon-delimited) IPv6 address, in which case host performs a reverse lookup for that address.
The server argument is optional: it is the name or IP address of the name server that host should query instead of the server or servers listed in /etc/resolv.conf.
Here is the normal syntax:
Find nameserver: A nameserver maintains a directory of domain names and the IP addresses they map to. In other words, it is where the DNS records for your domain are stored, which lets you decide which hosting provider controls your web space and email.
host -t ns fahadusman.com
fahadusman.com name server tina.ns.cloudflare.com.
fahadusman.com name server buck.ns.cloudflare.com.
-t specifies the type of record; ns means nameserver, and then comes the domain name. So I asked for the nameservers of my website fahadusman.com and it returned the two above.
Find IPv4 address: if you want to look up the IPv4 (A) address, you can run:
host -t a fahadusman.com
fahadusman.com has address 22.214.171.124
fahadusman.com has address 126.96.36.199
Find IPv6 address of a host:
We can look up the AAAA record, also known as the “IPv6 address record”, which maps a hostname to a 128-bit IPv6 address in the Domain Name System (DNS):
host -t aaaa google.co.uk
google.co.uk has IPv6 address 2a00:1450:4009:805::2003
Find MX records: an MX record names a mail server responsible for accepting email messages on behalf of a recipient’s domain, together with a preference value used to prioritize mail delivery when multiple mail servers are available.
host -t mx target.com
target.com mail is handled by 5 smtp02.target.com.
target.com mail is handled by 5 smtp01.target.com.
Find SOA (Start of Authority) records: Every domain must have a Start of Authority record at the cutover point where the domain is delegated from its parent domain. For example, if the domain mycompany.com is delegated to DNSimple name servers, an SOA record for the name mycompany.com must be included in the authoritative DNS records; DNSimple adds this record automatically for every domain that is added to it.
host -t soa target.com
target.com has SOA record tezttsdcx01p.extdns.target.com. hostmaster.target.com. 2005139024 28800 3600 604800 3600
The SOA record includes the following details:
- The primary name server for the domain, which here is tezttsdcx01p.extdns.target.com, or the first name server in the vanity name server list for vanity name servers.
- The responsible party for the domain, which is
- A timestamp that changes whenever you update your domain.
- The number of seconds before the zone should be refreshed.
- The number of seconds before a failed refresh should be retried.
- The upper limit in seconds before a zone is considered no longer authoritative. i.e. expiry =
- The negative result TTL (for example, how long a resolver should consider a negative result for a subdomain to be valid before retrying).
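As an added example (not code from the original article), here is a small Python parser that turns the kind of host output shown above into structured records and splits the SOA rdata into the named fields just listed; the sample output is constructed from the lines quoted in this article, and the field names follow the SOA layout (MNAME, RNAME, serial, refresh, retry, expire, minimum).

```python
import re

# Constructed sample: output of several `host -t <type> <name>` runs, using the
# records quoted in this article, concatenated as if captured to one file.
SAMPLE_OUTPUT = """\
fahadusman.com name server tina.ns.cloudflare.com.
fahadusman.com name server buck.ns.cloudflare.com.
fahadusman.com has address 22.214.171.124
google.co.uk has IPv6 address 2a00:1450:4009:805::2003
target.com mail is handled by 5 smtp02.target.com.
target.com has SOA record tezttsdcx01p.extdns.target.com. hostmaster.target.com. 2005139024 28800 3600 604800 3600
"""

SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")

def parse_soa(rdata):
    """Split the seven SOA fields printed by host into a dict. The first two are
    names; the remaining five are integers (serial, then four timers in seconds)."""
    parts = rdata.split()
    if len(parts) != 7:
        raise ValueError("malformed SOA rdata: %r" % rdata)
    values = [parts[0].rstrip("."), parts[1].rstrip(".")] + [int(p) for p in parts[2:]]
    soa = dict(zip(SOA_FIELDS, values))
    # RNAME is the responsible mailbox with '@' replaced by '.': the first label
    # is the local part, the rest is the domain.
    local, _, domain = soa["rname"].partition(".")
    soa["contact"] = local + "@" + domain
    return soa

# One regex per host output shape, each capturing (owner name, rdata).
LINE_PATTERNS = [
    (re.compile(r"^(\S+) name server (\S+)$"), "NS"),
    (re.compile(r"^(\S+) has address (\S+)$"), "A"),
    (re.compile(r"^(\S+) has IPv6 address (\S+)$"), "AAAA"),
    (re.compile(r"^(\S+) mail is handled by (\d+ \S+)$"), "MX"),
    (re.compile(r"^(\S+) has SOA record (.+)$"), "SOA"),
]

def parse_host_output(text):
    """Group host(1) output lines into {owner: {rtype: [rdata, ...]}}."""
    records = {}
    for line in text.splitlines():
        for pattern, rtype in LINE_PATTERNS:
            m = pattern.match(line.strip())
            if not m:
                continue
            owner, rdata = m.group(1).rstrip("."), m.group(2)
            if rtype == "SOA":
                rdata = parse_soa(rdata)
            elif rtype == "MX":          # keep the preference as an int (lower wins)
                pref, mx = rdata.split()
                rdata = (int(pref), mx.rstrip("."))
            else:
                rdata = rdata.rstrip(".")
            records.setdefault(owner, {}).setdefault(rtype, []).append(rdata)
            break
    return records
```

Lines host prints that match none of the patterns (comments, "not found" answers) are skipped rather than raising, so the parser can be fed a whole captured session.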
FTP and SSH addresses: sometimes targets have ftp or ssh host names as well. You can enumerate them with:
host -t a ssh.target.com
ssh.target.com has address 188.8.131.52
Get subdomains of the primary domain with Sublist3r, a tool already available in Kali:
sublist3r -d microsoft.com -p 80 -e Bing,Google
Here we are trying to get a list of Microsoft’s subdomains, checking port 80 on each, via the Bing and Google search engines.
Using https://www.netcraft.com: a handy tool to see what a site is running, among other info.