While doing some subdomain brute forcing/enumeration on a target today, the target domain in question had wildcard DNS resolution enabled. So, when a query was made to determine if the subdomain example.domain.com was in existence, the response provided was “yes”. This is not ideal because that subdomain does not actually exist. Our goal with DNS subdomain enumeration is to identify potential entry points into a network and then identify running services that might be exploitable.
To work around the issue with DNS wildcard resolution, consider using negative matching with grep in order to filter out all of the wildcard resolution responses – which are basically junk to us. The following command provides an example of subdomain enumeration while also combing negative matching with grep:
dnsrecon -d domain.com -D /wordlists/deepmagic.com_top50kprefixes.txt -t brt -f -n 22.214.171.124 –iw | grep -v 126.96.36.199